[Senate Hearing 116-247]
[From the U.S. Government Publishing Office]
S. Hrg. 116-247
THE STATUS AND OUTLOOK FOR CYBERSECURITY EFFORTS IN THE ENERGY INDUSTRY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
FEBRUARY 14, 2019
__________
Printed for the use of the
Committee on Energy and Natural Resources
Available via the World Wide Web: http://www.govinfo.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
35-555 WASHINGTON : 2020
COMMITTEE ON ENERGY AND NATURAL RESOURCES
LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming
JAMES E. RISCH, Idaho
MIKE LEE, Utah
STEVE DAINES, Montana
BILL CASSIDY, Louisiana
CORY GARDNER, Colorado
CINDY HYDE-SMITH, Mississippi
MARTHA McSALLY, Arizona
LAMAR ALEXANDER, Tennessee
JOHN HOEVEN, North Dakota
JOE MANCHIN III, West Virginia
RON WYDEN, Oregon
MARIA CANTWELL, Washington
BERNARD SANDERS, Vermont
DEBBIE STABENOW, Michigan
MARTIN HEINRICH, New Mexico
MAZIE K. HIRONO, Hawaii
ANGUS S. KING, JR., Maine
CATHERINE CORTEZ MASTO, Nevada
Brian Hughes, Staff Director
Kellie Donnelly, Chief Counsel
Jed Dearborn, Senior Counsel
Robert Ivanauskas, FERC Detailee
Sarah Venuto, Democratic Staff Director
Sam E. Fowler, Democratic Chief Counsel
David Gillers, Democratic Senior Counsel
Brie Van Cleve, Democratic Professional Staff Member
CONTENTS
----------
OPENING STATEMENTS
Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska
Manchin III, Hon. Joe, Ranking Member and a U.S. Senator from West Virginia
WITNESSES
Chatterjee, Hon. Neil, Chairman, Federal Energy Regulatory Commission
Evans, Hon. Karen S., Assistant Secretary, Office of Cybersecurity, Energy Security, and Emergency Response, U.S. Department of Energy
Keber, Major William J., Executive Officer, West Virginia National Guard's Critical Infrastructure Protection Battalion
Robb, James B., President and Chief Executive Officer, North American Electric Reliability Corporation
Whitehead, David Edward, Chief Operating Officer, Schweitzer Engineering Laboratories, Inc.
ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED
Chatterjee, Hon. Neil: Opening Statement; Written Testimony; Responses to Questions for the Record
Evans, Hon. Karen S.: Opening Statement; Written Testimony; Responses to Questions for the Record
Keber, Major William J.: Opening Statement; Written Testimony; Responses to Questions for the Record
Manchin III, Hon. Joe: Opening Statement
Murkowski, Hon. Lisa: Opening Statement
Robb, James B.: Opening Statement; Written Testimony; Responses to Questions for the Record
Whitehead, David E.: Opening Statement; Written Testimony; Responses to Questions for the Record
THE STATUS AND OUTLOOK FOR
CYBERSECURITY EFFORTS IN
THE ENERGY INDUSTRY
----------
THURSDAY, FEBRUARY 14, 2019
U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The Committee met, pursuant to notice, at 10:09 a.m. in
Room SD-366, Dirksen Senate Office Building, Hon. Lisa
Murkowski, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. LISA MURKOWSKI,
U.S. SENATOR FROM ALASKA
The Chairman. Good morning. The Committee will come to
order.
I will just note for the record that today is Valentine's
Day.
Senator Manchin. Happy Valentine's.
The Chairman. Thank you.
Some people celebrate it with flowers and chocolate. It is
actually my son's birthday, so we observe it as a birthday
rather than flowers and chocolate today.
But here at the Energy Committee what we prefer to do is
take a deep dive into the very real cyber threats that face our
electric grid system. Here is the punchline everyone, hold on.
After all, nothing says love like ensuring the security of our
critical energy infrastructure. So that is our Valentine's
statement for the morning from the Energy and Natural Resources
Committee. You have to love the script writers back here.
[Laughter.]
Last week we had a chance to examine the state of energy
markets and the promise of clean energy innovation. Both of
these hearings, great hearings by the way, highlighted the
increased automation and the digitalization of energy
technologies. While advances in technology are always welcome
and can help us run things more efficiently, each new digital
connection opens a potential pathway for bad actors to disrupt
our energy delivery.
We know that the threat of cyberattacks by our foreign
adversaries and other sophisticated entities is real and it is
growing. Last month's 2019 Worldwide Threat Assessment detailed
how China, Russia and other foreign adversaries are using cyber
operations to target our military and our critical
infrastructure. The assessment notes that our electric grid and
natural gas pipelines are particularly vulnerable to attack and
that Russia is mapping our infrastructure with the long-term
goal of causing substantial damage.
Unfortunately, we have already seen the real-world
ramifications of cyberattacks on energy infrastructure. Back in
December 2015, Russian hackers cut off power to nearly a
quarter-million people in Ukraine. And in the summer of 2017,
Russian hackers infiltrated the industrial control system of a
Saudi Arabian petrochemical plant and disabled the plant's
safety systems.
We cannot let a similar attack happen in the United States.
Our grid system is "uniquely critical" and the consequences of
a successful cyber incursion would be widespread and
devastating. The resulting loss of power could impact
hospitals, banks, cell phone service, gas pumps, traffic
lights, you name it.
The government's focus on cybersecurity, in partnership
with industry, is a major reason that the United States has not
experienced an attack like Ukraine's. In the 2005 Energy Policy
Act, Congress created the Electric Reliability Organization. We
have since certified it as NERC and mandated reliability
standards to be developed through an industry stakeholder
process. Protecting our nation's critical assets is a shared
responsibility, with federal, state, and private sector
partners working together to improve cyber defenses and
coordinate responses to cyberattacks.
The 2015 FAST Act enacted provisions authored by this
Committee to codify the Department of Energy (DOE) as the
sector-specific agency for energy sector cybersecurity and
provide the Secretary with authority to address grid-related
emergencies. We also enacted provisions to facilitate greater
information sharing by protecting sensitive information from
disclosure.
The Administration is taking steps to address emerging
cyber threats. Last year, DOE established the new Office of
Cybersecurity, Energy Security, and Emergency Response, known
as "CESER." I look forward to learning more about the work
that is being done by this office. Assistant Secretary Evans
has been on the job for about six months, so gaining her
perspective this morning is going to be very useful for us.
The Department is also partnering with FERC to find
solutions to energy infrastructure threats. Next month the
agencies will co-host a technical conference to discuss current
and emerging cyber and physical security threats, as well as
ways to incentivize cybersecurity investments. It is important
that we are seeing these agencies prioritize cybersecurity and
plan this conference very closely together.
I am pleased to welcome a very distinguished panel this
morning. We have Chairman Neil Chatterjee from the Federal
Energy Regulatory Commission (FERC). We appreciate your
leadership at the Commission and look forward to your comments
this morning. I have already mentioned Karen Evans, the
Assistant Secretary at the Department of Energy working in
CESER. From the North American Electric Reliability
Corporation, or NERC, we have Mr. James Robb. We have David
Whitehead from Schweitzer Engineering Labs (SEL), and we have
Major William Keber from the West Virginia National Guard
Critical Infrastructure Protection Battalion.
I think it is well recognized that the panel we have in
front of us represents those who are on the frontlines of the
effort to protect our energy infrastructure from cyber threats.
Thank you all for being here. I look forward to your
testimony and comments.
I will now turn to my Ranking Member, Senator Manchin.
STATEMENT OF HON. JOE MANCHIN III,
U.S. SENATOR FROM WEST VIRGINIA
Senator Manchin. Well, thank you, Madam Chairman, and Happy
Valentine's Day to you and everybody else out there, men and
women, mostly the women.
The Chairman. Men too.
Senator Manchin. True, it is mostly women.
[Laughter.]
A tidbit I read this morning, it was really interesting and
fitting for today about how we got the name of Saint
Valentine's Day, or Valentine's Day.
Saint Valentine, in the second century of the Roman Empire,
basically, the Roman Emperor, Roman rulers, forbade their
soldiers from getting married. They thought they were better
fighters if they did not marry. Saint Valentine, basically, was
performing marriages because he was a devout Christian, and he
would say after he would perform the marriage, Happy Valentine.
And so, it came from Saint Valentine. That is how we got
Valentine's Day. It was very interesting to hear that, and I
thought I would share that with you. I don't know if it is
factual or not, but it sounds good.
[Laughter.]
Chairman Murkowski, I want to thank you for convening the
Committee today to talk about cybersecurity efforts in the
energy industry. This hearing is particularly timely because
just a few weeks ago, our Director of National Intelligence,
Dan Coats, publicly warned of two potential energy
cybersecurity attack scenarios: a Russian cyberattack that
could disrupt an electrical network for a few hours and a
Chinese cyberattack that could disrupt a natural gas pipeline
for weeks. These threats are not just theoretical.
We know that in 2015 and 2016, Ukraine suffered two
devastating power outages as a result of cyberattacks. And
according to the New York Times, a petrochemical plant in Saudi
Arabia was hit with an even more serious type of cyberattack in
2017. That attack was not designed to shut down the plant, like
the Ukraine power outages. It was meant to "sabotage the
firm's operations and trigger an explosion." In other words,
the attack could have taken human lives, but luckily it did
not.
I cannot overstate how serious this threat is, and I am
pleased that Secretary Perry has given this the attention it
deserves by elevating cybersecurity to an office of its own,
the Office of Cybersecurity, Energy Security, and Emergency
Response, or CESER, for short.
On a personal note, I am also pleased that the first
Assistant Secretary to run this office is Karen Evans, who has
not one but two degrees from WVU, a very smart lady.
I am also especially pleased to have Major Keber of the
West Virginia National Guard here to share the great work the
Guard has done for West Virginia in the cybersecurity space.
My current position as the Ranking Member of the Senate
Armed Services Subcommittee on Cybersecurity and my time
serving on the Intelligence Committee further convinced me that
we need to look at this as a national security priority.
Energy cybersecurity is national security. Period.
Absolutely. In fact, there are two items I raised in the Armed
Services Committee in our first cybersecurity hearing that are
equally relevant in the energy space.
First, supply chain security has emerged as a significant
focus in both spaces. We have to make sure the companies that
build components for our grid are secure. We have to protect
against vendors' remote access of the grid being exploited, and
we have to make sure that attackers do not insert malware into
a vendor software update.
Second, our cyber workforce is in crisis. We simply do not
have enough cyber workers to fill the positions. Forbes reports
that by 2021, there will be as many as 3.5 million, I repeat,
3.5 million unfilled positions. Yes, a big part of this is
about getting training, but let's not put the cart before the
horse. It is also about bringing these jobs to the areas that
need them.
I think that is where there is an opportunity here for
states like West Virginia and Alaska to fill the gap. I know
that Major Keber will speak to this a bit more, but the West
Virginia National Guard is one of the few National Guard units
with access to a decommissioned power plant for workforce
training, and they are increasing their workforce development
efforts.
I look forward to hearing from our witnesses about how the
nation can rise to this challenge while strengthening the
economies of places like West Virginia and Alaska. I look
forward to hearing from our witnesses about how the nation can
rise to this challenge while strengthening the economies in
places like Southern West Virginia and rural Alaska. And I
think it will require collaboration between all entities,
including those represented by our witnesses here today, to get
where we need to go.
My little State of West Virginia has been a leader on
energy supply and reliability for this country. But unless
cybersecurity challenges are addressed head on, it won't matter
how much supply we have. We must do everything we can to
protect and ensure the security of our infrastructure. As we
kick off that conversation in this new Congress, I am glad to
have this great panel here today to share their outlook for
cybersecurity in the energy industry.
Thank you, Madam Chairman.
The Chairman. Thank you, Senator Manchin.
We will now turn to our witnesses. I introduced everybody,
so we will just go ahead and proceed.
We will begin with you, Chairman Chatterjee. We would ask
that you all try to keep your comments to about five minutes.
Your full statements will be incorporated as part of the
record. Again, we appreciate the level of expertise that you
bring to this very, very important discussion.
Chairman Chatterjee.
