b"<html>\n<title> - FEDERAL AND INDUSTRY EFFORTS TO IMPROVE CYBERSECURITY FOR THE ENERGY SECTOR, INCLUDING HOW TO IMPROVE COLLABORATION ON VARIOUS CYBERSECURITY AND CRITICAL INFRASTRUCTURE PROTECTION INITIATIVES</title>\n<body><pre>[Senate Hearing 116-378]\n[From the U.S. Government Publishing Office]\n\n\n                                                       S. Hrg. 116-378\n\n                  FEDERAL AND INDUSTRY EFFORTS TO IMPROVE \n                    CYBERSECURITY FOR THE ENERGY SECTOR,\n                  INCLUDING HOW TO IMPROVE COLLABORATION \n                    ON VARIOUS CYBERSECURITY AND CRITICAL\n                   INFRASTRUCTURE PROTECTION INITIATIVES\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                              COMMITTEE ON\n                      ENERGY AND NATURAL RESOURCES\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             AUGUST 5, 2020\n\n                               __________\n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n                       Printed for the use of the\n               Committee on Energy and Natural Resources\n\n        Available via the World Wide Web: http://www.govinfo.gov       \n        \n                               __________\n                               \n\n                    U.S. 
GOVERNMENT PUBLISHING OFFICE                    \n41-402                      WASHINGTON : 2021                     \n          \n--------------------------------------------------------------------------------------\n        \n        \n        \n        \n               COMMITTEE ON ENERGY AND NATURAL RESOURCES\n\n                    LISA MURKOWSKI, Alaska, Chairman\nJOHN BARRASSO, Wyoming               JOE MANCHIN III, West Virginia\nJAMES E. RISCH, Idaho                RON WYDEN, Oregon\nMIKE LEE, Utah                       MARIA CANTWELL, Washington\nSTEVE DAINES, Montana                BERNARD SANDERS, Vermont\nBILL CASSIDY, Louisiana              DEBBIE STABENOW, Michigan\nCORY GARDNER, Colorado               MARTIN HEINRICH, New Mexico\nCINDY HYDE-SMITH, Mississippi        MAZIE K. HIRONO, Hawaii\nMARTHA McSALLY, Arizona              ANGUS S. KING, JR., Maine\nLAMAR ALEXANDER, Tennessee           CATHERINE CORTEZ MASTO, Nevada\nJOHN HOEVEN, North Dakota\n\n                      Brian Hughes, Staff Director\n                      Lucy Murfitt, Chief Counsel\n                Jake McCurdy, Professional Staff Member\n                    Robert Ivanauskas, FERC Detailee\n                 Renae Black, Democratic Staff Director\n                Sam E. Fowler, Democratic Chief Counsel\n           Nicole Buell, Democratic Professional Staff Member\n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n\n                           OPENING STATEMENTS\n\n                                                                   Page\nMurkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska....     1\nManchin III, Hon. Joe, Ranking Member and a U.S. Senator from \n  West Virginia..................................................     3\nKing, Jr., Hon. Angus S., a U.S. Senator from Maine..............     
4\n\n                               WITNESSES\n\nGates, Alexander, Senior Advisor, Office of Policy for \n  Cybersecurity, Energy Security, and Emergency Response, U.S. \n  Department of Energy...........................................     6\nMcClelland, Joseph, Director, Office of Energy Infrastructure \n  Security, Federal Energy Regulatory Commission.................    14\nConner, Steven C., President, Siemens Energy, Inc................    20\nO'Brien, Thomas, Senior Vice President and Chief Information \n  Officer, PJM Interconnection, L.L.C............................    28\n\n          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED\n\nConner, Steven C.:\n    Opening Statement............................................    20\n    Written Testimony............................................    22\n    Responses to Questions for the Record........................    80\nGates, Alexander:\n    Opening Statement............................................     6\n    Written Testimony............................................     8\n    Responses to Questions for the Record........................    59\nKing, Jr., Hon. Angus S.:\n    Opening Statement............................................     4\nManchin III, Hon. Joe:\n    Opening Statement............................................     3\nMcClelland, Joseph:\n    Opening Statement............................................    14\n    Written Testimony............................................    16\n    Responses to Questions for the Record........................    75\nMurkowski, Hon. Lisa:\n    Opening Statement............................................     1\nO'Brien, Thomas:\n    Opening Statement............................................    28\n    Written Testimony............................................    30\n    Responses to Questions for the Record........................    
86\n\n \n FEDERAL AND INDUSTRY EFFORTS TO IMPROVE CYBERSECURITY FOR THE ENERGY \nSECTOR, INCLUDING HOW TO IMPROVE COLLABORATION ON VARIOUS CYBERSECURITY \n           AND CRITICAL INFRASTRUCTURE PROTECTION INITIATIVES\n\n                              ----------                              \n\n\n                       WEDNESDAY, AUGUST 5, 2020\n\n                                       U.S. Senate,\n                 Committee on Energy and Natural Resources,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:07 a.m. in \nRoom SD-366, Dirksen Senate Office Building, Hon. Lisa \nMurkowski, Chairman of the Committee, presiding.\n\n           OPENING STATEMENT OF HON. LISA MURKOWSKI, \n                    U.S. SENATOR FROM ALASKA\n\n    The Chairman. Good morning, everyone. The Committee will \ncome to order. We are here this morning to examine federal and \nindustry efforts to improve the cybersecurity of the energy \nsector, including efforts to improve collaboration on various \ncybersecurity and critical infrastructure protection \ninitiatives. It has been more than a year since we last held a \nhearing on cybersecurity for the energy sector, but I think it \nis fair to say that this is always a timely topic. It is also a \ncritical priority that we cannot lose sight of, even as we \ngrapple with COVID-19, lest it become the source of our next \nnational crisis.\n    There have been a few noteworthy developments since our \nlast hearing. Earlier this year, the President issued an \nExecutive Order focused on securing the bulk power system from \nboth cyber and physical threats posed by hostile nation-state \nactors. This is an effort that will be led by the Department of \nEnergy (DOE). 
Meanwhile, the Federal Energy Regulatory \nCommission (FERC) has published a paper detailing a potential \nstructure for providing incentives to utilities to make \ncybersecurity investments following up on a technical \nconference examining the same issue in 2019. I am pleased this \nmorning to be able to welcome our witnesses from DOE and the \nFERC and to look forward to hearing the latest from them. I \nalso welcome the witnesses representing industry which will \nplay an equally significant role in how these initiatives \nunfold.\n    The threat of cyberattacks by foreign adversaries and other \nsophisticated entities is real, and it is growing. As I \nmentioned on the Senate Floor earlier this week when we \nconfirmed Mark Menezes, cyberattacks are near constant and only \ngrowing more sophisticated. According to the latest worldwide \nthreat assessment from the Office of the Director of National \nIntelligence, China, Russia and other foreign adversaries are \nusing cyber operations to target our military and our critical \ninfrastructure. Those near-peer adversaries already have the \ncapability to launch cyberattacks against our electric and gas \ninfrastructure. The COVID-19 pandemic has created a unique \nopportunity for cyber criminals to attack our networks, \nincluding critical energy infrastructure. The Department of \nJustice (DOJ) recently issued a press release announcing the \nindictment of two individuals backed by the Chinese Ministry of \nState Security. DOJ noted these two individuals not only \ntargeted portions of our energy sector, including DOE's Hanford \nsite, but also entities conducting research on a Coronavirus \nvaccine. We cannot allow hostile foreign nations to disrupt our \nway of life.\n    Energy is the lifeline for all critical infrastructure \nsectors, and protecting our critical infrastructure is the \nfirst step in ensuring its continuity. 
Unfortunately, we have \nalready seen the real-world ramifications of cyberattacks on \nthe energy infrastructure, and this is most vividly seen in \nRussia's attacks on Ukraine. In December 2015, Russian hackers \ncut off power to nearly a quarter million people in Ukraine in \nan attempt to disrupt and intimidate. In the summer of 2017, \nRussian hackers infiltrated the industrial control system of a \nSaudi Arabian petrochemical plant and disabled the plant's \nsafety systems. More recently, an advanced Russian government-\nbacked hacking group is alleged to have probed a U.S. energy \nentity's network, according to a release the DOE issued in \nJanuary. We all know the stakes here. A successful hack could \nshut down power impacting hospitals, banks, gas pumps, military \ninstallations and cell phone service. The consequences would be \nwidespread and devastating and only more so if we are in the \nmidst of a global pandemic.\n    The Federal Government and industry focus on cybersecurity \nis a major reason why the United States has not experienced an \nattack like Ukraine's. Protection of our critical assets is a \nshared responsibility demanding that federal, state and private \nsector partners work together to improve cyber defenses and \ncoordinate responses to cyberattacks. The FAST Act of 2015 \ncontained provisions authored by our Committee to codify the \nDepartment of Energy as the sector-specific agency for the \nenergy sector and to provide the Secretary with authority to \naddress grid-related emergencies. We also sought to facilitate \ngreater information sharing by protecting sensitive information \nfrom disclosure. Our American Energy Innovation Act also has \nnumerous sections to enhance government industry partnerships \nin this space and establishes programs to enhance the cyber \nposture of smaller utilities. 
Most recently, I introduced a new \nbill, the Energy Infrastructure Protection Act, to update \nprovisions in the Federal Power Act and restrict federal \ndisclosures of certain sensitive energy information. I know \nthat there are a few who may disagree with that approach, but \nthe alternative, disclosing and displaying our vulnerabilities \nfor our enemies, will hardly make us any safer.\n    I am pleased to welcome a distinguished panel of witnesses \nwho are truly at the front lines of the effort to protect our \nenergy infrastructure from cyber threats. I thank you again for \nbeing with us this morning.\n    I will now turn to my colleague and Ranking Member, Senator \nManchin, for his opening remarks.\n\n              STATEMENT OF HON. JOE MANCHIN III, \n                U.S. SENATOR FROM WEST VIRGINIA\n\n    Senator Manchin. Thank you, Chair Murkowski, for convening \nthis hearing today, and thank you to our witnesses for making \nyourselves available to join us and discuss efforts to improve \nthe cybersecurity of the electric sector. As a Ranking Member \nof both this Committee and the Senate Armed Services \nCybersecurity Committee, I am intensely focused on the security \nof our energy infrastructure. We just had a meeting yesterday \non that, and it was quite enlightening. And the importance of \nour discussion today against the backdrop of a global pandemic \nis not lost on any of us, I believe, in this room.\n    The COVID-19 crisis has made our nation, the world, acutely \naware of the consequences of being underprepared for a \ncatastrophic event. The pandemic has forced the energy industry \nto adapt to new challenges and vulnerabilities with more \nemployees working remotely. There are certainly lessons to be \nlearned from this moment in history about the need to invest in \nprotections to avoid, to mitigate and respond to events that \nchallenge our grid's resilience and thereby our national \nresilience. 
You all know well that threats to critical \ninfrastructure are serious and increasing daily. In recent \nmonths, federal officials have warned of rising cybersecurity \nthreats from China, and recent reports indicate Russia has \nshown renewed interest in targeting the U.S. power grid. Then \nlast month, a national security agency and the Cybersecurity \nand Infrastructure Security Agency (CISA) issued an alert \nurging critical infrastructure operators to take immediate \naction to secure their operation technology assets. Legacy grid \nsystems are/were not designed to defend themselves against \nmodern cyberattacks, and as they grow more and more connected \nto the internet, our electric systems grow more and more \nvulnerable. On top of that, IBM recently issued a report that \nshowed that the energy sector suffers particularly high costs \nfrom state-sponsored cyber threats. Compared with the previous \nyear, the costs of cyber breaches are up 14 percent because of \nthe increased number of attacks targeting power grid \ninfrastructure and the magnitude of the damage caused.\n    There is a lot of work being done across the sector to \naddress these cybersecurity challenges. I would like to \nhighlight the good work of my colleague, Senator King, who \nrecently co-chaired the Cyberspace Solarium Commission. This \nCommission issued a report this spring identifying a number of \nrecommendations to reduce the probability and impact of \ncyberattacks of critical infrastructure which he presented to \nthe Senate Armed Services Committee yesterday, and it was truly \nquite enlightening. 
Although the report is broad in scope, many \nof the Commission's recommendations affect the electric \nindustry, and I look forward to hearing about the impact to the \nelectric sector today.\n    A few months ago the President issued an Executive Order \ndirecting the Department of Energy to identify foreign-made \ngrid components that pose an unacceptable security risk to the \nU.S. power grid. While I support this action, I was concerned \nthat vendors and manufacturers of the grid equipment the order \ntargets were not being adequately consulted. Senator Risch and \nI sent a letter to the DOE about these concerns and are eager \nto see DOE utilizing the valuable knowledge and experience of \nmanufacturers as they implement this Executive Order. Having \nboth DOE and industry representatives here today, I look \nforward to hearing how these engagements are going. There are \ncertainly opportunities for Congress to facilitate action in \nthis space as well, and I am proud that the American Energy \nInnovation Act included several pieces of legislation that \nsupport investments in programs that are of vital importance to \nsecuring and protecting our critical energy infrastructure. The \nbill would strengthen public-private partnerships like those I \nknow our witnesses will discuss today and included my and \nSenator Murkowski's PROTECT Act which would establish \nincentives for electric utilities to invest in advanced \ncybersecurity technologies.\n    I am still committed to passing this comprehensive \nbipartisan energy package so that these important programs can \nbe put into action. We have lots to do to protect and secure \nour electric grid. I look forward to hearing from our agency \nand industry witnesses today and what efforts are working and \nwhat work still remains to be done.\n    Thank you, Madam Chairman.\n    The Chairman. Thank you, Senator Manchin, and you mentioned \nthe work of Senator King on the Cyberspace Solarium Commission. 
\nSenator King, as a member of the Committee, has asked for a \nbrief moment here to introduce just that and, as you have \nmentioned, he has had an opportunity before the Senate Armed \nServices. It is important to acknowledge that work.\n    Senator King, if you would like to make any brief comment \nabout that before we turn to our distinguished panel, you are \ncertainly welcome to proceed.\n\n             STATEMENT OF HON. ANGUS S. KING, JR., \n                    U.S. SENATOR FROM MAINE\n\n    Senator King. Absolutely. Thank you, Madam Chair. You \noutline very eloquently the danger, so I don't really have to \nspend a lot of time on that. Everybody in this hearing knows \nthe level of risk that we have before us.\n    Just let me tell you a bit about the Solarium. It was \ncreated in the 2019 National Defense Authorization Act (NDAA). \nIt was a national commission whose mission was to establish a \ncomprehensive strategy to defend this country in cyberspace. \nThe structure of the Commission was somewhat unique. It had 14 \nmembers including 4 sitting Members of Congress: myself; \nSenator Ben Sasse; Congressman Mike Gallagher, a Republican \nfrom Wisconsin; and Jim Langevin, who is a Democratic member of \nthe House and a member of the Armed Services Committee from \nRhode Island. We also had four members from the Executive \nBranch and six members from the private sector. One of the most \nvaluable members of the entire Commission was Tom Fanning, who \nis the CEO of the Southern Company, which I think is the second \nlargest electrical utility in the country. We had over 30 \nmeetings. We had about 90 percent attendance at all of our \nmeetings, and we talked about a whole range of cyber issues.\n    Our report really boils down to three simple points. One is \nreorganization. Reorganizing and organizing our government to \nbe responsive to this problem and not operate in silos. \nSecondly is resilience. 
How to strengthen our resistance to \ncyberattacks and how to build up our defenses, if you will. And \nthe third is response. How do we develop a deterrent doctrine \nso that our adversaries have to feel that they will pay a price \nfor attacking this country, even if it is below the level of \nthe threshold of the use of force?\n    Energy, of course, is a major target. One of the \nchallenging parts of this problem, which you and Ranking Member \nManchin mentioned, is that this really has to be a partnership \nbetween the Federal Government and the private sector. Eighty-\nfive percent of the target space in cyberspace is in the \nprivate sector, a lot of that is the energy sector. And if \nthere is one thing we learned from the pandemic, it is that the \nunthinkable can happen and a significant cyberattack is not \nunthinkable. We know that it is being planned, and we know that \nit is happening today. I spoke recently to a utility executive \nwho told me that his system is attacked three million times a \nday, now, today. So this is not an abstract issue. This is \nsomething that we have to address, and the Commission made a \nnumber of legislative recommendations, more than two dozen of \nwhich we hope will be included in the final National Defense \nAct that is now headed to conference. I want to thank the \nCommittee and the Chair and the Ranking Member for their \ncooperation on assisting us in getting those provisions into \nthe National Defense Authorization Act. There will be others \nthat we will be discussing over the next few months in this \nCommittee.\n    But I want to thank you for having this hearing. It is \nincredibly important. This is one of our prime issues, and I \nlook forward to the testimony of our witnesses. Again, thank \nyou for your work on this and if we work together, we can \ndefend this country.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator King. 
Thank you for that \nbrief summation and to those of you, including Senator Sasse, \nwho were part of that very, very important Commission.\n    Let's turn to our panel this morning.\n    We have one of our witnesses that has joined us in person. \nWe thank you for that. Mr. Alexander Gates, who is the Senior \nAdvisor at the Office of Policy for Cybersecurity, Energy \nSecurity, and Emergency Response. It is a long name. We call it \nCESER there at the U.S. Department of Energy. We welcome you to \nthe Committee, Mr. Gates.\n    With us virtually today are Mr. Joseph McClelland, who is \nthe Director of the Office of Energy Infrastructure Security at \nthe Federal Energy Regulatory Commission. We welcome you, Mr. \nMcClelland.\n    Mr. Steve Conner is the President and CEO for Siemens \nEnergy, and we thank you for being part of this panel this \nmorning, Mr. Conner.\n    Mr. Thomas O'Brien is the Senior Vice President and Chief \nInformation Officer at PJM Interconnection. We appreciate that \nyou have joined us as well and look forward to your input to \ntoday's discussion.\n    With that, we will go in the order that I have introduced \nyou. We will begin here in the Committee room with Mr. Gates. \nWe would ask you all to try to keep your comments to about five \nminutes. Your full statements will be included as part of the \nrecord, and then we will have an opportunity for questions from \nthose of us present and those of us online.\n    Mr. Gates, welcome, and again, thank you for your \nleadership there at the Department of Energy. Please proceed.\n\nSTATEMENT OF ALEXANDER GATES, SENIOR ADVISOR, OFFICE OF POLICY \n  FOR CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE, \n                   U.S. DEPARTMENT OF ENERGY\n\n    Mr. Gates. 