STATEMENT OF HON. NEIL CHATTERJEE, CHAIRMAN, FEDERAL ENERGY
REGULATORY COMMISSION
Mr. Chatterjee. Chair Murkowski, Ranking Member Manchin,
and Members of the Committee, thank you for inviting me to
appear before you today to discuss the cybersecurity in the
energy sector. I appreciate the Committee's attention to this
crucial subject and the role that the Federal Energy Regulatory
Commission plays in securing our nation's critical
infrastructure.
I'd like to take this opportunity to highlight three major
issues for the Committee. First, the evolution of mandatory
reliability standards; second, the voluntary partnerships FERC
has established with industry and other agencies; and third,
the interdependency of the electric and natural gas systems.
Turning first to the topic of Mandatory Reliability
Standards. As part of the Energy Policy Act of 2005, Congress
gave the Commission the authority to approve and enforce
mandatory reliability standards for the nation's bulk power
system, including for cybersecurity.
As I'm sure Jim Robb will discuss in greater detail, EPACT
'05 established a joint responsibility between the Commission
and NERC as the designated electric reliability organization
for developing and enforcing the reliability standards. Because
of the unique relationship between our organizations,
maintaining an open and collaborative relationship between NERC
and the Commission has been a top priority during my tenure.
I'd like to thank Jim and the rest of the team at NERC for
their dedicated efforts, and I look forward to continuing our
important work together.
NERC's standards for cybersecurity, known as the Critical
Infrastructure Protection, or CIP, standards became mandatory
and enforceable in 2009. Since 2009, the CIP standards have
matured considerably and now form an effective framework for
protections against cyber threats. The evolution of these
standards has reduced the need for constant revisions to
address discrete issues and instead has allowed both FERC and
NERC to focus on tackling emerging threats. In particular, I'd
like to call the Committee's attention to two important actions
that the Commission has recently taken on this front.
First, at our Commission meeting last October, FERC
approved reliability standards to address supply chain threats.
By exploiting vulnerabilities in the electric utility supply
chain, adversaries can seize on a variety of opportunities to
compromise critical systems. While supply chain vulnerabilities
are some of the most important to address, they're also some of
the most difficult to mitigate. This is because today's
utilities rely on a highly integrated, global supply chain to
meet their business needs. Leveraging this modern network of
vendors can provide utilities with significant benefits but it
also presents difficulties in comprehensively identifying
risks. While there is no silver bullet to mitigate supply chain
risks, I believe this standard is a significant step in the
right direction.
Second, at our meeting last July, the Commission approved a
final rule directing NERC to expand reporting requirements for
critical systems. That rule directed NERC to develop a standard
requiring registered entities to report both successful and
attempted intrusions into critical systems to NERC's
Electricity Information Sharing and Analysis Center, as well as
to the Department of Homeland Security. This final rule
represents another important step toward mitigating risks by
enhancing the collection and distribution of information on
rapidly evolving threats.
While the NERC CIP standards form an important baseline,
compliance alone is not enough to achieve cybersecurity
excellence. That's why the Commission has adopted a two-prong
approach to address threats to energy infrastructure, mandatory
reliability standards overseen by our Office of Electric
Reliability and voluntary initiatives overseen by our Office of
Energy Infrastructure Security, also known as OEIS.
OEIS engages with partners in industry, states, and other
federal agencies to develop and promote best practices for
critical infrastructure security. These initiatives include,
among other things, voluntary architecture assessments,
classified briefings for state and industry officials, and
joint security programs with other government agencies and the
private sector. Because the responsibility for securing
critical infrastructure is shared across the public and private
sector, I am a strong supporter of our efforts to continue
strengthening these partnerships.
As part of that objective, the Commission continues to work
collaboratively in this area and will be hosting a joint
technical conference on March 28th with the Department of
Energy to discuss investments for cyber and physical security.
The conference will explore current threats against energy
infrastructure, best practices for mitigation, incentives for
investing in physical and cybersecurity protections and cost
recovery practices at both the state and federal level. And
there's one final area where I believe continued partnership
across industry and government will be essential. Because of
our nation's growing use of natural gas for power generation,
I'm increasingly concerned about the security of our natural
gas pipeline system.
Last year I joined my colleague, Commissioner Rich Glick,
in an op-ed, detailing how a successful cyberattack on the
system could have a significant impact on the electric grid.
Given this vulnerability, Commissioner Glick and I expressed
our view that more must be done to ensure robust oversight for
natural gas pipeline cybersecurity. Since the publication of
that op-ed, I've been pleased to hear from many members of the
natural gas pipeline community who have expressed their
appreciation for these concerns and a willingness to continue
taking steps to improve their security posture. I also recently
met with TSA Administrator David Pekoske and was impressed by
his focus on this vital issue as well as his pledge to further
improve TSA's oversight of pipeline security.
While I think both industry and government have made
significant strides, I believe more work still needs to be
done. The Commission stands ready to assist in these efforts
wherever we can.
Now before I conclude my opening statement, I want to thank
each of you, again, for your efforts in this space and your
time to engage in this conversation today. These are complex
issues and they won't be solved easily, but I appreciate the
opportunity to come before you today, and look forward to
continuing this essential dialogue.
[The prepared statement of Mr. Chatterjee follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Chairman Chatterjee.
Welcome, Assistant Secretary Evans.
STATEMENT OF HON. KAREN S. EVANS, ASSISTANT SECRETARY, OFFICE
OF CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE, U.S.
DEPARTMENT OF ENERGY
Ms. Evans. Chairman Murkowski, Ranking Member Manchin and
members of the Committee, thank you for the opportunity to
discuss the continuing threats facing our national energy
infrastructure. Focusing on cybersecurity, energy security and
the resilience of the nation's energy systems is one of
Secretary Perry's top priorities.
By the Secretary proposing and Congress affirming the
Office of Cybersecurity, Energy Security, and Emergency
Response, also known as CESER, the Secretary clearly
demonstrated his commitment to achieving the Administration's
goal of energy security and, more broadly, national security.
Our nation's energy infrastructure has become a primary
target for hostile cyber actors, both state sponsored and non-
state sponsored. The frequency, scale and sophistication of
cyber threats have increased. These cyber incidents have the
potential to disrupt energy services, damage highly specialized
equipment and even threaten human health and safety.
The Director of National Intelligence along with several
heads of the Administration's Intelligence agencies recently
stated in written testimony that China has the ability to
launch cyberattacks that cause localized, temporary, disruptive
effects on critical infrastructure such as the disruption of a
natural gas pipelines for days to weeks. Russia also has
similar abilities with the capability to disrupt an electrical
distribution network for at least a few hours, similar to those
demonstrated in the Ukraine in 2015 and 2016.
The release of the President's National Cyber Strategy,
also known as NCS, in September, reflects the Administration's
commitment to protecting America from cyber threats. The
Department of Energy plays an active role in supporting the
security of our nation's critical energy infrastructure in
implementing the NCS.
As a result, energy cybersecurity and resilience has
emerged as one of the nation's most important security
challenges and fostering partnerships with public and private
stakeholders is of the utmost importance for me, as the
Assistant Secretary of CESER.
CESER and its predecessor organization have demonstrated
the emergency response function through multiple weather
events, including hurricanes, by activating our emergency
response organization. In 2018, CESER responded to a wide
range of incidents, including six hurricanes, three wildfires,
two typhoons, a cyclone, an earthquake and a volcanic eruption.
Recently we worked closely with federal, industry and state
partners to monitor the impact to the energy sector in the
January 2019 Arctic Blast that affected central and eastern
portions of the nation.
However, today I would like to focus my testimony primarily
on the cybersecurity function of the office and how CESER will
meet the priorities of the Administration and work in
conjunction with our federal agencies, state, local, tribal,
territorial governments, industry and our national lab
partners. The Secretary has conveyed that he has no higher
priority than to support the security of our nation's critical
energy infrastructure.
CESER has the Department's lead to secure our nation's
energy infrastructure against all hazards, reduce risks of and
impacts from cyber events and disruptive events and assist with
restoration activities. The office enhances the Department's
ability to dedicate and focus attention on DOE sector-specific
agency responsibilities and will provide greater visibility,
accountability and flexibility to better protect our nation's
energy infrastructure and support asset owners as well as the
overall critical infrastructure response framework, as overseen
by DHS.
Establishing CESER is the result of the Administration's
commitment to and prioritization of energy security and
national security. Our long-term approach strengthens our
national security and positively impacts our economy. As CESER
moves forward, we are taking the first steps in
transformational change to achieve the Secretary's priority of
emergency preparedness and rapid, coordinated response to
disruptions in the energy sector.
I appreciate the opportunity to appear before this
Committee to discuss cybersecurity in the energy sector and I
applaud your leadership. I look forward to working with you and
your respective staffs to continue to address cyber and
physical security challenges.
[The prepared statement of Ms. Evans follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Assistant Secretary.
Major Keber, welcome to the Committee.
STATEMENT OF MAJOR WILLIAM J. KEBER, EXECUTIVE OFFICER, WEST
VIRGINIA NATIONAL GUARD'S CRITICAL INFRASTRUCTURE PROTECTION
BATTALION
Major Keber. Good morning, Chairman Murkowski, Ranking
Member Manchin, and members of the Committee. Thank you for the
invitation and opportunity to participate in today's hearing on
the Status and Outlook for Cybersecurity Efforts in the Energy
Industry.
My name is Major William Keber. I'm the Executive Officer
for the West Virginia National Guard's Critical Infrastructure
Protection Battalion, currently serving in a Title 32 status.
Our organization is a distinctive one that conducts assessments
and training to improve the security and operation of our
nation's critical infrastructure.
Since 2005, we have conducted infrastructure protection
assessments and training events for the Department of Energy,
Department of Transportation, Defense Industrial Base, the
Department of Homeland Security and the Department of Defense.
To date, our teams have conducted over 3,500 assessments and
2,600 training events, educating over 59,000 individuals. We
have conducted assessments in support of national events such
as the State of the Union, Republican and Democratic National
Conventions, the National and World Scout Jamborees and the
Super Bowl.
The West Virginia National Guard CIP Battalion has a
diversified portfolio that currently supports DHS, Department
of the Army and the United States Coast Guard. We support DHS's
Cybersecurity and Infrastructure Security Agency with training,
assessment support and infrastructure image captures. We
support the U.S. Coast Guard by conducting their port security
and resiliency assessments and the Department of Army by
conducting mission assurance assessments and training.
The CIP Battalion has always assessed networks and
communication architectures against cybersecurity concepts and
principles but never had the authorities to conduct deep
analysis on the network. Assessment teams were relegated to
questioning site representatives through interviews and
annotating their physical observations. Recent Congressional
legislation has opened the doors to evaluate cybersecurity and
thereby allowing us to expand our capabilities and
methodologies.
The West Virginia National Guard has developed a
relationship with the cybersecurity branch at NASA's
Independent Verification and Validation Office. Members of this
team have years of experience conducting blue and red team
cyber assessments against some of our nation's most complex
technical architectures. The collaborative sharing of best
practices has significantly enhanced our organization's
assessment teams.
We are currently working in conjunction with a
cybersecurity community of interest that includes Army cyber,
NASA, Idaho National Labs, the National Security Agency, the
Threat Systems Management Office, the Navy and the U.S. Army
Corps of Engineers to formalize our approach and bring together
the best practices from each of these organizations.
We are working to develop a comprehensive approach and
methodology for our cyber assessments. We will cover key cyber
infrastructure areas such as the perimeter, networks, endpoints,
applications, control systems and especially the policies and
procedures to govern them. We plan to conduct network
architecture reviews, traffic analysis, policy and procedure
document review, access control evaluation and wireless
vulnerability assessments.
Most importantly, we are striving to replicate these
systems in a lab environment to research potential
vulnerabilities, determine possible attack vectors, test
resiliency, identify systemic concerns and evaluate impacts in
a safe manner. We will document our findings and incorporate
risk mitigation recommendations into the Army's preexisting
remediation processes.
The West Virginia National Guard and the regular Army have
contributed to enhancing workforce development by sending team
members to specialized training. The West Virginia National
Guard has organized cybersecurity training in partnership with
the University of Charleston.
Additionally, we have utilized our access to a
decommissioned power plant in West Virginia. We utilize this
facility to give trainees the opportunities to see firsthand
the vast systems involved with industrial systems and power
generation.