Thank you, ma'am.\n    Chairman Murkowski, Ranking Member Manchin and members of \nthe Committee, thank you for the opportunity to appear before \nyou to discuss the Department of Energy's important work to \nprotect the energy infrastructure from cyber threats. A \nreliable, resilient and secure energy infrastructure is \ncritical to U.S. economic competitiveness, national security \nand, to put it frankly, our way of life. As an organization \nresponsible for safeguarding the nation's nuclear stockpile and \nas a member of the intelligence community, the Department of \nEnergy is keenly aware of threats to our national security. \nToday that includes cyber threats to the energy sector. In the \n2019 and 2020 worldwide threat assessment, the Director of \nNational Intelligence stated, ``Our adversaries and strategic \ncompetitors will increasingly use cyber capabilities to seek \npolitical, economic and military advantage over the United \nStates and its allies and partners. China, Russia, Iran, North \nKorea increasingly use cyber operations to threaten both minds \nand machines in an expanding number of ways, to steal \ninformation, to influence our citizens and to disrupt critical \ninfrastructure.''\n    Within the Department, CESER and the Office of Electricity \nform a nucleus that provides products and services that improve \nthe energy sector's cybersecurity and resilience. Whether it's \nelectricity, oil, natural gas or renewables, CESER endeavors to \nincrease the security of the United States' energy \ninfrastructure against all hazards through the following \npriorities: improving emergency response and recovery, \nexpanding cyber discovery activities, creating high fidelity \nsituational awareness, providing more focused research and \ndevelopment, further solidifying our partnerships and \nincreasing workforce development efforts. 
The Office of \nElectricity, on the other hand, is focused on long-term \nresearch and development to build a secure and resilient power \ngrid. The Office has four strategic priorities: building \nadvanced modeling capabilities, innovating in the field of \nmegawatt-scale grid storage, improving grid operations and \nperformance through advanced sensing technology and securing \ndefense-critical electric infrastructure.\n    Some key DOE initiatives that come out of those groups of \npriorities include the Cyber Risk Information Sharing Program, \nor CRISP, which is a public-private data sharing and analytic \nplatform that facilitates the timely, bidirectional sharing of \nthreat information amongst energy sector stakeholders. The \nNorth American Energy Resilience Model (NAERM), which is a \nmodeling capability that analyzes risk and threats to the grid \nand other interdependent infrastructures, provides operational \nsituational awareness. The Cybersecurity Testing of the \nResilience of Industrial Control Systems, or CyTRICS, tests \ncritical components to identify and mitigate embedded cyber \nvulnerabilities in industrial control systems within the energy \nsector. And, of course, Executive Order (EO) 13920, Securing \nthe United States Bulk Power System. In response to the growing \nthreat, the EO authorizes the Secretary of Energy, working with \nother federal departments and agencies and the private sector, \nto quickly and proactively protect the bulk power system.\n    Cybersecurity in the energy sector is a complex endeavor \nthat will require more authorities, laws, and in some respects, \nan extreme level of collaboration to achieve. As a sector-\nspecific agency, the Department of Energy relies on strong \ncollaboration with FERC, NERC, and CISA, in order to make \nprogress. Utility owners, coordinating councils, and trade \ngroups are all very effective partners in this fight. 
\nCollectively these entities form the fabric of a public-private \npartnership that every day serves to protect the nation's energy \ninfrastructure. Despite all the progress made to date, the \ncyber threats to the sector are real and outpacing our \ncollective solutions. Still, more action is needed to make the \nenergy sector more resilient and cybersecure.\n    Thank you for this opportunity to appear before your \nCommittee. I look forward to working with you to address the \nnation's cyber and physical security challenges to the energy \nsector.\n    [The prepared statement of Mr. Gates follows:]\n    \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    The Chairman. Mr. Gates, thank you very much for that \ntestimony.\n    We will now go online to Mr. McClelland, with the Federal \nEnergy Regulatory Commission. Welcome.\n\n  STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ENERGY \n INFRASTRUCTURE SECURITY, FEDERAL ENERGY REGULATORY COMMISSION\n\n    Mr. McClelland. Thank you, Chairman Murkowski, Ranking \nMember Manchin and members of the Committee. Thank you for the \nprivilege to appear before you today to discuss potential \nthreats to the bulk power system in the United States. My name \nis Joe McClelland, and I am the Director of the Office of \nEnergy Infrastructure Security at the Federal Energy Regulatory \nCommission. I come before you as a Commission staff witness, \nbut I should note that my remarks do not necessarily represent \nthe views of the Commission or any individual Commissioner.\n    In the Energy Policy Act of 2005, or EPACT 2005, \nspecifically Section 215 of the Federal Power Act, Congress \nentrusted the Commission to approve and enforce mandatory \nreliability standards for the nation's bulk power system. 
\nSection 215 requires the Commission to certify an electric \nreliability organization, or ERO, that is responsible for \nproposing, for Commission review and approval, reliability \nstandards or modifications to existing reliability standards \nto help protect and improve the reliability of the nation's bulk \npower system. The Commission certified the North American \nElectric Reliability Organization or North American Electric \nReliability Corporation, or NERC, as the ERO. Section 215 of \nthe Federal Power Act provides stakeholder input in the ERO's \ndevelopment of reliability standards for a bulk power system. \nThis process works relatively well to develop standards to \naddress traditional operations and planning related reliability \nevents that may cause grid failures or blackouts such as from \nimproper vegetation management or failures associated with the \noperation of protective equipment.\n    The nature of national security threats by adversaries \nintent on attacking our nation's electric grid significantly \ndiffers from the reliability vulnerabilities that have caused \nregional blackouts and reliability failures that we have faced \nin the past. Widespread disruption of electric service can \nquickly undermine the U.S. Government, its military and the \neconomy, as well as endanger the health and safety of millions \nof our citizens. 
To help mitigate these advanced, persistent \nand rapidly evolving threats, the Commission uses a two-pronged \napproach regarding grid reliability, employing mandatory \nreliability standards to establish a foundation of practices \nwhile also working collaboratively with the industry, with \nstates and other federal agencies to identify and promote best \npractices.\n    While NERC reliability standards are the foundation of the \nCommission's work to address cybersecurity, there are \nadditional measures that can and should be taken to further \nimprove industry's cybersecurity posture in light of these \nrapidly evolving threats. That is why the Commission \nestablished our office, or OEIS. OEIS partners with industry, \nstates and federal agencies to develop and promote best \npractices for critical infrastructure security. Working with \nthese organizations, OEIS helps identify new and emerging \nthreats, informs the private sector of them and then assists with \nmitigating action. One example of OEIS' work is that we conduct \nvoluntary architectural assessments of utility computer \nnetworks, reviewing everything from the configuration of legacy \nequipment to the application of state-of-the-art protection \nsystems. Another example is that OEIS works with the Office of the \nDirector of National Intelligence and the Department of Energy, \nspecifically CESER, to conduct briefings and exchange \ninformation with state and industry officials about the current \nthreats industry is facing and what can be done to address \nthem. More broadly, OEIS works with the NERC Electricity \nInformation Sharing and Analysis Center (E-ISAC) to rapidly \nissue bulletins and alerts informing industry of specific \nvulnerabilities and threats as well as best practices that can \ndefend against them. And as a final example, OEIS assists with \nthe planning and execution of tabletop exercises and \nparticipates in joint security programs with other government \nagencies. 
In fact, just last week, OEIS assisted the National \nGuard units and participating utilities in the New England \nstates to conduct Cyber Yankee, a simulated cyberattack on \nutility networks. Exercises such as this are critical to \nmaintaining readiness and ensuring our ability to respond to \ncybersecurity events.\n    In conclusion, cybersecurity threats pose a serious risk to \nthe bulk power system and its supporting infrastructures that \nserve our nation. These are complex, persistent and fast-\nevolving issues. Therefore, the Commission has adopted this \ntwo-pronged approach to best address the important security \nmatters. Thank you again for the opportunity to testify today, \nand I look forward to your questions.\n    [The prepared statement of Mr. McClelland follows:]\n    \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    The Chairman. Mr. McClelland, thank you for that. We \nappreciate it.\n    Let's next go to Mr. Conner from Siemens Energy. Mr. \nConner, welcome.\n\n           STATEMENT OF STEVEN C. CONNER, PRESIDENT, \n                      SIEMENS ENERGY, INC.\n\n    Mr. Conner. Thank you, Chairwoman Murkowski, Ranking Member \nManchin and members of the Committee, thank you for the \nopportunity to testify today. My name is Steve Conner. I'm the \nPresident of Siemens Energy, Inc., which is the U.S. regional \nentity of Siemens Energy. We have more than 11,000 employees in \nthe U.S. supporting the country's grid operations at 21 power \nequipment and manufacturing service and innovation sites. Our \nheadquarters is located in Orlando, Florida. The United States \nis our company's largest market worldwide, and Siemens Energy \nequipment provides secure, resilient technologies that support \none-third of America's total daily energy needs. We have been \nworking with our customers on solutions for the evolving \ndemands of industry and society for more than 150 years. 
We \nhave been a partner to the United States Government, America's \nenergy producers and its energy providers for decades. We have \na deep understanding of the safest and most resilient \ninfrastructure technologies and processes necessary to secure \none of our most essential national assets, America's power \ngrid.\n    Industrial cybersecurity is at the core of our Siemens \nEnergy business. Our products and solutions have industrial \nsecurity functions that are built in by design and turned on by \ndefault. They support the secure operation of plants, systems \nand machines and networks of our customers. We use this \nexperience and expertise to establish partnerships that advance \ncybersecurity efforts. I would like to share with you some \nexamples of those collaborations with both the public and \nprivate sectors.\n    In 2018, we created the Charter of Trust which is now a \nleading global initiative of companies and organizations \nfocused on securing critical infrastructure. We're a founding \nmember of the Energy Cybersecurity Alliance, a partnership of \nenergy companies, manufacturers and service providers. We have \na dedicated team of seasoned security experts which we call our \nProductCERT team that manages the receipt, investigation, \ninternal coordination and public reporting of security issues \nrelated to the Siemens products, solutions and services. Any \nvulnerabilities discovered are shared with our governmental \npartners. And just last week, the New York Power Authority \n(NYPA) and Siemens Energy announced a new collaboration to \ndevelop an industrial Cybersecurity Center of Excellence. It \nwill bring the public and private sectors together to develop \ninnovative cybersecurity best practices that will serve as a \nmodel for deployment at other utilities. 
This first-of-its-kind \nIndustrial Cybersecurity Monitoring Research and Innovation \nCenter will focus on detecting and defending against \ncyberattacks on critical infrastructure owned and operated by \nNYPA, the largest state-owned electric utility in the nation. \nSuccessful solutions have potential to be deployed and \ncommercialized at other public and private organizations that \noperate critical infrastructure across the U.S.\n    Supply chain security is just as important as \ncybersecurity. By ensuring the security of our supply chain, we \nenhance the reliability, security and resilience of America's \nenergy infrastructure. This depends on close collaboration and \ninvolvement with our customers, partners, suppliers and \ngovernments around the world to secure our supply chain. \nSome examples of our supply chain security policies and best \npractices include a supply chain management standard that \nperforms regular supplier audits to address technical, \ncommercial and cybersecurity risks and opportunities. We \nmanage, track and control access to confidential data, chronic \ndevelopment and source code, both physically and virtually. We \ndon't share any overall product development information with \nthe suppliers. And utilizing select components from qualified \nsuppliers only, which includes testing their hardware, software \nand security, only then including them in an approved \ncomponents database. And lastly, we perform civil, criminal and \ngovernmental-sanctioned background checks as necessary.\n    As you can see, Siemens Energy takes its responsibility to \nsecure our country's critical energy infrastructure by \ncollaborating with the public and private sector very \nseriously. 
We are constantly looking for additional ways to \nengage the public sector, including supporting vendor-driven \nforums that would improve industry involvement and promote \nwider discussion on the vulnerabilities and supply chain risks.\n    Thank you again for inviting me to testify, and I, along \nwith the 11,000+ U.S. employees of Siemens Energy, look forward \nto the continued collaboration necessary to ``keep the lights \non'' in the U.S. energy infrastructure.\n    [The prepared statement of Mr. Conner follows:]\n    \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    The Chairman. Thank you, Mr. Conner. We appreciate your \ntime before the Committee this morning.\n    Finally, let's go to Mr. O'Brien with PJM Interconnection.\n\n STATEMENT OF THOMAS O'BRIEN, SENIOR VICE PRESIDENT AND CHIEF \n        INFORMATION OFFICER, PJM INTERCONNECTION, L.L.C.\n\n    Mr. O'Brien. Chairman Murkowski, Ranking Member Manchin and \nCommittee members, thank you for the opportunity to speak to \nyou today on this critical topic. I appreciate the opportunity \nto represent PJM. I also appreciated the opening comments from \nthe Chairwoman and some of the things that she covered \nspecifically around the Energy Information Protection Act which \nis something that's very important to us at PJM and the \nindustry.\n    I'd like to thank my fellow panelists for their insights \nand contributions. I've worked with some of them in the past, \nand I really appreciate everything that you do.\n    My written testimony covered a broad range of topics, \nincluding PJM's current approach to managing cybersecurity, \npartnership and collaboration, cybersecurity supply chain \nconsiderations, workforce and training and longer-term \nconsiderations. 
In my brief remarks, I will build off of some \nof the key points from my fellow panelists and leave you with \nthree things for consideration and let the written testimony \nspeak for itself.\n    First, and this was highlighted by everybody, is \ncollaboration and partnership is essential between and amongst \ngovernment, industry and our service providers. It is essential \nand no one can do it by themselves. I'd like to share a couple \nof examples. DOE and DHS lead the charge on both classified and \nnon-classified briefings, and this is critical to industry for \nmanaging priority and risk management. The Electric ISAC, which \nis part of NERC, is the hub of information sharing for the \nelectric industry. They continue to evolve their information \nsharing programs and the industry relies on that significantly. \nThe E-ISAC coordinates the cyber risk information sharing \nprogram which is just one way to get intelligence on what the \nadversaries are doing. DHS has a program for sharing threat \nindicators with industry and something that we use at PJM.\n    I'd like to echo some of what Joe McClelland said. We work \nwith FERC on things like risk management, best practices, and \nwe appreciate their support. And again, I would emphasize the \nimportance of protecting critical information, which again, was \nhighlighted in the opening by Chairwoman Murkowski.\n    Now let's talk about compliance for a second. Just because \nthe electric industry is on the forefront of compliance, NERC \nsets standards but they don't do it blindly. They do it with \nindustry engagement, and regional entities lead the audit \nprocess which essentially drives transparency and allows for \nconsistency. I also wanted to speak to just one example that \nPJM is involved with around fuel security. We're looking at a \nphase three fuel security study at the moment. 
It's looking at \nmajor interstate pipelines, modeling, both physical and cyber \nscenarios and we've had great support from DOE, from FERC, and \nwe'd like to thank them for that.\n    The second takeaway that I'd like to leave with you is that \nrisk management must be informed by clear understanding and \nappreciation of the adversary is informed by threat \nintelligence, likelihood on impact and requires adequate \ninvestments. On October 1st of 2020, the NERC cybersecurity \nsupply chain management standard will go into effect. That's an \nexcellent starting point for advancing controls to mitigate \nrisks and associated threats, and I'm sure that will continue \nto evolve. Previously mentioned, we're looking at the impact of \nthe Executive Order and that has potential sweeping and broad \nimplications for the procurement of electrical equipment as \nwell as legacy equipment. And while ISOs and RTOs do not own \nthe assets, the order will have significant operational \nplanning and marketing impacts. Consistent with the feedback \nfrom Bruce Walker from DOE, we agree that it should be a \nsurgical approach.\n    The final point that I'd like to leave you with is that \nmetrics and key performance indicators are critically important \nto security operations. You can't improve what you don't \nmeasure, and you need to establish key targets so you can see \nhow your progress is going. That will allow you to focus on \ntransparency and continued recruitment.\n    I'd like to thank you for the opportunity to appear before \nthis Committee. I look forward to your questions, and I \nappreciate the opportunity to leave you with my three \ntakeaways: collaboration and partnership between government, \nindustry and our service providers is essential and no one can \ndo this alone; risk management must be informed by clear \nunderstanding, appreciation of the adversary; and finally, \nmetrics and KPIs are necessary for a clear security operating \npicture. 
Thank you for this opportunity.\n    [The prepared statement of Mr. O'Brien follows:]\n    \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n    The Chairman. Thank you, Mr. O'Brien, and we thank each of \nthe panelists that have appeared before us this morning.\n    Mr. Gates, I want to start with you in terms of my \nquestions. I think everyone on the panel this morning has \nmentioned the need and the necessity for collaboration and \npartnerships, but we all know that it is one thing to say I am \ngoing to partner with you, I am going to collaborate with you, \nbut you have to trust one another. And sometimes when we are \noperating in a world of cybersecurity, you are not quite sure \nwho to trust.\n    So, as several have mentioned, the Executive Order on the \nbulk power system is going to require enhanced information \nsharing between the government and the entire energy sector, \nincluding our utilities, our vendors and our manufacturers. If \nyou can speak to how, within DOE, we can improve the protection \nof sensitive data that it receives from the industry and then \nalso, how can DOE improve its trust of the private sector when \nsharing sensitive government information? I know, oftentimes, \nwhat we will hear is the industry is required to give the \ninformation, but they don't feel like they have been fully read \ninto the situations. And so, again, collaboration and \npartnership are key and important, but that is also built on \ntrust. So can you speak to both sides of that, please?\n    Mr. Gates. Thank you, Senator. I'll address the protection \nof the sensitive information from industry. That's always a \nchallenge. Certainly, as it relates to collecting data from the \nExecutive Order and the RFI that will allow us to implement the \nExecutive Order, the RFI went out in July and ends in August. \nProtecting that information is, kind of, central to the \nprogram. 