Our Army partners have organized training at Idaho National
Labs, SANS and other Army training opportunities. The CIP
Battalion team's citizen soldiers have unique professional
experiences providing distinct benefits. We have engineers,
master electricians and network administrators that have
decades of industrial experience. They can serve on an active
status with us or in traditional reserve status, later
returning to industry providing valuable skills and knowledge.
To summarize, the West Virginia National Guard CIP
Battalion is uniquely positioned to provide the Department of
Defense and other related sectors insight and assistance
pertaining to infrastructure protection and cybersecurity. We
will continue to move forward with our efforts to expand our
cybersecurity activities and help more organizations secure
this great nation of ours.
Thank you again for this opportunity to discuss our efforts
to enhance cybersecurity within the West Virginia National
Guard at today's hearing.
[The prepared statement of Major Keber follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Major.
Welcome, Mr. Robb.
STATEMENT OF JAMES B. ROBB, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
Mr. Robb. Good morning, Chairman Murkowski, Ranking Member
Manchin and members of the Committee. This is my first
appearance before the Committee as NERC's CEO, and I appreciate
the invitation very much to discuss the status and outlook for
cybersecurity in the electricity sector.
As you pointed out in your opening comments, Chairman,
electricity supports every aspect of our way of life and well-
being. While to date there's been no successful cyberattack
that's resulted in any loss of load in the United States, the
threats are very real and the potential consequences severe.
While all sectors of the economy are increasingly targets
for data theft, ransomware and other criminal activity, the
electricity sector, in particular, has taken the cyber threat
very seriously and has put in place a robust system to provide
protection for critical infrastructure. We find that boards and
executive leadership provide very strong support and focus and
set cybersecurity as a top priority for their organizations.
In recent years we've seen an increase in the
sophistication and frequency of cyber threats. The major
threats include phishing, malware, physical attacks and theft.
Spear phishing, in particular, with credential harvesting
objectives is one of the most common attacks because it's
proven to be so effective and relatively easy to execute.
Nation states and terrorist groups are persistent threats,
a reminder that security requires constant vigilance.
NERC and our work employs a three-pronged approach to
support the security of the bulk power system. Our approach
includes mandatory and enforceable standards, as Chairman
Chatterjee mentioned earlier, information sharing and
partnerships. Together they form a solid foundation of best
practices and strategies necessary to effectively confront this
ever-evolving threat.
NERC's mandatory critical infrastructure protection
standards provide a common foundation for security. Our
standards are developed using subject matter expertise from
industry through a FERC-approved process and then reviewed and
approved by NERC's independent board of trustees and then by
the FERC.
The CIP standards require companies to establish plans,
protocols and controls that protect their critical systems
against cyberattack, ensure the personnel are adequately
trained on cyber hygiene, timely report security incidents to
us and then be able to recover from events.
Electricity is the only critical infrastructure with
mandatory cyber standards. Compliance with those standards is
routinely audited and non-compliances are subject to financial
penalty.
However, while critical to the security equation, standards
alone are clearly insufficient. The emerging dynamic nature of
malicious cyber threats requires constant situational
awareness, real-time communications that are effective and
prompt emergency response capabilities. That's where
information sharing comes in. NERC's Electricity Information
Sharing and Analysis Center, or the E-ISAC, provides these
services and supports industry cyber defense. Operated by NERC,
but working in collaboration with DOE and the Electricity
Subsector Coordinating Council, the E-ISAC is the central hub
for the sharing of security information within the electricity
sector. The E-ISAC communicates with over 1,000 electric
industry organizations via a secure portal with critical
security information that is provided both by industry and
government. We conduct periodic webinars and critical broadcast
calls to rapidly communicate key insights and threats to
industry.
For the most serious of threats, NERC alerts are used to
provide concise, actionable security information and mitigation
strategies to industry. NERC alerts are divided into three
levels and can require companies to positively affirm back to
us that they have successfully mitigated the threat. Since
2009, we've issued 46 security-related alerts, 41 of those were
cyber-related.
Partnerships, however, form the third plank for security
and the preeminent partnership in the electricity sector is
something we call the CRISP Program, the Cyber Risk Information
Sharing Program. Conceived by the DOE and managed by the E-
ISAC, CRISP uses innovative technology developed by the
Department of Energy and the national laboratory system to
monitor cyber activity on company systems.
CRISP companies currently cover approximately 75 percent of
the meters in the United States and we are working to further
expand that program. Indicators and threat actor information
captured by CRISP is then shared to the entire E-ISAC
membership base. So it's shared beyond the direct participants
in CRISP so that everyone can benefit from those insights.
Another key partnership is NERC's GridEx exercise. GridEx
is the largest geographically distributed security exercise for
the electricity sector. It's conducted every other year and
simulates a widespread, coordinated physical and cyberattack
designed to overwhelm even the most prepared of organizations.
In 2017, 6,500 individuals and 450 organizations participated
in GridEx IV, and we'll be launching GridEx V this November on
November 13th and 14th.
Looking ahead, however, there are many challenges for us to
address and those include strengthening cross sector
partnerships to facilitate better information sharing and
coordination between critical infrastructure segments,
developing more advanced and nimble tools to stay ahead of
adversaries, securing electronic devices that are connected
behind the meter, expanding the declassification and
dissemination of critical information and developing a strong
cyber-aware and cyber-capable workforce.
Thank you again for the opportunity to discuss NERC's
responsibilities for cybersecurity, and I look forward to
questions.
[The prepared statement of Mr. Robb follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Robb.
Mr. Whitehead, welcome.
STATEMENT OF DAVID EDWARD WHITEHEAD, CHIEF OPERATING OFFICER,
SCHWEITZER ENGINEERING LABORATORIES, INC.
Mr. Whitehead. Chair Murkowski, Ranking Member Manchin, and
members of the Committee, thank you for the opportunity to
share the views of Schweitzer Engineering Laboratories on the
important topic of securing our critical infrastructure from
cyber threats.
SEL is an employee-owned U.S. manufacturer and provider of
products, systems and services for the protection, monitoring,
control, automation and metering of utility and industrial
electric power systems worldwide. Our mission is to make
electric power safer, more reliable and more economical. We are
headquartered in Pullman, Washington, and employ 3,700 folks in
the United States with a total of 5,200 employees worldwide.
As highlighted by today's hearing, cybersecurity is a
critical component for the secure and reliable operation of
electric power systems. For 35 years, SEL has emphasized the
importance of security in the products and solutions we create.
Whether it's regulatory compliance, securing power system
assets or protecting operational network technologies, SEL
offers security-focused solutions to help utilities protect
electric networks and help vital industries protect their
assets.
Today, I'd like to highlight three topics that I believe
are critical to the cybersecurity challenges we face in the
energy industry and our nation. First, I will review what we
see as an essential role of government, ``teaching the
threat''; second, I will discuss the difficult task of
balancing regulation and innovation; and third, I will provide
a few examples of how industry is actively addressing
cybersecurity threats.
My point one, teaching the threat. We read in the news
weekly, sometimes daily, about advanced, persistent threats
from nation-states. Clearly, our adversaries are becoming more
sophisticated in the way they target our critical
infrastructure. We are constantly having to evolve our thinking
and innovate against these threats.
At SEL and other like-minded companies, we have some of the
best engineers in the world doing just that. What we do not
have is the access to the vast and sophisticated intelligence
and information gathering that exists in our country. The U.S.
Government has the capability to identify, classify and
communicate these threats. At SEL, we take cybersecurity
threats very seriously, and we act immediately when we receive
information.
Building out a more robust system of communication where
government agencies move quickly and efficiently to share
important information, to teach us about the potential or
actual threats, will not only make our systems or will make our
systems more secure.
Point two, balancing regulation and innovation. SEL is a
company built on the foundation of innovation. At the entrance
of our research and development building in Pullman,
Washington, these words are boldly displayed, ``The best way to
predict the future is to invent it.''
Innovation and regulation do not have to be at odds with
each other. Regulations, however, are often implemented as a
reaction to an undesired event. As soon as a regulation is
enacted to address a specific issue or event, bad actors are
already looking for other avenues of exploitation.
Regulations have the capacity to limit how an institution
may go about solving a problem. And further, regulations will
never be able to anticipate new or innovative solutions. There
are clear and obvious needs for standards and regulations and
we are always ready to work together to create solutions, but
we would encourage or we should be encouraged to work together
in finding ways to continue fostering critical innovation that
outpaces our adversaries. We cannot allow bad actors, who are
unconstrained by regulations, to outpace us.
And point three, industry is actively addressing
cybersecurity threats. There is so much cutting-edge work being
done in our industry to keep ahead of cyber threats. During the
past 35 years since the development of our first product, SEL
has continued to advance cybersecurity solutions. As systems
become more integrated, we have moved from a, or we moved to a,
security-in-depth approach, building layers of security so that
systems are not dependent on one security feature, but instead
consist of many layers. And solutions range from simple to very
sophisticated.
I remind folks never to connect critical infrastructure to
the internet and to audit this which is certainly a very simple
solution and then there's new technologies evolving like
Software-Defined Networking which I'm convinced is the solution
for engineered and cyber-secured industrial networks which is
certainly a more sophisticated and technically advanced
solution.
The Federal Government is not the only entity paying
attention to cybersecurity, industry is addressing
cybersecurity too. Last week, I had the opportunity to attend
DistribuTECH, a very large, electric power industry conference
in New Orleans. It was exciting to see cutting-edge cyber
solutions being offered by both new startups and well-
established suppliers. There are many brilliant minds working
diligently to solve cybersecurity challenges.
As new threats emerge, and they will, industry and
government must work together and learn from each other to
effectively secure our critical infrastructure. And I know we
can.
Thank you for the opportunity to testify, and I look
forward to the questions you may have.
[The prepared statement of Mr. Whitehead follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Whitehead.
I think your comments really sum it up neatly.
Specifically, how do we stay ahead of the bad actors? To use
your words, the best way to predict the future is to invent it,
but that requires us to be nimble and flexible, to be quick.
You mentioned that it would be helpful if government agencies
moved more quickly to share information.
One of the things that we are not really adept at here in
the Federal Government is moving quickly and sharing things
readily. It speaks to the reality of this problem that we are
reckoning with, not just here in the Energy Committee but
across all of these Committees, whether you are on SASC or you
are on Commerce or Homeland, this is impacting all of us.
You have suggested, Mr. Whitehead, that some regulations
can inhibit the process of invention. We would like to think
that some regulation can actually help incentivize more
investment, which I hope is the purpose of the joint conference
that FERC and DOE are going to be hosting, called Security
Investments for Energy Infrastructure.
So, just a quick conversation this morning with you, Mr.
Chairman, Assistant Secretary, and Mr. Whitehead. Exactly what
options are out there to help facilitate this ability, this
innovation, so that we have the investment that will line up
behind it because you cannot have one without the other.
Do you want to start off, Mr. Chairman?
Mr. Chatterjee. Thank you for the question, Chair
Murkowski.
As I mentioned in my opening remarks, the Commission takes
a two-pronged approach to address much of what you and Mr.
Whitehead just laid out.
We have mandatory reliability standards overseen by our
Office of Electric Reliability but I firmly believe that those
standards are the floor, not the ceiling. And that is why the
second prong of our approach through our Office of Energy
Infrastructure Security on focusing on voluntary best
practices. Coordinating with other agencies is so critical to
keep up with these, with the required information sharing that
is necessary and these fast-evolving threats that we're dealing
with.
The Chairman. Do you think we share information quickly
enough and adequately enough?
Mr. Chatterjee. I think the efforts that Secretary Perry
and Deputy Secretary Brouillette have led through the Electric
Sector Coordinating Council have been effective. We've got the
appropriate agencies and industry and stakeholders at the
table, but we need to be smarter and better. We can always be
better.
I'm looking forward to the joint technical conference to
make sure that as we look at cyber and physical protections
that we have the right incentives policy in place. And that's
really an important role that FERC can play in ensuring that
those incentives to take on those risks are there so that we
attract the right kind of investment focused on these physical
and cyber threats.
The Chairman. I appreciate that.
Under Secretary?
Ms. Evans. So I'd like to approach it a couple different
ways based on what we've talked about today.
The CESER office is actually looking at this challenge in
concurrent paths, not sequential paths. There are specific
things that we have to be able to do in order to respond and
understand what's going on, and I think a lot of that deals
with the information sharing.