The Department, when you look at information sharing, \nwhen you look at analysis and data gathering programs, not only \nCRISP but the CATT program that you may have heard of, the \nCyber Analytics and Technical Techniques program. Those types \nof initiatives are central to understanding what's going on and \nthen sharing information in a way that's protected. Liability \nprotections for companies, for example, is part of that \nequation. The other part of that equation is the Department and \nthe government protecting less than classified but very \nsensitive information. So we are designing systems and programs \nthat the Department of Energy protects secrets and sensitive \ninformation in a number of endeavors from our science and \nresearch initiatives with the national labs to our nuclear \nstockpile and weapons protection programs, and cybersecurity is \nanother aspect of that.\n    As it relates to the sector trusting us, that's a tough \none, but if you just look at what's happened in the last four \nor five months and our response to the pandemic, the sharing \nthat we've had with the different coordinating councils, the \nuse of the ISAC to share information, we think the trust in the \nsector is growing, that the Government is actually figuring out \nhow to take even classified information through a process, \nsanitize it in a way that it can quickly be distributed through \neither CISA or the E-ISAC but out to the sector in timely \nenough fashion that it actually makes a difference. We haven't \ntotally solved the problem, ma'am.\n    The Chairman. Right.\n    Mr. Gates. It's a work in progress, but we think the trust \nissue, the trust equation is improving in favor of both the \nGovernment and the sector.\n    The Chairman. Well, and I think we recognize that it has to \nin order for this all to work.\n    Let me ask you one more question. Hopefully this one is \nrelatively brief. 
Many of us on this Committee have electric \nco-ops and municipal utilities that have benefited from the DOE \ninitiative that is focused on improving the cyber and physical \nsecurity posture of the electric sector. In Alaska, we are \nprimarily served by our rural electric co-ops and our municipal \nutilities. Last year, Congress agreed to appropriations report \nlanguage that encouraged CESER to continue this initiative. Our \nenergy bill also includes language that encourages these types \nof public-private partnerships. We also established a grant \nprogram to improve the cyber posture of our smaller utilities. \nCan you give us any update on the status of this initiative? \nHas any funding been released in this regard?\n    Mr. Gates. Ma'am, I'll get the exact details of the status \nof the program to you after this session. But we are working \nvery hard to make sure that money flows to the sector and even \noutside of that program, the small utilities are, they're a \nsoft, in some respects, a soft underbelly of the grid and we \ntake great pride in, you know, certain research and development \nprograms, like the Essence program that we think are going to \nbe valuable in providing those entities the same level of \nprotection as some of the larger utilities. So I'll get the \ndetailed answers to you.\n    The Chairman. Well I appreciate that and, again, that is \nsomething that, I think, we recognize there is a vulnerability. \nThey may be small, but once you work your way in, you can do a \nlot of damage there and recognizing the cost then to these \nsmall, rural electric co-ops and our municipal utilities, this \nis something that we have been focused on.\n    Let me turn to Senator Manchin.\n    Senator Manchin. Thank you, Madam Chairman.\n    First of all, to Mr. McClelland. As you are aware, Senator \nMurkowski and I introduced the PROTECT Act last year. 
The bill \nwould establish incentives for electric utilities to invest in \nadvanced cybersecurity technology. FERC's recent staff white \npaper exploring cybersecurity incentives considers several \noptions that could work to achieve some of the objectives laid \nout in our bill. What are the next steps for FERC in \nconsidering cybersecurity incentive options, and can you share \nwhat some of the public comments have been in the docket?\n    Mr. McClelland. I think I found the unmute button. Thank \nyou, Senator, for the question and also I just want to thank \nyou for your work on the bill and your continued support and \ninterest in cybersecurity. The, as you're aware, the white \npaper was a FERC staff white paper. It went out on June 18th as \na 60-day comment period. And the white paper proposes two \nmechanisms of incentives. One is to exceed the current \nobligation within the CIP, the NERC, Critical Infrastructure \nProtection, or CIP, reliability standards, that would be, say, \nfor instance, if an entity went from a low designation to a \nmedium or a high designation.\n    The other is to follow the NIST framework. The NIST \nframework was established by Executive Order in February 2013 \nand its purpose was to create a set of best standards that all \ncritical infrastructure sectors could share, all 16 sectors \ncould share. So the industry collaborated with government to \nproduce that NIST framework. It was revised, subsequently it \nwas revised twice. So it was produced in 2014 and revised in \n2018. So the white paper proposes either or both of those \nalternatives. We're awaiting comment. 
I don't have the status \nof what the current comments are to that proceeding, but we'd \nbe happy to follow up with you.\n    Next steps would be to consider those comments and then use \nthat within the Commission as a mechanism to better understand \nhow, where industry would like, where the most effective place \nto apply the cyber incentives might be.\n    Senator Manchin. Thank you, sir.\n    I only have a few minutes here, so I want to go through \nsome things very quickly, if I can.\n    Mr. Conner, we have talked about deterrents. How do we \ndeter other nations from hitting us, especially in our grid \nsystem which would be very vulnerable and very harmful to our \ncountry? I guess, retaliation. How do you believe the \nretaliation--what we should do when we know these perpetrators \nare continually trying to do all the damage they can--what type \nof deterrents do you think that we, as the United States \nGovernment, should take against these perpetrators? Should we \nhit back? Should we hit back at their critical infrastructure \nor just give them a warning or what is the recommendation?\n    Mr. Conner. Well, I think, as was mentioned earlier, we \ncan't have, we can't have something that really has no meaning, \nbut you know, it's true from our standpoint that, you know, the \ntechnology that's out there, we have to continue to fight this. \nThis is not a matter of a ``nice to have,'' it's--or a ``needs \nto have.'' This is a ``needs to have'' and it changes daily. So \nas far as deterrents, you know, we don't really look at that \nfrom Siemens Energy Inc.'s viewpoint, but I do--but I believe \nthere is something that we have to do to make it crucial for \npeople who want to come in and attack our grid system.\n    Senator Manchin. Yes. 
I would like to get some of you all's \ninput to try to make sure that we are not out of sync with the \nrules of engagement, if you will, but we have used retaliation \nfrom our nuclear response to let them know that we would hit \nand hit hard. I think in order to stop this type of attack, we \nhave to make sure that they understand that we will use every \nmeans that we have to come back at these countries who are \ngoing at us, to hinder us, really, and harm us. I would love to \nhear from you all in the industry, if you will.\n    Mr. Gates, if I can follow up real quick? Presidential \nPolicy Directive 21 designated responsibilities to different, \nto various federal agencies, departments and agencies, to serve \nas sector-specific agencies and support the private sector in \nmanaging the risk and respective critical infrastructure \nsectors. This recommendation was incorporated into the House \nversion of NDAA and will likely come up in conference. I \nsupport these discussions and hopefully they acknowledge and \npreserve the important role that DOE plays in protecting the \nelectric grid.\n    Mr. Gates, do you agree that DOE provides specific \ncapabilities and expertise as a sector-specific agency (SSA)? \nIs there additional clarification that DOE needs to fulfill its \nresponsibility in this regard, and how do you all interact with \nthe sector-specific agencies to ensure their coordination, but \nnot duplication?\n    Mr. Gates. Thank you for the question, Senator Manchin.\n    I think in many respects the Department of Energy is a \nunique SSA. Not only does the sector know us, but we know the \nsector and, in many respects, we're part of the sector. As you \nknow, we're, we manage PMAs. We manage the SPRO. We're, in some \nrespects, an operator and those kinds of requirements are \nimportant to us understanding what's going on, sharing \ninformation with our partners. So I think that unique aspect of \nDOE is important. 
It gives us credibility in the sector, and I \nthink it allows us to go at the cyber problem and other \nproblems really aggressively because, you know, you add our----\n    Senator Manchin. Yes.\n    Mr. Gates. ----our national lab complex and just the talent \nand expertise we can bring to the problem. We think it's \nimportant for us to serve a strong SSA role.\n    Senator Manchin. Thank you.\n    Thank you, Madam Chairman.\n    The Chairman. Thank you, Senator Manchin.\n    We will next go to Senator Cassidy, who is with us online.\n    Senator Cassidy. Hello, gentlemen. Thank you, Madam Chair.\n    Mr. Gates, last year we heard that one of the problems of \ninformation sharing was getting security clearances for \npartners in the private sector. Can you give us an update? Have \nwe been able to better gain those security clearances, which is \nto say, better able to share this information?\n    Mr. Gates. Senator, I do not have an answer, a specific \nsolution. Clearing, you know, the thousands of owners in a way \nthat allows us to share highly sensitive information is an \nincredibly difficult challenge. We've taken the, I think the \napproach that is more historic in trying to make the \ninformation still useful but not sensitive, so in a way that is \nuseful to the sector but doesn't threaten sources and methods. \nIt's a difficult challenge. It's been a difficult challenge \nclearing just individuals who actually work in national \nsecurity. It's one that we need to tackle, but I'll give you an \nupdate offline on the status of that action.\n    Senator Cassidy. I would appreciate that because, again, it \nwas identified as an issue a year ago and it does seem as if it \nwas highlighted a year ago as, kind of, the Achilles heel. And \nso, however we can address that, that would be great. I will \naccept that it should be offline.\n    Mr. 