It's clear with what Chairman Chatterjee has said and the
leadership and the partnership that we have with the E-ISAC and
our electricity subsector coordinating council as well as the
oil and natural gas coordinating council. So a lot of that
information is being shared.
A specific example I would like to share is that this
Administration and we have been very forward leaning with
attribution and then doing a full, multi-pronged approach with
indictments as well as sanctions and then putting context
around the information as to what is the threat and then how do
you manage that. And then we share it out through the E-ISACs.
But the other thing that we most recently have done on
February the 6th, the Department has sent out a notice of
intent, and you're going to hear me reference this a lot, which
is the ``Clean Energy Manufacturing Innovation Institute:
Cybersecurity in Energy Efficient Manufacturing'' because to
me, that is how we get to the innovative leap ahead types of
things.
Everything that everyone has talked about, about building
it into software, being able to manage ahead, taking care of
innovation, that is the vision of what this manufacturing
institute will do. And looking at a lot of the things that we
have learned as an industry across the board and building it in
so that we can take advantage of the technology.
The Chairman. Thank you.
Mr. Whitehead, is this going to help?
Mr. Whitehead. What I think the biggest help we see right
now is having forums this like where I had the opportunity to
meet with Mr. Robb this morning for lunch and the information
sharing that is set up right now with members and government is
really the asset owner, so the Baltimore Gas and Electrics, the
PEPCOs and so on and so forth.
Where I think, for my request, is we're off one derivative
though because I'm the manufacturer of these devices that are
getting installed by the asset owners. And so, if there is a
cyber threat or one of these activities going on, I think we're
the most skilled in ascertaining what is the impact of a
particular cyber threat because we're the ones writing the
code, developing the hardware. So getting us looped in as
quickly as possible if there's an attack out there and setting
up mechanisms so it's, we refer to it as a JITE type of
information exchange, I think it would really move us forward
in terms of being able to secure our critical infrastructure.
The Chairman. Thank you.
Senator Manchin.
Senator Manchin. Thank you, Madam Chairman. I thank all of
you for your appearance today.
Many in this room, myself included, spent time at
substations and know how physically vulnerable they used to be.
In April 2013, attackers with rifles shot 17 transformers at a
Metcalf, California substation. Before the attackers opened
fire on the transformers, fiber optic lines running nearby were
cut.
Since then, NERC has proposed standards requiring
transmission owners to address physical security risk and
vulnerabilities that could impact the reliable operation of the
grid.
Mr. Robb and Chairman Chatterjee, I want to ask quickly,
how has the physical security of the grid, specifically at
substations, improved since those attacks? Very quickly, if you
will.
Mr. Robb. Now that the physical security standard you
referenced has been put in place, all of the utilities in the
country have had to identify critical assets within their
jurisdiction and when we have to verify that they did the
assessment of what's critical correctly and then they have to
have a credible hardening plan against them. So not every
substation in the country is subject to that protection
standard, but the critical ones are and those actions have been
put in place.
Mr. Chatterjee. I agree with what Mr. Robb has said. You
know, the important part is identifying, you know, where those
critical substations are and where those key interconnections
are and we have to remain, you know, vigilant on this.
Senator Manchin. Let me go into this then.
Just a week and a half ago, NERC issued the largest ever
fine for 127 violations of physical and cybersecurity
standards. As a general matter, many in the electrical sector
have viewed the NERC standards as effective at establishing a
baseline for cybersecurity.
It is also my understanding large utilities often have more
resources available to them than the smaller utilities to make
the necessary security investments.
So, again, my question would be as the entity responsible,
Mr. Robb, for enforcement and imposing fines, what is your view
of the current state of compliance across the country?
Mr. Robb. So, in general, the industry has taken security
very, very seriously and I think one of the important things to
note about the CIP standards is one, they're relatively new to
the industry. And most all of the violations that we process,
including many in the enforcement action you referenced,
Senator, are voluntarily reported, detected through detective
controls within the entities. And I think that, in and of
itself, shows the level of diligence and seriousness with which
industry approaches this.
I think your question about the resources of large versus
small entities is a very insightful question. One of the things
that we have done with our substandards is try to take a very
thoughtful, risk-based approach to make sure that those
entities, those assets, those functions, if you will, elements
that propose the highest risk to reliability are more
thoroughly protected and for lower risk entities and so forth,
that they are, they have a baseline----
Senator Manchin. Are there resources available to the
smaller utilities so that they can maintain the security they
need?
Mr. Robb. I can't speak, obviously, for every utility in
the country.
One of the----
Senator Manchin. No, I am saying do we have programs in
place, government programs, because of the necessity of
security, to make sure that smaller utilities are still meeting
the highest security standards we have?
Mr. Robb. The small utilities are required to be compliant
for those functions that they are responsible for.
One of the other initiatives that the industry has put in
place though is something called Cyber Mutual Assistance.
Senator Manchin. Okay.
Mr. Robb. So that if an entity that is resource constrained
suffers a cyber event or a physical event, that in the same way
that the industry will muster resources to help in storm
recovery and so forth, will also deploy resources to help in
cyber recovery.
Senator Manchin. Every two years, the North American
Electric Reliability Corporation Grid Security Exercise, called
GridEx, challenges utilities and state and local governments to
respond to realistic cyber or physical security threat
scenarios.
Major Keber, from our little State of West Virginia, are
you all participating? Do you participate in GridEx?
Major Keber. Sir, to date, I have not personally, but yes,
we do send other members that are working in our cybersecurity.
Senator Manchin. Are all states represented? Do we know who
is participating in GridEx so we can basically evaluate their
proficiency?
Mr. Robb. I can't affirm that every state does, but I'm
pretty sure they all do.
Senator Manchin. And?
Major Keber. Yes, sir, I have heard that there is good
representation from other states to include West Virginia's
participation in the national GridEx exercise.
Senator Manchin. Thank you, Madam Chairman.
Thank you, all, I appreciate it.
The Chairman. Senator Risch.
Senator Risch. Thank you, Madam Chairman.
First of all, I want to welcome Mr. Whitehead here. We are
honored to have a good chunk of Schweitzer Engineering
Laboratories in Idaho. Mr. Whitehead, I think, was very modest
in his description of what the company does. You indicate you
have 5,200 employees around the world. How many countries do
you operate in, Mr. Whitehead?
Mr. Whitehead. We have product in about 146 different
countries, so we certainly have a global presence.
Senator Risch. Yes.
Schweitzer Engineering was founded by a genius of a man,
Edward Schweitzer, who is a former NSA employee, interestingly
enough. And he is the driving force right now behind the
establishment of an NSA museum here in Washington, DC.
The products that they put out are legendary around the
world, and we are glad to have you.
You and I have talked a little bit about this but when I
started about ten years ago on this, well, on this Committee
and the Intelligence Committee, the cyber thing was becoming
obviously a big issue. At that point the private industry was
very, very reluctant to engage the United States Government in
its activities and particularly to disclose to them what kinds
of things they were doing, what they had, et cetera, et cetera.
After a couple of few incidents the private sector and, by
the way I understand where they were coming from on this, but
after a couple of few incidents the private sector had a rude
awakening and now that whole situation has changed
dramatically.
Do you agree with that assessment, that the private sector
has realized that they are not big enough to individually take
on this cyber threat?
Mr. Whitehead. I think there's certainly a lot of talent
within the private sector to go about solving problems.
Certainly, the challenge we have in the private sector is
knowing all of the threats that may be coming at our critical
infrastructure.
And I think, again, that's where the government plays a
great role. They have a lot of resources to understand, attack
vectors and who may be the threat actors challenging our
systems. So the ability to work with the government to quickly
exchange information, tell us what's going on, by us being the
individual manufacturers or the asset owners, being able to
tell us what the threat is or teach us what the threat is. We
have a lot of brilliant minds that then can figure out how to
mitigate those threats and come up with new solutions to
protect our critical infrastructure.
Senator Risch. It has become a much more robust partnership
then, would you agree with that, between the private sector----
Mr. Whitehead. Yeah, I think, yeah. After the last ten
years or so we're getting, you know, great relationships with
NERC and other regulating bodies.
I feel that the pace with which information gets
disseminated could--it would help us all if it was sped up.
Senator Risch. As I listen to the threats through the
Intelligence Committee, I am always amazed that we do not have
more trouble than we do with the number of people that are
levying a tax against us, the number of attacks that they are
levying against us and the sophistication with which they are
operating.
It is things that you make at your company that stop that
and, for that, I think everyone should be grateful, although
most people have no idea what, that those devices are out there
between them and between the device they are holding and where
they are communicating with.
Mr. Whitehead. Thank you.
And it's not like, well certainly from SEL's perspective
which we woke up say, five years ago, and thought cybersecurity
would be a challenge. And as you pointed out, Ed, Dr.
Schweitzer, had a career at DoD and took cybersecurity very
seriously. So even back in 1984 when he created the first
product, there were two levels of passwords and other means for
signaling control systems, that there was, you know, at least
an attempted access to one of our devices.
So, this is, we've always, I think, taken cybersecurity
very, very seriously from day one, certainly at SEL, and I
think our industry also appreciates the need for cybersecurity.
Senator Risch. Well, we appreciate that.
Major Keber, very briefly.
I understand that you recently had some training at the
Idaho National Laboratory (INL) on cybersecurity. Is that
correct?
Major Keber. Yes, sir, that is.
Senator Risch. Realizing you cannot tell us everything
about it, for those of you who do not know, the Idaho National
Laboratory has been the flagship nuclear energy laboratory in
America and is quickly becoming the cybersecurity flagship
laboratory in America which we are glad to have. It has some
unique things going on there, some unique assets, that they
have that make it such.
Could you tell us a little bit, briefly, about your
training there and what you can tell us about it?
Major Keber. Yes, sir.
It was, the training was a very good, comprehensive look at
industrial control system cybersecurity. We looked at
specialized, sort of, devices that are unique to industrial
control system and kind of looked at the holistic approach of
how to access those particular networks and infrastructures
developed.
They did take us, we did take a look at the tour of the lab
that they have there. It was a very interesting and unique, one
of a kind, site to see.
Senator Risch. Did you meet with any of the strike teams
that they have there that are ready to deploy?
Major Keber. Yes, sir.
We met with some of their assessment teams. They came in
and we had an engagement with them and it was very informative.
We shared and cross-leveled best practices and took a lot from
what they had to offer in a way of experiences and things that
they're seeing out during their assessments.
Senator Risch. Well, we are proud of the INL, and glad to
hear that it worked well for you.
So thank you very much. My time is up. Thank you very much,
Madam Chairman.
The Chairman. Thank you, Senator Risch.
Senator Stabenow.
Senator Stabenow. Thank you, Madam Chair.
First to you and the Ranking Member, congratulations again
on a very important lands bill being passed. I know it was an
incredible amount of hard work for a long time. So
congratulations.
This is an incredibly important hearing. It touches every
part of our economy, our way of life, and our national
security. So thank you to all of you for being here.
The last polar vortex a few weeks ago produced, as we know,
freezing temperatures and snow and rain across the Midwest. We
certainly felt that in Michigan. We had a gas compressor
station in Southeastern Michigan that suffered an unexpected
fire, and there were a lot of questions about how that happened
and what was going on, as you know. It resulted in Michigan
families being asked to lower their thermostats, and
businesses, including our auto manufacturers, suspended
operations.
It was a real sobering reminder of the vulnerabilities,
both because of climate change and what is happening around
carbon pollution, and cyberattacks from foreign companies or
others and the increasing interdependence of our critical
infrastructure. And I know that is why we are having this
discussion.
I want to stress one area in transportation coming from
Michigan, because we know that the new cybersecurity threats
are emerging as transportation becomes more electrified and
autonomous. This is another important piece because we know
that by next year, 90 percent of new cars are projected to be
connected to the internet and what comes with that. And we know
that within 20 years, 55 percent of all new car sales are
projected to be electric, in addition to other kinds of fuels.
We currently have mandatory federal cybersecurity standards
for bulk power in electric systems, but not for interstate
natural gas pipelines and electric distribution that directly
services homes, businesses and transportation.
I know that Chairman Chatterjee, you mentioned that gas
infrastructure, but to you and Mr. Robb, isn't it time we had
mandatory cybersecurity standards for this critical electric
and gas infrastructure?
Mr. Chatterjee. Thank you, Senator Stabenow, for the
question.