Conner, as an equipment manufacturer, how do you feel \nthat this information sharing has progressed because it does \nseem as if there is a threat. It seems, again, as an equipment \nmanufacturer, you need to be actively involved with the nature \nof the threat.\n    Mr. Conner. Yeah, as I mentioned earlier, we have a number \nof tools, you know. Collaboration, I think Mr. O'Brien talked \nabout, nobody can do it alone. So we have a number of tools \nthat we go out with our partners and our customers on/with, \nwhen we take a look at, for instance, the DOE talking with \nthem. We just had a meeting end of June with Secretary \nBrouillette and talked about what we can do on the order to \nhelp, kind of, guide this along. But again, I think it's hey, \nthe collaboration, I think is good. We can always improve \nthings, and we need to continue to improve things to keep this \nmoving forward.\n    Senator Cassidy. Mr. Conner, I am also very interested in \ncounterfeit goods and the ability of counterfeit goods to \nbasically serve as a sabotage instrument, and you mentioned the \nquality control that you have in order to prevent that from \noccurring. Can I ask, does any of your supply chain go through \nChina? I say that because we know that the People's Liberation \nArmy has allegedly inserted chips into servers that would allow \ninformation to go back, chips that were only found with \nforensic engineering. So again, to what degree do your supply \nchains go through China and do we have such a risk?\n    Mr. Conner. Very minimal, very minimal supply chain usage \nfor us out of China. We do have facilities in China, and we do \nserve that market. That's not on Siemens Energy Inc. side, my \nside in the U.S., but that's on the larger part of Siemens \nEnergy as a whole. What we actually go through, as I mentioned \nin my testimony, we actually have preapproved vendor lists and \nthese vendors have to go through rigorous testing. 
We take a \nlook at all their products and then----\n    Senator Cassidy. Let me ask, because I heard your \ntestimony. I have also become aware that having a network of \nvendors represents a security challenge for actually the parent \ncompany, if you will. If it is a vendor to the Department of \nDefense (DoD) that they can, kind of, work their way up the \ninformation chain into a prime contract. Similarly, since we \nare concerned about the cybersecurity of our grid, the \ncybersecurity of Siemens itself, I am sure that you have a \nnumber of cyberattacks as well. With this network of providers/\nvendors, how does Siemens avoid cyber espionage upon what you \nare doing and on cyber sabotage?\n    Mr. Conner. Well, we actually have a significant group both \nin the U.S. and globally that goes through and tests every day. \nWe get attacked thousands of times a day. I think somebody \nmentioned earlier, 300 million times a day. I don't think it's \nthat much, but again, ours is, we have the, our approved vendor \nlist. We go through and we have, to the extent we find \nsomething or from a compliance standpoint somebody doesn't meet \nthat requirement, we kick them off. So it's almost, it's a \nsignificant amount of business that they would lose. And we \nalso do, as I mentioned earlier, we do background checks and \neven through governmental, even the U.S. Government on who \nwe're going to utilize as vendors, et cetera, to make sure they \nmeet all the requirements to avoid having any counterfeit parts \nin our systems.\n    Senator Cassidy. Okay.\n    Thank you, Madam Chair. I yield the floor.\n    The Chairman. Thank you, Senator Cassidy.\n    Senator King.\n    Senator King. Thank you, Madam Chair.\n    There is one subject that we have not touched on today. It \nis not really within the jurisdiction of this Committee, but I \njust mention it in this context and that is the vulnerability \nof water systems. 
There was a recent alleged attack by Iran on \nan Israeli water system. Fortunately it was defended against \nsuccessfully, but we have something like 50,000 water \ncompanies, separate water companies, in this country and that \nis a risk that the Congress needs to address.\n    Secondly, an issue that has not come up yet today is the \ngas pipeline system, and in New England about 60 percent of our \nelectricity comes from natural gas and all the natural gas \ncomes through the pipeline system. So at least in our region, \nand I suspect in other areas of the country, the pipeline \nsystem is part of the energy grid. You can protect the energy \ngrid, but if the gas can't get through for some reason, the \nlights are still going to go off. My concern is TSA, in 2005, \nwas given the authority to regulate the pipeline system. They \nwere given the authority to issue regulations which they never \nhave, and I am reminded of Lincoln's famous letter to \nMcClellan, ``If you're not gonna use the army, perhaps you \ncould lend it to me for a while.'' If TSA is not going to use \nthis authority, perhaps we should give the authority to \nsomebody who will use it because this is an enormously \nimportant part. They are relying entirely on voluntary self-\nregulation. I just don't think that is adequate given the level \nof risk. And I know that FERC has an interest in this. This is \nsomething I very much want to follow up on.\n    A couple more specific questions to our panelists. Mr. \nO'Brien, do you red team your system? Do you do pen testing to \nsee whether you have vulnerabilities? Do you have hackers for \nhire to test the security of your system?\n    Mr. O'Brien. Yes, thank you for the question, Senator King. \nWe do a couple things. One is we do continuous red teaming, and \nwe partner with an outside firm that's constantly probing our \nsystem and looking for issues. Secondly, we do what we call \ncompromise assessments. 
We've brought in a top forensics \ncompany, Mandiant, to comb through our network looking for \nissues. And finally, we do internal audits, penetration testing \nand all that. So yes, we do. Thank you.\n    Senator King. That is very reassuring.\n    I want to ask Mr. Gates and Mr. McClelland the same \nquestion. I was very disturbed a year or two ago when we had a \nhearing on this subject when I asked the fellow from NERC, do \nyou red team? Do you pen test? And the answer was, I don't \nthink so or something to that effect. Do you, as the agencies \nthat are looking after this incredibly important \ninfrastructure, do you do penetration testing and red teaming \non the networks that you are responsible for?\n    Mr. Gates?\n    Mr. Gates. Senator King, thank you for that question.\n    In the context of the federally-owned assets, the PMAs, the \nSPRO, there is a red teaming of other, kind of, security \nmeasures that are taken to verify certain aspects of the \ndefenses of the system and----\n    Senator King. What about the private systems that are part \nof your responsibility?\n    Mr. Gates. So in that respect, and that's where the ESCC, \nthe ONG, SCC and other forms are important where we can advise \nand consult and recommend defensive services such as red \nteaming, such as pen testing.\n    Senator King. So the answer is no, you don't do this \nyourself. Is that correct?\n    Mr. Gates. So we don't do it ourselves and we're not, we're \nnot designed, CESER wasn't designed to provide that service.\n    Senator King. But wasn't CESER designed to protect the \ngrid?\n    Mr. Gates. It's designed to protect the grid, yes, sir, but \nthrough using----\n    Senator King. Isn't protecting the grid determining whether \nit is safe?\n    Mr. Gates. It is, but using the authorities and the \nresources that have been allocated to do that mission which we \nbelieve we're operating in, we could do more, perhaps we should \ndo more. 
I don't know if it gets to the level of pen testing or \nred teaming. There are certain people on my staff who would \nlove to take that on. But again, right now, in the role with \nthe responsibilities and authorities we have and the \npartnerships, it's an advisory service that we're providing at \nthis point.\n    Senator King. Well, if you need additional authorities, I \nhope you will take for the record a question to let us know \nwhat additional authorities you need. I don't see how you can \ncarry out a mission of protecting the grid without testing the \ngrid's vulnerability.\n    Mr. McClelland, I did not get a chance to follow up, but I \nwant to ask, I want you to think about the same question.\n    Finally, Madam Chair, I just hope that we could follow up \nthis hearing with a hearing on the natural gas pipeline system, \nbecause I think it is a crucial part of our energy system and I \nam very concerned that we don't have the level of standards, \ntesting and examination on that system that we have on the \ngrid.\n    Thank you very much, Madam Chair, I appreciate it. I yield \nthe floor.\n    The Chairman. Thank you, Senator King, and know that I \ncertainly agree in terms of our energy infrastructure as it \nrelates to our pipelines.\n    I don't see Senator Gardner on--I know he is popping in \nbetween three hearings this morning--so let's go to Senator \nHyde-Smith.\n    Senator Hyde-Smith. Thank you, Chairman Murkowski, and \nthank you, panel, for appearing today because your testimony is \nvery valuable to this Committee. Your insight is very \nimportant, and I certainly appreciate you guys taking the time \nand being with us today.\n    My question is for all of you. It is well known that our \nnation's critical infrastructure is under constant threat of \nattack from our adversaries as we have been discussing. 
Couple \nthis with the aging and fragile nature of systems running \ncritical energy delivery systems and you have a potential \nrecipe for disaster with our aging infrastructure. I know a lot \nof time and resources are dedicated to implementing the best \npractices and standards to secure these assets; however, best \npractices and standards do not often stop increasingly \nsophisticated bad actors for long. In your judgment, how much \nmore should we be investing in time and resources recruiting \nprivate or government entities that specialize in protecting \nthe energy sector and counteracting these threats?\n    We will start with whoever wants to go first.\n    Mr. Gates. Thank you for the question, Senator Hyde-Smith.\n    Investment is always a tricky and difficult question, \nparticularly from the government perspective when you have, you \nknow, so much private ownership of an entity. So finding the \nright balance is a challenge. I think I can say, as you've \nstated, we're not investing enough, but how much of that should \nbe public or private investment is a fair question. As Senator \nKing mentioned regarding the pen testing, there are other \nsecurity services that can be provided to identify threats. I \nthink what we're doing in the Department to create products \nlike the NAERM, the North American Energy Resilience Model, \nDCEI, CRISP--I think those are things that are helping, but \nmore can be done on the ground to help sense more, to provide \nmore analysis to identify threats more quickly and mitigate \nthem.\n    What that investment looks like, I can't say, but I know \nit's not enough. The system is so large and expansive and you \nhave such a different kind of stakeholder--stakeholders that \ncan invest a lot on their own--and then you have communities \nthat are on limited budgets. So it's a complicated problem that \nneeds to be addressed, but it will require more investment.\n    Mr. O'Brien. 