And yes, the point you raise is spot on. The increased
interdependence that we are seeing, particularly between gas
and our electricity mix in our power system makes ensuring the
security of that infrastructure so important and so
significant. And it's something that I've been particularly
concerned about.
I partnered with my colleague on the Commission, Rich
Glick, early on after we both joined the Commission, to
highlight the fact that due to this increased interdependence
focusing on the security of this infrastructure was essential.
We raced and looked at the fact that while FERC was responsible
for permitting the approval of the pipeline, the responsibility
for securing the pipelines, you know, against physical and
cyberattacks fell to the TSA. So, the agency which is
responsible for 800 some odd million aviation passengers, the
highways, our rail system, also responsible for this massive
network of pipelines. We had concerns about the resources and
the personnel and the expertise at TSA to do this as well as
the fact that TSA relied upon voluntary standards.
One thing that I will say is that in the past year since
Commissioner Glick and I, sort of, elevated the profile of this
discussion and folks like Senator Heinrich and others have
introduced legislation on it, I have been impressed by the
response I've seen from both industry and TSA. Industry has
really moved forward to take ownership of this and take steps
to demonstrate their seriousness and focus on investing in the
security. And as I mentioned in my opening remarks, in meeting
with the TSA Administrator, it was clear that they were putting
a greater focus on this. That said, the recently published GAO
report showed that there is still much, much more work to do.
And so, while I'm pleased with the progress we've seen
since we elevated the profile of this issue, I'm going to
remain vigilant on it because there's a lot more that needs to
be----
Senator Stabenow. Well, we have been talking about this for
a long time, frankly, and not moving as fast as the technology.
Those that wish to use the technology to do us harm are moving.
I did not hear yes or no on mandatory cybersecurity standards.
Mr. Chatterjee. Again, I think it's an ongoing dialogue
that we'll have to see.
Senator Stabenow. Alright.
Mr. Chatterjee. I've been encouraged by the voluntary, by
the improvement in the voluntary steps that industry has taken
and by the attention that TSA is putting to this. I want to
continue to work toward that.
Senator Stabenow. I understand. We need to be moving a lot
faster.
Mr. Robb, did you have thoughts on that?
Mr. Robb. Well, I'll agree with the Chairman that the
interdependency between natural gas and electric, the electric
sector, has become fundamental now to the reliability of the
system. Without fuel, power plants can't run.
And while I can't comment authoritatively on the state of
cybersecurity on the pipelines and the effectiveness of the
voluntary standards that are in place there, I think it is
incumbent upon the natural gas industry to be as secure as the
industry that they are supporting.
Senator Stabenow. Okay. We have a lot of work to do in all
of this.
My time is up, so I will not ask another question, but I am
going to ask in writing about the vulnerabilities in our energy
supply chain and whether our growing dependence on foreign made
energy components presents a potential national security
threat, as we are hearing from our own intelligence community
when they say technology supply chain attacks are a key threat.
I know in the auto industry they are deeply concerned about
that.
So thank you, Madam Chair.
The Chairman. Yes, it is a good question.
Senator Cassidy.
Senator Cassidy. Mr. Whitehead, I think it was you who
mentioned the necessity for increased information sharing
between the Federal Government and folks such as you. I totally
agree. Why is it not occurring?
Mr. Whitehead. I think that's better left up to Mr. Robb or
the Chairman.
When we had to have conversations to make great
conversations with them, I think that we're just at a point now
where we've established between say, the government and the
asset owners. I think that the next step in the evolution of
how we share information that will certainly include the
equipment suppliers to the asset owner.
Senator Cassidy. So let me kick it over to you, Mr.
Chatterjee, because if we have voluntary standards and as
Senator Stabenow said, okay, it's very important, but
everybody's testimony says it is dynamic. How can you
voluntarily comply with a dynamic situation when you are not
given the information about the dynamism? Does that make sense?
Mr. Chatterjee. It makes complete sense.
I think there are a number of elements to this. The topic
of workforce has come up. You know, cybersecurity talent is
hard to find.
Senator Cassidy. Now, that seems separate though, if I may,
because obviously you have somebody coding but you have
somebody else saying, uh oh, we never thought of this one but
they are coming at us this way. That is not workforce, that is
information sharing.
Mr. Chatterjee. Information sharing is a component of it as
well. There's also issues, quite frankly, that are taking place
with getting the sufficient clearances.
FERC has been trying to do our part to do one day read ins
so that our colleagues at the state level and industry have
access to----
Senator Cassidy. Now, we have heard testimony, not to
interrupt, but I have limited time.
Mr. Chatterjee. Yes, sir.
Senator Cassidy. We have heard testimony, because I think
Madam Chair has a fixation on this topic. So last time we had
several hearings on this, and it was that the big energy
producers have that clearance. There is someone there who has
that clearance. But still I am hearing from Mr. Whitehead, who
is being very diplomatic over there, that the information is
not being shared. Now you sense my frustration.
Mr. Chatterjee. Absolutely, sir.
Senator Cassidy. So, digame, porque?
[Laughter.]
Why is that?
Mr. Chatterjee. So again, there are challenges that occur
in terms of sharing the information in a classified setting. We
are doing everything we can to make sure that the information
that we gather in a closed setting or an open setting is shared
with industry partners----
Senator Cassidy. What I am hearing from Mr. Whitehead--my
eyes are not good enough, is it doctor or mister?--that is not
the case. Ms. Evans, did you have some comment on that?
Ms. Evans. Yes, sir, I appreciate the opportunity to
discuss this with you.
This is exactly why Secretary Perry established the CESER
office is to address the frustration that you're experiencing
right now and that you're expressing.
So the activities in the programs in our office are to help
bridge that gap with our partners because we're looking at it
from a national security perspective. So the threats, the
things that you're talking about, how do you declassify that
and then how do you get it out to the asset owners as well as
to the people that are delivering services and also software
and manufacturers, those types of things?
Senator Cassidy. So none of that is aspirational.
Ms. Evans. Well, no, I was going to get into--we were doing
things. We actually have----
Senator Cassidy. Okay, because I have a minute and 40
seconds left.
Ms. Evans. Okay.
So we have several programs underway and the most recent
example under my tenure is the APT10 threat where we worked to
declassify, with the intel community, declassified those
indicators, then shared those out with the community through
the E-ISACs and then continuously communicate that back out. We
work with the national labs and it's----
Senator Cassidy. Why would Mr. Whitehead say that there is
still an issue here?
Ms. Evans. Because the Administration and Secretary Perry
and this office has been established for four months.
Senator Cassidy. Got it.
Ms. Evans. And so, I would give you, I would ask you to
give me the opportunity to increase that because he does work
with our research and development program and there are several
programs that we are actually working in conjunction with him
to improve that.
Senator Cassidy. Got it.
Now let me ask you one more thing. Everybody mentions this
dynamic you don't want regulations but there was a malware
incident with Entergy about a year ago and it was on the
corporate side, not on the grid side. I think it is MISO--I
never know if it is ``meeso'' or ``miso''--but the concern was
that it might infect the transmission. It did not because it
was in corporate.
That just seems like a best practice that you would have a
firewall between somebody opening an attachment from his son
which turns out to be malware versus that which is sending
electrons from Indiana to Louisiana.
Knowing that we do not want to regulate this to death but
are there best practices that are expected to be complied with
because, for example, in a previous hearing we heard that in
some situations they have an analog switch as a best practice
because it doesn't allow the cyber to go all the way through
because there's one little flip that a human being has to do
that otherwise protects one side from the other. Are there best
practices that we are, kind of, mandating?
Ms. Evans. Well, we're not mandating best practices. What
DOE does is share the information out with our respective
partners that are represented here as well as into the
community. So that specific incident that you are describing
really says, okay, if you're going to gain efficiencies, don't
connect your IT systems to your OT systems. Yes, that is a best
practice that is stressed throughout the community that is
talked about over and over again. I know that the E-ISACs have
shared that information out in the community. But this is some
of those things where you have to over communicate to make sure
that best practices and the exercises--you know, we have done
joint exercises with FERC. We do the exercises, we participate
because exercises highlight what you think the best practices
are, give you opportunities to really demonstrate those and
then to continuously close the gap. So everybody has been
talking about that, that is important.
Senator Cassidy. I have a question for the record regarding
compliance with those best practices because once you have
everybody putting their electrons on the same grid, you want to
make sure that they are not just thinking about it but they are
actually doing it.
Ms. Evans. Yes, sir.
Senator Cassidy. So we would like to know about compliance.
Madam Chair, thank you for indulging.
The Chairman. Thank you.
Senator King.
Senator King. Thank you, Madam Chair.
First, I would like to hopefully suggest that we can move
quickly on S. 174, which is the bill of Senator Risch and me.
Last year it was S. 79. It passed the Senate and came within a
whisker of passing the House at the very end of the session. I
hope we can. We have had a hearing. We have had a markup. I
hope we can move that bill out because it addresses this
question exactly.
There is a weird calmness about this hearing.
[Laughter.]
This is not calm. The Russians are already in the grid, are
they not, Mr. Robb?
Mr. Robb [off mic]. I can't----
Senator King. Well, there were news reports from a year ago
of the Department of Homeland Security releasing screenshots of
Russian hackers in the SCADA system. Is that not true?
Mr. Robb. Again, I'm not in a position to talk----
Senator King. Well, can you comment on the public story
that was something released by the Department of Homeland
Security?
Mr. Robb. No.
Senator King. Okay, let me ask another question.
Do any of our utilities have Kaspersky, Huawei or ZTE
equipment in their systems?
Mr. Robb. We issued a NERC alert.
Senator King. I did not ask you if you issued an alert. I
am asking you, do any of our utilities have ZTE, Huawei or
Kaspersky equipment or software in their systems?
Mr. Robb. Not to my knowledge.
Senator King. Not to your knowledge.
Mr. Robb. Not to my knowledge.
Senator King. Have you surveyed the utilities to determine
that?
Mr. Robb. I don't believe we have.
Senator King. I think that would be a good idea, don't you?
Mr. Robb. I'll take that on.
Senator King. Thank you.
Of course there should be mandatory standards for gas
pipelines. They are part of the electric system. 60 percent of
the energy of the electric industry supply in New England is
natural gas, not to mention heating.
It seems to me we have already passed this, an effective
system for the electric utilities, and Mr. Chairman, I am with
you 100 percent, but I just don't want you to hedge about it. I
think you should come right out and say, we have to do this.
Mr. Chatterjee. I think mandatory standards are one way to
do this, but I just would caveat that they are not necessarily
the only way and the only--the point that I was making was that
I've been heartened by the significant support I've seen from
industry since I raised the subject matter, and I want to
continue that productive dialogue.
Senator King. Do they support mandatory standards?
Mr. Chatterjee. Right now, again----
Senator King. Let me guess, they don't.
Mr. Chatterjee. At this stage I have to commend them for
the steps that they have taken since I raised this issue, and I
want to give them the opportunity to work in good faith going
forward.
Senator King. Well, I appreciate working in good faith, but
it seems to me we made a realization some years ago that
mandatory standards made sense in the electric side. If the
natural gas pipeline system is now essentially a part of the
electric system, I see no reason why that should not be the
case in that industry.
Mr. Chatterjee. I think there's no question that Congress
continuing to shine a light on this will help move forward on
this issue.
Senator King. Major, do we red team the utilities?
Major Keber. Sir, not at this time, I do not. My teams do
not red team utilities and private sector. We are focused on
government-only entities.
Senator King. Mr. Robb, does anybody red team the
utilities?
Mr. Robb. I'm not aware of, sir.
Senator King. Don't you think that would be a good idea?
You can't really tell if you are safe until somebody smart
comes in and tries to attack you.
Mr. Robb. I'll take that, sir.
Senator King. Thank you.
Again, I just think we are entirely too calm about this.
This is not a threat. This is happening now. We are under
attack.
This is not something that may happen next year or two
years from now, and I am not revealing anything classified in
the sense of quoting news articles and presentations by the
Department of Homeland Security.
We are in a very dangerous place and I just think this has
to be an emergency, an urgent situation and that's--I just, I
hope I have conveyed that here this morning.
Madam Chair, I really commend you and the Ranking Member
for doing this hearing, because I do not think there are many
more serious threats facing this country than this one.
And I thank all of you. I don't mean to come off as
negative. I love what you are doing at the Department of
Energy. You have the office set up. It is the right structure.