Yeah, Senator Hyde-Smith, this is Tom O'Brien \nand I would add to what Alexander Gates discussed is, you \nbrought up a really good point that there are legacy systems \nand there's older systems that are out there and we need to \nprotect our systems. And I would go back to what we talked \nabout earlier around the cybersecurity framework. We know how \nsophisticated the adversaries are. We still need to be able to \nprotect our assets. We need to be able to detect when a bad \nactor is getting into our systems and we need to be able to \nrecover and respond when that happens. That will require \nincreased investment by everybody and I think it needs to scale \nbased on the risks that you have. So just as a short answer, \nthat would be my feedback.\n    Thank you.\n    Senator Hyde-Smith. Thank you.\n    Mr. McClelland. If I might add, Senator, just add one other \nperspective?\n    Our office conducts individual assessments at utility \nnetworks. In many cases, these networks are large and complex. \nThey're having tens of thousands of points. One of the \nrecommendations we make, because it is so difficult, the \nchallenges so sophisticated, and it's so rapid as far as its \nmovement, one of the recommendations we make is that the \nutilities consider hiring outside expertise, contractors, that \nwould assist during an emergency. So if their systems were \nbreached, if they were having difficulty, they would bring in \nthe outside contractors who have already helped preconfigure \nand arrange those networks so that they could be more \nresilient, better able to come back online and then it wouldn't \nbe a matter of scrambling to try to find a contractor that \ncould provide some assistance at the last minute.\n    So we actually focus this more toward the private sector to \nsay FERC can provide cost recovery. We can provide incentives. 
\nWe're seeking comments about how those incentives and that cost \nrecovery structure would best benefit the private sector, but \nat the same time, we are offering recommendations to address \nthe issue that you raised.\n    Senator Hyde-Smith. Thank you very much.\n    My second question----\n    Mr. Conner. Yes, Senator----\n    Senator Hyde-Smith. I am sorry.\n    Mr. Conner. I was just going to respond.\n    Senator Hyde-Smith. Oh.\n    Mr. Conner. You know, as I mentioned earlier, Senator, in \nmy responses, companies of all sizes need the technology \nworkforce and the resources to manage these attacks and \ncritical infrastructure. Cyberattacks are not going to be going \naway and we need to defend against them and make it a priority. \nAnd you know, I talked about the latest collaboration that we \nhave with NYPA, New York Power Authority, to put together a \nstate-of-the-art cyberattack and critical infrastructure group \nthere. So, you know, the intent is that as we learn things in \nindustry, as the governments learn them, as the states learn \nthem, that we all collaborate and then we actually can filter \nthat down and share that, those solutions, amongst the other \nutilities, not only energy, but I think we had mentioned water \nearlier, Senator. So things that we can learn there as well.\n    Senator Hyde-Smith. Thank you very much.\n    Madam Chairman, I have a second question, if we have time \nfor that? We will be brief.\n    The Chairman. Go ahead.\n    Senator Hyde-Smith. It is on the cybersecurity defense, \njust the collaboration. Mr. Gates, this will be to you. With \nrespect to protecting our nation's critical energy \ninfrastructure, please provide the Committee with your primary \nrecommendations on how the Department of Energy, the \nintelligence community and the private sector can collaborate \nbetter to defend against these cyber threats from, obviously, \nforeign adversaries, more effectively? Just on the \ncollaboration.\n    Mr. 
Gates. Well, fortunately, we're working from a decent \nbase with the CRISP program, the briefings that we provide the \nsector and our collaboration with the IC. The IC is, of course, \nthe Intelligence Community, is critical. It is better to engage \nthe adversary outside of our networks instead of inside. That \nshouldn't be the first point of an engagement. And so, the IC's \nrole in that is critical and that's not just my bias because \nthat's where I sort of grew up, but the collaboration is \ngetting stronger. It needs to get better. It needs to be \nseamless, and it needs to be real time.\n    The Solarium Commission proposed some things that kind of \nspeak to that, but I think more can happen. Information sharing \nand, ma'am, you mentioned the trust issue earlier, when you're \ntalking about the Intelligence Community, sensitive information \nand sharing it rapidly, that those are oxymorons in some \nrespects. We need to do more to figure out how to get useful, \nkind of, sensitive information into the hands of network \noperators so they can make decisions and take actions. It's a \nwork in progress. I will be--I would gladly provide you a list \nof recommendations on how to improve that process.\n    Senator Hyde-Smith. Thank you very much.\n    The Chairman. Thank you, Senator.\n    Let's go to Senator Cortez Masto.\n    Senator Cortez Masto. Thank you. Gentlemen, thank you so \nmuch for this important conversation. I want to thank the Chair \nand Ranking Member for holding this hearing.\n    Let's talk a little bit about workforce. I know, Mr. Gates, \nin your testimony you highlighted one of the priorities for \nCESER is to build a superior workforce. And then Mr. O'Brien, \nin your testimony, you also highlighted that the future success \non the electricity industry depends on the development and \nleadership of the next generation of utility employees \nincluding cybersecurity analysts. So let's start with both of \nyou and, Mr. 
Gates, I will start with you. Can you speak more \nabout DOE's efforts and methods to deliver on your goals of \nbuilding a superior workforce? And then Mr. O'Brien, I would \nask you to also talk about the importance of the need for \nbuilding that cybersecurity workforce across both the public \nand private energy sectors. Mr. Gates.\n    Mr. Gates. Thank you, Senator.\n    This is a challenge for the country. Most of the estimates \nare that even, you know, at current rates we're going to be \nshort of not only IT cybersecurity professionals, but it's even \nstarker when we talk about industrial control systems. We \nstarted a number of initiatives from CyberForce, for example, \nto help with training of those who are inclined to enter this \nspace as a profession. We think there's more that can be done. \nCertainly we're looking at models, similar to the Center of \nAcademic Excellence that DHS and NSA run for cybersecurity and \nintelligence programs. We think there's a carve-out possible \nfor those who are inclined to go into defensive industrial \ncontrol systems. Using our national lab complex, we actually \nstarted this year a collaboration with one of the military \nacademies to do internships to get them training with one of \nthe national labs in this area and we think there's just more. \nThis is something where it's not just the Department, but the \ngovernment and the private sector will need to invest to get \nthe experience, the senior and junior engineers more training, \nthose who are in the business and build on ramps for those \ncoming out of college or in college to enter the business so we \ncan build that, not only cybersecurity workforce, but one \nthat's, kind of, geared toward the energy sector.\n    Senator Cortez Masto. Thank you.\n    Mr. O'Brien, your thoughts on what more we can be doing?\n    Mr. O'Brien. 
Yeah, thank you for the question and I think \nyou're highlighting a really good point that the supply and \ndemand on cybersecurity resources is somewhat problematic, and \nfrom our perspective we're looking at growing talent from the \ninside where we can and we've established things like \nrotational development programs and really teaching people the \nbusiness, teaching people the different technologies so that \nthey can fight the cybersecurity issue. I think the other thing \nthat we've done, and it's yielded some pretty good results, is \nwe have some great partnerships with, you know, academia. We've \nhad great partnerships with DoD, DOE and really engaging our \nworkforce on that. The E-ISAC has done a very nice job with \nworkshops and you've really got to commit to getting your \npeople to those so that they can learn.\n    And then the other thing that I referenced in my testimony \nwas I think we need to look at the diversity inclusion as an \nopportunity for untapped potential and that's something that \nwe're doing at PJM.\n    Thank you.\n    Senator Cortez Masto. Thank you. I cannot stress that \nenough, and we have had hearings in other committees where the \ndiversity inclusion is key to increasing that workforce and it \nis a power that has not been tapped into. So thank you for \nthat.\n    Mr. Gates, I want to also highlight the fact that just in \nJune of this year the University of Nevada Reno, where I \ngraduated from, their Cybersecurity Center and DOE's Nevada \nNational Security Site announced a partnership for \ncybersecurity research and collaboration. I cannot thank you \nenough for that, but most importantly, I am excited because it \ngives the opportunity for a number of graduate and \nundergraduate students to engage in and have hands-on research, \non research, education, training and career development. I \nthink more of that needs to occur. 