But I just think this has to be addressed with a real sense
of crisis because I do not want to go home to Maine and say,
well, we knew what was going on but you know, we had four
committees here that had jurisdiction and we really could not
quite get it done. We have got to get it done.
Thank you, Madam Chair.
The Chairman. Thank you, Senator King.
I am reminded that when it comes to pipelines that, oddly,
it is not our Committee's jurisdiction, it is the Commerce
Committee. But you are right, cybersecurity is not limited to
this Committee or to Commerce or to Homeland or to SASC, it is
cross-jurisdictional. We need to address it as such.
How we are able to do that and do that quickly gets back to
the issue that it is not only agencies being nimble. It has to
be amongst us and our committees and how we are talking with
one another, because right now we all know that we have our own
silos inherent within this. But you have good cause to be
frustrated.
Let's go to Senator McSally.
Senator McSally. Thank you, Madam Chair.
I want to pick up where my colleague left off, because I
agree this is a very real threat and the threat is with us.
I am thinking back if I close my eyes, I worked for Senator
Kyl back in 1999 when I was a major in the Air Force as a
Legislative Fellow. As he was the Chair of Technology Terrorism
and Government Information Subcommittee on Judiciary, this is
what we focused on. The majority of my portfolio was
cybersecurity related to critical infrastructure and at that
point the potential threat of state actors and non-state actors
to hold us hostage and to take down grids and the potential
attacks there. If I close my eyes this would sound like a
hearing from 19 years ago in many ways.
I do not want to take away from some of the things that
have been done but what has changed in 19 years, more rapidly
than us figuring out how to defend, protect, share information
and do whatever it takes, is the threat is real and it is
happening. And that includes China and Russia, Iran, other non-
state actors that have just taken leaps and bounds investing in
looking at how they could go after us in asymmetrical
capabilities, to go after us where we might be vulnerable.
I appreciate you, Madam Chairman, for doing this hearing. I
appreciate the discussion today.
I am deeply concerned about the threat, the information
sharing, the silos, both up here and out there.
One is related to information sharing to rural communities.
So, the CRISP program, Ms. Evans. I want to talk a little bit
about some of the major utilities. A lot of them are involved
in it and that is great, but in Arizona the vast majority of
our communities are rural and so the smaller companies or the
co-ops and others--how is that program going to be able to or
how is more information sharing going to be able to get out to
small utility companies so that they are equally informed and
protected?
Ms. Evans. So I appreciate the opportunity to answer that
question, and I want to share although we are calm, I would say
that the Administration shares your sense of urgency in
addressing this issue because we know the threat is real and we
know that we have to deal with the energy sector accordingly.
And it is a multi-pronged approach to the question about is
there red teaming that is happening in the utilities. DHS does
have that capability and does offer it when it is asked for. It
is a voluntary type of activity.
As it relates specifically to the municipalities and co-
ops, we are embracing and taking that and leaping forward
because CRISP is an evolution of several lessons learned that
we have from the energy sector. And the one thing that I want
to highlight is that trust relationship that is key to
information sharing.
If you have this long history, as you have said, then you
know if there's no trust in the sector then the information
isn't going to be shared. And so, CRISP and the E-ISAC and the
leadership from the energy sector, across the board, both with
pipelines as well as oil and natural gas and the electric
sector have really built the trust. That's how we share the
information. They have an oil and natural gas. We have the E-
ISAC. And also because of what happened with the FAST Act of
2015, this Committee clearly established that DOE had to say
what is the critical defense, critical infrastructure and what
are the energy assets associated with that.
When we did that, Assistant Secretary Walker has done that.
We, as DOE, because of the critical nature paid to make sure
that those municipalities that were identified in that could be
part of the CRISP program as we continue to evolve how we're
going to do information sharing in a dynamic bidirectional way.
Senator McSally. Great, thanks.
I do want to follow up also on the clearances issue. I was
on the Homeland Security Committee in the House and this, for
all sorts of threats that we are talking about, whether it is
terrorist threats to, you know, massive sports gatherings or
retail industry, the constant issue that came up is the lack of
ability for individuals that are out there, day in and day out,
that are having to deal with the threat, knowing what is going
on.
We have done a good job since 9/11 in general of breaking
down barriers among federal agencies, but now this vertical
information sharing amongst governments and with the private
sector is just something that is lacking. So the clearance
issues, the opportunity to do tear lines so that the
information can be shared out there is really important. Where
are we in breaking down some of those barriers? We have to
protect, obviously, information, but there are ways to do this
by reading in more people with clearances and using tear lines.
Ms. Evans. Well, the clearance process, as you know, is an
amorphous process that everyone participates in but I would say
that the intelligence community is very forward leaning because
the worldwide threat assessment document that was just released
on January 29th really clearly outlines what the current state
of affairs is. And that's an open-sourced document that
everyone can read.
Now what we have done from our perspective is those with
clearances, we're giving them more specific information
associated with that. But I don't know how much clearer you can
be if you don't read that document about what the threats are,
the sense of urgency, what our adversaries, our nation-states
are capable of doing and what we need to do as a nation in
order to be able to secure the energy infrastructure.
Senator McSally. Great.
I am out of time, but I think I am also talking about
specific threats as they are arising. I realize we have to
protect sources and methods but then getting that information
out quickly.
Thank you.
Thank you, Madam Chair.
The Chairman. Senator McSally, I appreciate you raising the
issue of security clearances because we have heard that time
and time and time again. I understand that it is still an issue
even though we addressed it through the FAST Act but we
continue to have holdups through the FBI.
Those who need it----
Senator King. Madam Chair, last time we checked in the
Intelligence Committee, there was a backlog of something like
750,000 security clearances.
The Chairman. Yes.
Senator King. It is a huge problem.
The Chairman. Yes.
You say you are working to get the clearances, but you
still have folks on hold. So you cannot get the information
that you need to share because you do not have the clearances.
Mr. Whitehead. Just a point of clarification, and I'm sure
our company is not unique, but at SEL we have folks with
clearances, including myself up to the TS/SCI level so we can
sit in classified briefings and get to understand the details
of what those threats might be.
The Chairman. I should hear from our folks. You speak about
the rural application and there is a need to know here.
Senator Heinrich, you are probably going to carry on this
conversation, so it is your turn.
Senator Heinrich. I will do my best, and thank you for
having this hearing.
I continue to hear from utilities that it is a real
challenge, the backlog, and that it is a huge bottleneck. In
fact, we heard from a former member last year, if you remember,
who used to be on the House Intelligence Committee, that he
could not get his clearance. If he can't get his clearance,
then who can?
Let me switch gears here and, Mr. Robb, you mentioned spear
phishing. I agree that is an incredibly important point of
entry that we need to do a better job on, and it is a hard one
because it is human-based.
Secretary Evans mentioned separating IT systems and OT
systems. When I think about this--and I grew up in a utility
family, my dad was a lineman then he went on to manage both gas
and electric distribution systems--there is a bias in utilities
and it is, oftentimes, a very positive bias toward reliability.
But sometimes that can manifest itself in ways that do not help
us update systems.
Specifically, I think about SCADA systems and I think about
programmable logic controllers. I think about the openings
there with regard to being able to control those systems using
radio communication due to the fact that they are hard to air
gap, especially the older ones. And I worry that we are not
moving fast enough, especially in a world where it is often
viewed that if it works, just leave it alone. Sometimes that
causes utilities, or the person whose job it is to actually
update the software or change out an outdated component, to not
do that. And so, those challenges continue to exist well beyond
their normal life span.
Are we doing enough in terms of securing and updating those
kinds of components across the entirety of the utility system,
Mr. Robb?
Mr. Robb. Yes, so a couple comments to your point directly.
The CIP standards do require critical systems to be patched
and to be kept up to date with the latest releases.
You're right that it is a challenge in many cases to
reconfigure systems without studying all the derivative
ramifications of those. It's a very complex machine but the
standards do require ongoing patching and modernization.
Senator Heinrich. Do we spot check or have any way to just
make sure that it is actually happening?
Mr. Robb. Subject to spot check and thorough audit.
Senator Heinrich. Great.
Mr. Robb. Routinely.
One other point I wanted to make, if I could, just a
second.
Senator Heinrich. Sure.
Mr. Robb. The Senator's question from Arizona because it's
applicable here.
The CRISP program insights are not confined to just the
CRISP participants. When we work through the insights that come
out of that program, although they originated from a handful of
utilities, they're disseminated broadly across the----
Senator Heinrich. So, rural electric co-ops, for example.
Mr. Robb. So, the rural electric companies, the
municipalities and so forth are the beneficiaries of that
information.
I am sorry.
Senator Heinrich. No.
Chairman Chatterjee, I wanted to ask you, is TSA the right
place--and I appreciate that they are putting more focus on
this and they seem to have a pretty big job at the airports, I
have noticed--is it the right place for that to live?
Mr. Chatterjee. When I recently raised this issue, that was
the question that I asked. Is the entity responsible for
aviation, for railroads, for highways, you know, also
responsible for this, particularly when reports indicated that
they had as few as, I think, four or six people responsible for
overseeing this really critical task?
I've been impressed with how they've responded to the call
for action but the GAO report clearly showed that there was
much more work to do and, I think, particularly stressed having
the expertise and the resources in place. I think FERC is
making a commitment through our Office of Energy Infrastructure
Security to work with TSA to provide that expertise.
Senator Heinrich. Sure.
Mr. Chatterjee. My final point I want to make because it
addressed a point Senator King was pressing me on as well, and
I just wanted to be clear on this. The authority to impose
mandatory standards does currently lie with TSA, and it would
take Congress to make that change. I just want to be clear, I
wasn't dodging the question but----
Senator Heinrich. I think we should all be thinking about
that question, where the right place is to do this and making
sure it is adequately resourced.
Before I let you go, Chairman, I want to get your update on
FERC Order 841. What kind of a timeline are we looking at?
Mr. Chatterjee. So we've heard from a number of
stakeholders that they're waiting for our action on rehearing.
We had a comment or a deadline for filings of December the 3rd.
These are very, very complex issues. We understand that people
want that clarity going forward. My colleagues and I are
committed to doing it right and we understand the agita and the
desire to get it done. Better to do it right than rushed, but
we're working diligently.
Senator Heinrich. I agree. We do need to get this right,
but it is also a pretty urgent matter. It certainly opens up an
enormous amount of economic activity and a resiliency that we
need to be supportive of.
I would just, once again, emphasize what an urgently
important order that is.
Mr. Chatterjee. Yes, sir.
Senator Heinrich. Thank you, Chairman.
The Chairman. Thank you, Senator Heinrich.
Senator Hyde-Smith.
Senator Hyde-Smith. Thank you, Madam Chairman, and thank
you so much to the panel and the experts that we have here that
is so helpful to this Committee.
I do have a question, Ms. Evans, kind of continuing on the
conversation.
We all understand the nature of the infrastructure in the
energy sector, and it makes it extremely difficult to deploy
cybersecurity protocols that fit every single niche, but are
the checklist standards that are applied so broadly to
cybersecurity in the energy sector enough to ensure security in
mainstream and custom energy applications? And if so, what are
the proactive security approaches that are being taken to
require more thorough testing in research by qualified agencies
or institutions to improve that cybersecurity in the energy
section?
Ms. Evans. Well, I believe based on what my colleagues have
talked about here is, is that when we look at what standards
are that they are the floor and that that would be the minimum
of what you have to do.
If you take a risk-based approach, and you're really
looking at what are the consequences for the activities that
you have, you'll get to either complying with the checklist or
complying with the standard, really understanding what your
environment is.
We have cybersecurity research and development which is
cybersecurity for energy delivery systems which is our research
and development group which is underneath us which is actually
taking that question but also leaping ahead and saying how do
we skate to the puck, not necessarily think about where we are
today but where we want to be in the future.
And then, how do we then test supply chain risk management?
How do we then embrace these types of things that have been
highlighted today by the members dealing with cars that have
computers in them so that you can go and do a lot of different
things with your cars, but that's another attack vector.
So I think a lot of the things that we've been talking
about in the sense of urgency is how do you raise the cost to
our adversaries? Anyone who is in this space, using any type,
to your point, there's not going to be a silver bullet here.
There's going to be multiple ways but what we really have to do
is raise the cost of what everybody is doing because it's too
easy for our adversaries to exploit several things.
We've talked briefly about phishing, but that's really a
cheap way to get in. That is what our research and development
is doing. Then, as the results of that, where we partner with
industry, people that are participating in this sector, how do
we then share the information out to the right stakeholders
because this is all owned by private sector.
The government doesn't own this infrastructure. What we
have to do from a national security perspective is share the
information so that it can facilitate whether there needs to be
a regulation or whether there needs to be a resiliency
standard. But they need to benefit from the research and
development that the Department is doing.
Senator Hyde-Smith. Absolutely.
And one other question, if I may, Madam Chairman?
How would you decide what types of non-federal
infrastructure should be defined as critical for these
purposes?
Ms. Evans. This is a specific thing that we really are
looking at and researching now, to your point.
What we are looking at is through our program called Citrix
which is really dealing with supply chain risk management. And
this is something that I'm sure my colleague from SEL would
also talk about is where has industry gone because you want to
stimulate a market economy, right? And you want to have
competition and you want to be able to have all those things.
So where is the greatest bang for the buck to be able to
address what we have today? Where are people investing? But
then, how do we then take the information and this is again
what we're going to do for the manufacturing institute, is take
the knowledge that we get from our labs where they are doing
incredible work, and then being able to transfer that out into
industry so that industry can incorporate it into their product
road maps.
So we do work very closely with the Office of Technology
Transfer within the Department so that we can take these things
that we are learning here and what is the best way to transfer
it back out into the industry so that as people are entering
into the energy sector, we know that they are incorporating
these types of things so that as our industry partners are
buying solutions, they could then say, okay, these things have
gone through these types of analysis. If I buy this over this,
I'm reducing the risk in my enterprise. That--we are
accelerating that and working through that with the national
labs to get it out to the industry.
Senator Hyde-Smith. Based on the critical areas?
Ms. Evans. In multiple areas because there's current ones
that they have to comply with.
So, for example, we're working with Pacific Northwest Lab
on a risk-based model because one question that always gets
asked by industry is for every dollar I invest, how much risk
am I going to reduce?
They have to comply with the CIP standards. So, the risk
model is saying, okay, let's look at these attack trees
associated with the CIP standards. We should be able to answer
that question so that a CEO of a board or a utility or a
municipality can say if I do this investment, this is how I can
reduce risk.
The national labs have a lot of modeling that's going on,
and what I'm trying to do is take that knowledge that they have
and use it in a way that the energy sector then has the tools
that they need to make those decisions. So that's where we
started.
Senator Hyde-Smith. Great. Thank you so much.
Thank you, Madam Chairman.
The Chairman. Thank you.
Senator Cantwell.
Senator Cantwell. Thank you, Madam Chair and Ranking Member
Manchin. This has been a great hearing so far. I thought I was
just going to come down and say the words, Chairman Chatterjee,
and get a little focus there on your new leadership. But, good
to see you.
Our colleagues have just been so excellent on illuminating
this problem. I could not be more supportive of the concept. I
think that we need to do something very, very aggressive here.
It is good to see that, from various aspects, people understand
that.
Just for clarification, our National Guard is doing red
teaming in the State of Washington on utilities. So, it does
exist somewhere in this.
But I wanted to get to this question about regulation
versus innovation and get your thoughts, Mr. Whitehead. I
understand my colleague, Senator Risch, was here earlier
claiming that the CEO of your company was a genius and that
definitely puts you into a high atmosphere of challenges.
But you understand how important it is, and you mentioned
your security clearance. How can we work with everybody here to
create that system so that we are not just making up a bunch of
things that we want all the utilities to do, and then five
months from now, we see a new threat and they are doing this
little list that we asked them to do and now there is a new
list?
The changing nature of the attacks is really the game,
right? It is like the path of least resistance. They are just
going to start and as we keep advancing, they are just going to
continue.
How do we get this system in place where we are getting the
data and information shared and seeing real-time effects of
these attacks? Because I feel like that is what everybody on
this Committee wants. I think that is why you are hearing the
urgency from everybody and now the opportunity is here. How do
we really define how to get that communication system?
Mr. Whitehead. Well, thank you, Senator, for the question.
I think there are two parts. There was the innovation versus
regulation, and from my perspective as a supplier of equipment
for the critical infrastructure, there's a lot of reporting
up that happens to various agencies, but what we don't see then
is a lot of reporting back down to us. So, there seems to be a
diode or a one-way communication.
I think working with Mr. Robb and other folks, we had a
great conversation at breakfast this morning is how do we
integrate what we're doing, as a supplier we're not, you know,
part of the members of the various information sharing
committees. How do we get on to those committees?
I don't think it's hard. And I think we're at a point in
the evolution of these information sharing committees where we,
as suppliers, critical suppliers, certainly to the U.S.
infrastructure, that we have a seat at the table for being able
to share that information.
I'd make an argument and I've joked with our folks is I'll
stand up a team that's ready to talk, have a phone call at
eight o'clock every single morning, 7 days a week, 365 days a
year, even if it's a 15 minute phone call that says, hey
there's nothing going on or vice versa, hey, you know, asset
owners and suppliers of equipment, this is what you should be
looking out for today.
You know, it doesn't have to be a long conversation. I
mean, that's one idea that I thought of. I don't think it takes
a lot of effort. Certainly, you need to--how you classify your
information and who can be on those phone calls. I'm sure
there's words or ways to work out those particular scenarios.
But I think it's setting up organizations that can be very
quick, very nimble disseminating information. And it can be
both ways. I could get on that phone call and say, hey you know
what? I had a customer call me up. They saw this weird thing
and that could be reported up and shared amongst the community
at that level.
Senator Cantwell. What level of security clearance do you
think that is?
Mr. Whitehead. I think it can be all the way from
unclassified where it's just hey, look out for this kind of
data packet coming where you don't have to attribute to sources
or methods of how that came out, just be looking for this kind
of traffic, all the way to if you're in this particular area
and based on, you know, sources and methods. Maybe some people
do need to know that level. But I think it can go scale from
all different levels of classification.
Senator Cantwell. Assistant Secretary Evans or Chairman
Chatterjee, what about this other way of looking at this, which
is: do we have anything where we are assessing the technology
as it exists and focusing more on creating a security standard
that we think should be deployed?
For example, I am a big fan of Schweitzer Electronics
because they are doing a lot of great work in this area and, I
believe, are on some cutting-edge technology. But let's say
it's somebody else, some other company, do we have any
operation within the Federal Government now, either from the
Department or from FERC's perspective, that says we highly
recommend the deployment of this technology?
It is almost like the constant hygiene aspect of this
problem. And is there a function within our government where we
are making the recommendations that these things be deployed
more rapidly or is somebody just making the judgment call that
this is where we need to be?
Ms. Evans. So, the heart of the issue of what you're
talking about is the innovation while you're maintaining the
existing environment. And so, yes, that environment exists. And
we've talked about it briefly, but it is with the Electricity
Subsector Coordinating Council, the Government Coordinating
Council which is all of the whole of government approach as
well as the Oil and Natural Gas Subsector Coordinating Council.
So we specifically, as the Department of Energy, my
research and development program underneath me looks into the
future, like evaluating equipment. That's what we're doing from
a supply chain risk management.
The Department itself, our OCIO function looks at this as
well because we have the PMAs also in there.
When we take a risk-based approach as a Department based
on, for example, we had to do Kaspersky but there are other
things that we know based on the current environment and the IT
world. We share that out with the sector and say, look, the
Department has taken this approach based on these types of
things. We do it at a classified level. We also attempt to do
it at an unclassified level.
I will share one thing that, maybe, the Committee would
want to think about going forward. As we have shared what the
Department is doing, one of the issues that has been raised by
the sector as a whole is that, as they look to take an action
as a collective against this--say, for example, if they did not
do something with a specific company that is in this sector--
one of the issues they have raised is the potential of an
anti-trust type of issue that would come against the sector as
a whole because they were taking a risk-based approach.
Senator Cantwell. This is why I am interested in whether we
have the function within the Federal Government because look,
we all travel, and guess what we do if we are going to travel
somewhere? We look online and say, well, what are the threat
assessments of traveling to that region of the world--and it is
posted there.
So what I am interested in is the issue about the
regulatory side taking a long time, and the challenge here is
that it is constant and evolving.
What we want though is some part of the Federal Government
that says, oh, yes, these software-defined network (SDN)
solutions should be deployed. We are not even saying whose,
just that these are five solutions we think all utilities
should be deploying if they want the hygiene of their networks
to be state-of-the-art or--
Again, I know that gets a little tricky, but at the same
time, I just feel like this is what we are trying to do in the
State of Washington. We are trying to use the National Guard
and a coalition of people to define what the state-of-the-art
hygiene is to make people's systems secure.
I would just think if we are going to stay out of whatever
we think is the--I am where my colleague from Maine is and that
is that with the evidence as clear as it is, we need to do a
lot more.
But one thing we need to do a lot more on is to start
having the Federal Government define what is the
state-of-the-art technology that they think utilities should be
deploying, even if it is a recommendation and not mandated.
Ms. Evans. Absolutely.
Senator Cantwell. But I think we are over here researching
and exploring and I just feel like we should be upgrading the
checklist of things that people should be doing at least every
six months.
Ms. Evans. I would say that we, that the Department and the
Secretary's viewpoint is in line with what you are suggesting,
that is what we view for the long-term play with the Advanced
Manufacturing Institute.
But in the short run of what we are doing is how my office
is going to do that evaluation, work through the programs that
we have and the intent is for us to publicize from a voluntary
perspective, looking at everything that has been envisioned up
on this Hill is if you voluntarily participate over here and we
have NIST and we have all these other things, here is the
information about these programs. Here are things of how you
can make an informed decision. That information would feed into
this. We are specifically looking at these are the specific
systems and components that are built into the current
infrastructure.
The other effort that the Department is doing is through
the Grid Modernization Initiative and the GMLC, which is Grid
Modernization Lab Consortium, because a lot of the information
that you're talking about, they develop. Then how do I then
transfer that out and say these are the best practices? This is
how you can do it. This is how you can leap ahead.
We just had a briefing yesterday on an initiative that has
been three years in the making that is really going to help
leap ahead the industry as a whole. And now we're figuring out
what's the best way to get it out into industry so that the
E-ISACs and the industry as a whole can use it.
Senator Cantwell. Alright.
Madam Chair, I know my time is expired.
The Chairman. Thank you, Senator Cantwell. You have always
pushed the Committee to focus on these cyber issues and your
leadership on this is greatly appreciated. Thank you.
Senator Hoeven.
Senator Hoeven. Thank you, Madam Chairman.
Mr. Robb, how do you answer the question when somebody
says, is our energy infrastructure, is our grid, safe and
secure from cyberattacks? How do you know? Are we safe? How do
you know?
Mr. Robb. Senator, it is the issue that keeps us all up at
night. And what I can represent very confidently is that the
industry takes this threat very, very seriously. We have,
through the mandatory cyber critical infrastructure protection
standards, we've a very strong foundation of defense in the
grid. We can always do better on the information sharing and
analysis of emerging attack vectors and so forth to build real-
time situational awareness and defense of specific threats, but
the foundational security of the grid in this country is very,
very strong.
Senator Hoeven. How do you know?
Mr. Robb. Because we have mandatory standards in place. We
audit the utilities against those standards and they're subject
to a financial penalty if they are found in violation of those
standards.
Senator Hoeven. How do you make sure on the one hand you
are integrated, but on the other hand if there is a problem
somewhere it does not invade the whole system?
Mr. Robb. One of the great design features of the North
American Electric Grid is that it's sectionalized in many ways
and the whole purpose of the standards is to ensure that if
something bad does happen to some part of the grid, that it's
contained and does not propagate across it. So that if an
incident did occur in New Jersey or something like that, it
stays there, right, as opposed to compromising the entire
system. That's the whole design principle of the reliability
standards we have.
Senator Hoeven. Do the participants in the grid, writ
large, have the ability both to participate but also to protect
themselves from a threat that might enter the system?
Mr. Robb. I'm sorry, I didn't catch the question, sir.
Senator Hoeven. For all the participants in the grid, do
they have both the ability to be integrated and operate
interoperably but also the ability to segregate themselves, if
necessary, in the case that there is some type of virus or
other threat or problem?
Mr. Robb. Yes, sir, they do.
Senator Hoeven. And you are able to check that and verify
it? We are not guessing like some of the financial hybrids
before the market meltdown?
Mr. Robb. No.
Senator Hoeven. All the regulators thought that, didn't
they? Remember, they all said all those financial hybrids, they
had risk management all squared away? But it didn't work. So
how do you know?
Mr. Robb. Well, there's always potential for a failure in
any complex system. What I can say is that the standards that
are in place with which industry must comply and again, subject
to audit and penalty if not, provide that base level of
security and support.
Senator Hoeven. And you feel the regulatory oversight and
the audits are sufficiently transparent, understandable and so
forth that it is verified, that we do have that security in
place and if there is a weakness it is identified in a timely
way?
Mr. Robb. I believe so, sir.
Senator Hoeven. Can be addressed?
Mr. Robb. Yes.
Senator Hoeven. Mr. Chatterjee, good to see you again.
Mr. Chatterjee. Good to see you, Senator.
Senator Hoeven. Based on your new role and your years of
experience here on the Hill, have you seen any legislation out
there that you think would be most helpful in this
cybersecurity area that we should be advancing or do you know
any concepts for legislation that you think we ought to be
advancing that could, that would help and be beneficial?
Mr. Chatterjee. I think, and I mentioned this earlier, you
know, the workforce issues are critical. Finding cyber
expertise, dealing with information sharing is essential to
this and identifying that workforce, all of us making this
societal investment and making sure people are educated.
There's been a lot of talk about cyber hygiene and the
vulnerabilities within organizations tend to be driven by human
beings in this space, and we saw some of the supply chain
issues that arose as a result of that.
And so, I think anything we can do to get expertise on this
area throughout the country, throughout stakeholders in
industry, and I understand there's a bill regarding a federal
rotational cyber workforce program, introduced by the Senator
from North Dakota. I'm certainly supportive of that concept,
because it is hard to find and train good employees.
Senator Hoeven. You have not lost your touch.
[Laughter.]
You are a good man.
And certainly, getting our noms through and getting
positions filled would be helpful too, wouldn't it?
Mr. Chatterjee. Yes, sir.
Senator Hoeven. That would be beneficial, right?
Secretary Evans, being a northern border state, obviously,
we work with Canadians all the time. We love them. Greatest
ally ever. How do we make sure that we are managing the cyber
risks and threats across border in a good, solid, integrated
way?
Ms. Evans. Sir, we do work in partnership with NERC. I'm so
glad we can say NERC, instead of saying the whole name. And so,
we do work in partnership with them. I know the Canadians
actively participate in that.
The Office of Electricity also is working on what the, I
want to make sure I get the NAERM right, which is North
American Energy Resiliency Model, of how that is all going to
play across the board.
Senator Hoeven. Yes.
Ms. Evans. That does involve our Canadian partners in that
as well.
Again, it's making sure that we can share the information
with them. They are our allies. We need to make sure that we
can share the information and that we understand the shared
risk.
I would also go back to some of your questions about how do
we know?
The reason why we do the exercises and, again, all of us
have talked about the exercises, is because we think we have
the best plans in place until we have to actually exercise
them.
Senator Hoeven. Right.
Ms. Evans. And so, the exercises really point out if we
have any weaknesses so that we can identify that that's why our
partners here talk about several of the exercises that we
participate in so that we can highlight that because we don't
want to get into that situation of now we're in a crisis and we
find out we don't have the best plan.
Senator Hoeven. Is there any legislation vis-a-vis Canada
that you have seen that is helpful or that is on your screen?
Ms. Evans. I believe the way that the Hill is looking at
this in multiple different ways. There are things that you are
talking about from the workforce perspective that is very
helpful. That's been outlined already by Chairman Chatterjee.
The things in supply chain risk management and how you're
looking at that and giving us the longer-term view of how we
need to put those programs in place would allow for us to do
that.
And I think the industry--and I would share this with my
colleagues if they have any insight into that--but what I hear
often is that they want to make sure the bidirectional sharing
happens, but they are concerned, as they continue to move through
this and we get into very interactive information sharing, that
the proper protections are in place as they take actions as a
collective.
Senator Hoeven. Thank you.
The only other thing I would offer is Major Keber, thanks
for your service. We appreciate it.
Thank you, Madam Chairman.
The Chairman. Thank you, Senator Hoeven.
Just a couple quick things. I know we are wrapping up. I
know that Senator King wanted to add on.
I wanted to just go a little bit further. Senator Cantwell
raised the same issue that I had raised initially with you, Mr.
Whitehead, in terms of innovation versus regulation and the
inherent conflict there.
We have had a lot of discussion about the mandatory
standards we have in the electric sector. We are the only ones
here that have mandatory and enforceable cyber standards, and
we know what the violations can lead to.
We had a witness here before the Committee last year, a
gentleman by the name of Rob Lee of Dragos. He was a hands-on
cyber expert. He suggested to us that utilities are perhaps
overly focused on the legal aspects of compliance and sometimes
these mandatory NERC standards that basically cause you to
check the box to make sure that you are meeting the standard,
that is, focus on compliance rather than the creativity, the
innovation that we need in order to do all this. We are going
to use our limited bandwidth because we have talked about the
fact that we do not have enough people in this area that are
the smart, forward-thinking, leaning-in brains to make this
happen. So we set our resources to just the compliance side. He
actually suggested a three-year cooling off period to let the
utilities focus on cyber threats instead of, he called, the
cyber lawyers.
Comment on that, if you will, Mr. Robb and Mr. Whitehead.
Mr. Robb. Sure.
So, I hear that a lot. I'm not sure I believe it. For the
most part the standards that we have in place for cybersecurity
don't require any unnatural acts. They really codify what good
utility practice is in these spaces.
And I think the fact of the matter in the conversations
that I always have with the CEOs, and I believe that the CEOs
of organizations get this, that a secure operation is going to
be compliant with the standards that we have in place. It's not
really an either/or. It's a yes/and.
Again, when I look at the number of violations that we have
of CIP standards and the root causes, they typically result,
the root causes are typically on things like management culture
and so on and so forth. So that, there's really a lot that the
CEOs can do to drive a secure and compliant organization. They
work hand in glove. It's not a tradeoff that someone has to do
x or y. And if that tradeoff is ever presented, our advice to
the entities is always do what you need to do to be secure, and
we'll deal with the compliance aspects later. And if there's
something silly in the compliance world, we'll deal with that
in an appropriate way.
The Chairman. Mr. Whitehead.
Mr. Whitehead. Yeah, I'll have a little fun with Mr. Robb
for just a second as I think you can----
[Laughter.]
----it's okay--I think you can be compliant but not
necessarily secure, right?
The Chairman. Right. My point.
Mr. Whitehead. People can check all the boxes and you could
still have a challenge or an issue.
So you always have to be careful. I think that's what, I
know Rob pretty well, Rob Lee. I think that's what he was
really alluding to is that what you want to make sure is that
you're not stifling creativity or taking the responsibility out
of somebody really thinking about what they're doing, right?
Just filling in checkboxes is not going to make you secure,
maybe it makes you compliant, but it's not going to make you
secure. So requiring people or certainly giving them the
ability to think about how their particular situation, their
particular networks, their particular critical infrastructure
is designed and operating and then how security overlays on top
of that, I think, is the critical aspect to keeping our assets
all secure. I think that's it.
And Senator Cantwell, thank you for SDN. One word of
caution, SDN is a great technology. We've got solutions for it.
What I like the idea of is that hey, the government is saying
this is a great technology, Mr. Utility, you should look at
this. What I would hate though is to say, Mr. Utility, you have
to deploy this technology because I've got 800 engineers back
in Pullman coming up with the next greatest thing and I would
hate to say, you know what, everybody has to focus on SDN when
we've just come up with a great new solution for protecting our
critical infrastructure.
The Chairman. Thank you for that.
Senator King, you wanted to jump in?
Senator King. Please.
Chairman Chatterjee, I know it just slipped your mind. You
wanted to mention to Senator Hoeven S. 174, the Risch-King
bill, as an important step in the right direction. Would you
say yes to that?
Mr. Chatterjee. I would absolutely say that additional R&D
about possible defenses is always helpful, and I very much
encourage those efforts.
Senator King. Thank you. I appreciate that.
Madam Chair, I just wanted to make a final point on this
issue.
All we have been talking about today is protecting
ourselves, patches, standards, hygiene, all of those kinds of
things. The missing part of this discussion, and it is true
governmentwide, is deterrence. Our adversaries who are
attacking us in this way, thus far anyway, have not felt that
there was a price to be paid for those attacks, that we were a
cheap date.
That part of what we have to develop and this is going on
in a number of different forums over the next year or so and
indeed the Administration has produced some good work on this,
but we need to be talking about how we make, how we change the
calculus for our adversaries when they decide to venture into
our electric grid or our gas pipelines, that there will be a
price to be paid? It may be cyber. It may be sanctions. It may
be other kinds of responses. But thus far, there has not been a
doctrine or a strategy in this country that deters these kinds
of attacks as there is in other areas of our national security.
So I would just point out that we will never be able to
patch our way out of this threat. We would be like a boxer who
was really skilled at ducking and bobbing and weaving, but if
you can never punch back, you are not going to win the fight.
I just want to mention that as a larger background issue
that is involved in this question, whether it is this kind of
cyberattack, a cyberattack on our election system, or any other
intrusion of that kind, our adversaries have to begin to
realize that there will be a cost to them for attacking this
country in this way. Until they do so, they are going to
continue to do it, as they have over recent years.
Thank you.
The Chairman. I certainly concur it is an important part of
it, and I think we want to be in the position that we are not
reactive in this deterrent aspect, that we have made quite
clear from a proactive perspective that there are consequences.
Senator Cantwell.
Senator Cantwell. Yes, Madam Chair, if I could just
quickly.
I don't know if we have put our finger on it this morning
yet but I do think, to Mr. Whitehead's point, yes, we want to
keep innovating. That is the challenge. We want to keep
innovating.
I do not even know if there is a private sector Good
Housekeeping seal that somebody is putting on for utilities. I
think that is the key, right, is that and, at least as it
relates to the FERC role and the agency roles, is are there
entities out there that are doing their job and doing their
best?
At the same time, as you said, you are going to develop,
your engineers are going to--first of all, the threat is to
keep up on them.
So I certainly agree with you, Senator King, that there is
a lot that we should be doing on an international basis to
basically stop the arms race that is happening on cyberattacks.
And we should be joining other nations in promulgating--we
should be spending as much time on this as we are on this
discussion because if we were, I guarantee you, we would get
someplace.
This security is critical, and we have to get other nations
to say that you do not tolerate these kinds of actions by
governments and you basically are going to stop people from
engaging them.
But anyway, back to this. I just think we need more
discussion about, Madam Chair, what kind of rapid response
system can we establish, and how do we know when we get to a
point where we really think people should deploy something we
think is viable--without representing a software state--is an
ongoing discussion.
I think from the consumer perspective they are like, oh,
another upgrade, and I am supposed to do that? Yet, every
upgrade really does get us a greater layer of security. That is
what each system does. Not that it does not have problems with
it, it too has bugs. I just think we need to keep talking about
how we establish this communication back to the government
about what we should be deploying. I think it is tricky and
hard, but I don't think it is impossible.
I think having all that information flow on a constant
basis would be very helpful to making us more--again, a few
bobs and weaves would not hurt us right now while we are
getting this larger thing in place.
Thank you.
The Chairman. Thank you, colleagues, and thank you to the
members of the panel. I think it has been a very interesting
discussion, a very important discussion.
But I do harken back to Senator McSally's comments that she
could close her eyes and this could have been the same
conversation 19 years ago. We do not want to be sitting here or
have those who follow us 19 years from now be sitting here
asking ``what were they doing in 2019 here?''
There is a heightened sense of urgency for action. It has
to be coordinated. We have to recognize that here in Congress
we have jurisdictional issues that we wrestle with. We have to
figure out those issues just as it needs to be figured out in
our agencies and in the private sector. There is simply too
much on the line.
We appreciate all the engagement. We look forward to FERC's
technical conference and the continued, very important
dialogue.
With that, the Committee stands adjourned.
[Whereupon, at 12:08 p.m. the hearing was adjourned.]
APPENDIX MATERIAL SUBMITTED
----------