I applaud you on taking \nadvantage of that, so thank you.\n    I know my time is almost up. I will submit the rest of my \nquestions for the record.\n    Thank you.\n    The Chairman. Thank you, Senator.\n    Continuing on Senator Cortez Masto's questions regarding \nthe workforce, Mr. O'Brien, I know that--and we have had \nconversations here this morning about supply chain security--\nyou have spoken to this issue as well as Mr. Conner. But not \nonly does PJM purchase from around the world, so when we think \nabout supply chain there, you also hire employees, contractors \nand consultants that come from other places around the world. \nHow can you be certain that you are not hiring an insider \nthreat? How do you address that challenge?\n    Mr. O'Brien. Well, first and foremost, that's very \ndifficult because, you know, a foreign adversary that has \nintent may very well find ways to get in, but the things that \nwe do is, you know, we have pretty good security background \nchecks and that's both for, you know, contractors and for \nemployees. The other thing that we do is, you know, and \nobviously I wouldn't get into the details, but we have an \ninsider threat program where we're looking at, you know, the \nactivities of what's happening inside our walls and those are \nthings that are very important because if you put your head in \nthe sand around the insider threat, it can be problematic. But \nI will just summarize it with good background checks, good \ninterviewing, good references and making sure you have the \nsolid insider threat protocol. Thank you.\n    The Chairman. Thank you.\n    Mr. Conner, do you want to add anything to that?\n    Mr. Conner. Yes, thank you for the question.\n    No, I think we actually make sure we do the background \nchecks here as well and we also, because this is relatively \nnew, you know, have actually been setting up programs with \nuniversities to try to run a curriculum to how do we get the \ntraining there. 
So more homegrown, we don't like to bring in \npeople from the outside to be doing some of this work for us. \nSo I think if you take a look at the programs we've put in, \nalong with the universities for the training, it's gone a long \nway for us.\n    The Chairman. I appreciate that.\n    Let me go to you, Mr. McClelland, and this is with regards \nto how we protect sensitive data. On an annual basis FERC \nrequires our electric utilities to submit detailed data on \ntheir power grid operations. Form 715 requires utilities to \nsubmit maps and diagrams of the grid as well as actual grid \ndata in electronic format. We acknowledge, FERC acknowledges, \nthat this data is critical energy infrastructure information \nand treats it as such. The first question here though goes to \nFERC's policy of releasing the data to the public on the basis \nof the public's right to know. I think we are all in favor of \nlevels of transparency, certainly. In general, the public does \nhave a right to know, but when it comes to schematics of \ncritical energy infrastructure information, it seems reasonable \nto me to be, perhaps, a little more circumspect here. Should \nFERC consider changing its policy regarding the release of this \ncritical energy infrastructure information to a need to know \nbasis?\n    Mr. McClelland. Thank you, Chairman, I appreciate the \nquestion.\n    FERC has to balance or must balance the right to know with \nthe sensitivity of the information. The CEII program that we \nconduct provides necessary but limited release of that \ninformation. In addition, all requesters are required to submit \nin writing their need for, to attest to and demonstrate their \nneed for this information. FERC then verifies that request. It \ncan do so with business references and online tools and after \nverification, FERC does require the execution of a non-\ndisclosure agreement. 
That non-disclosure agreement carries \nwith it sanctions if that non-disclosure agreement is violated \nand those sanctions can include a loss of access to CEII as \nwell as criminal prosecution.\n    To date, FERC is not aware of any individual that's \nviolated, intentionally violated, that non-disclosure \nagreement.\n    The Chairman. So Mr. McClelland, how does FERC audit how \nmembers of the public use that CEII information that they have \nreceived? Is there a follow-on? You mentioned the non-\ndisclosure, they then receive the information. What then \nhappens next in terms of just ensuring that there has been that \nlevel of compliance?\n    Mr. McClelland. Well, FERC doesn't actively monitor those \nthat sign non-disclosure agreements and receive the \ninformation, but FERC, however, has investigated allegations \nthat non-disclosure agreements have been violated and followed \nup appropriately.\n    The Chairman. So is it your view that perhaps FERC should \nlook to strengthening the provisions in the non-disclosure \nagreements?\n    Mr. McClelland. Well, to date, the non-disclosure agreement \nprocess has worked for FERC. As I said, we're not aware of any \nintentional violations of that non-disclosure agreement for \nthose that have received CEII information.\n    The Chairman. Okay.\n    Let me ask, I know Senator Manchin had asked about the \nwhite paper that FERC recently did. In the white paper, there \nis an observation that the standards-making process--for the \nmandatory reliability standards--the standards-making process \n``does not lend itself to addressing rapidly evolving \ncybersecurity threats.'' Does Congress or does FERC need to \nchange the development process for these standards?\n    Mr. McClelland. Well----\n    The Chairman. If you recognize that it is that cumbersome.\n    Mr. McClelland. I'm sorry, I'm glad you asked the question, \nChairman.\n    That's why FERC uses a tool called Approach. 
And the \nreliability standards, although they can be, they aren't \nrequired to be best practices. And in the context of these \nadvanced persistent threat adversaries that are specifically \ntargeting our most critical infrastructure facilities with \nprecision and with advanced tools and techniques, the \nCommission has found that it's necessary to use a dual-pronged \napproach. It's not to say that the standards development \nprocess isn't working because it's providing excellent \nfoundational standards that really are a shining example across \nall of the infrastructure types, but those are foundational \npractices.\n    The Commission, and we've heard this earlier from several \nSenators, the Commission's--it's recognized the need to convey \nthis most sensitive information to our utility partners so that \nthey can quickly react to it. In that context, and I just want \nto highlight one small example. We do work very closely with \nthe Director of National Intelligence, the National \nCounterintelligence and Security Center. They convey one day \nread in clearances. So a process that could take a year or more \nto conduct, we can get and we have, we've gotten state \nofficials and industry officials quickly cleared and then \nbrought them in for group classified briefings and working \nsessions to make sure they understand the threat that's before \nthem. We identify the best practices to mitigate against them \nand then they go out and take care of that. In the meantime, \nFERC then considers whether it would be appropriate to follow \non with actions and activities pursuant to the reliability \nstandards.\n    The Chairman. Let me ask you one more question on the white \npaper as well. Do you think that the white paper's proposal of \nfinancial incentives for the industry will be helpful or will \nit just serve to increase rates because, you know, you have the \npotential for a tradeoff here between higher rates or better \nprotection? 
And so, is that the answer there in terms of that \nprotection, is the financial incentive?\n    Mr. McClelland. Well, we hope so. We did solicit two \nseparate mechanisms by which industry can react and then \npropose comments back to the incentives. But it really, the \nfundamental, it's really just three questions that I think \nsummarize this issue very succinctly. The third question is do \nyou know where best practices belong because not all facilities \nare created equally. Some facilities are extremely strategic in \nnature and you can bet that's where our adversaries will be \ntargeting. So we hope or believe that the white paper that we \ndeveloped, the application of those incentives can be used to \ntarget those critical facilities to deny the adversary access \nand then in the future even exploit of those facilities.\n    So, and that would be also cost-effective. So instead of \nrequiring everyone to establish a best practices and follow \nthose best practices through a mandatory requirement, we can \nstrategically select those facilities and then apply these best \npractices to them. And we're hopeful we get great comments back \non that incentives white paper. We're very hopeful about that.\n    The Chairman. I am sure you will get comments.\n    [Laughter.]\n    I appreciate that, Mr. McClelland.\n    I am going to give my colleagues an opportunity for a \nsecond round, but Senator Risch has just joined us. Senator, if \nyou would like to ask a question before we turn to Senator \nManchin.\n    Senator Risch. Thank you very much. Thank you, Madam \nChairman.\n    Cybersecurity is really important, and obviously this \nCommittee has overlapping jurisdiction with a number of other \ncommittees.\n    The Chairman. With everybody.\n    [Laughter.]\n    Senator Risch. Yes, with everybody, I guess that is right.\n    In Idaho, we are particularly sensitive to all this because \nof the Idaho National Laboratory (INL). 
The Idaho National \nLaboratory, as everyone knows, is the birthplace of nuclear \nenergy in America and it is now, it has been the flagship for \nnuclear energy, really, in America and in the world. Now the \nflag is going up for cyber because at the INL they have some \nunique capabilities that really call out for them to be the \nflagship lab also for cybersecurity. This is the result of \ntheir decades of experience in control systems. Obviously since \nit was the birthplace of nuclear power, control systems played \na very, very important role as they went forward building the \n52 different experimental--or some experimental, some actual--\nnuclear reactors that were built at the laboratory. Those \ncontrol systems were critical. They have great expertise in \nthat regard, plus they have some test beds that are important. \nSo the result of that is the INL is moving forward very rapidly \nin the cyberspace.\n    I have a question for Mr. Gates I would like to ask and \nhave him talk to us a little bit about the role that the INL \nand the other labs are playing in this regard. And as we know, \nearlier this year the Cyberspace Solarium Commission released \ndozens of recommendations to better secure the nation from \ncyberattacks--very important because this is so critical in our \ninfrastructure and everything else. The Department of Energy \nnational laboratories are playing a key role in this effort to \nmove these recommendations forward. In Idaho we have the Idaho \nNational Lab, as I said, which is the only national laboratory \nexplicitly mentioned in this report and that, of course, is \nbecause of its expertise that I just described and also because \nof their outsized role and growing role in cybersecurity.\n    So again, the question I have for you, Mr. 
Gates, is that \nas Congress looks as we all, in Congress, look to implement \nmany of the recommendations in this report, can you please talk \na little bit about what you think the INL, the role the INL can \nplay in that regard and the role that any other of the labs \nmight play in that regard? INL certainly has a unique place and \nunique capabilities, but I would like to hear your observations \nin that regard.\n    Mr. Gates. Thank you, Senator Risch.\n    INL, it's in many respects, particularly in the area of \ncontrol systems, it's a first among its equals. Certainly, \nCESER and the Department, the sector, relies on many labs. If \nyou look at what we are doing with NAERM, you know, there are \neight national labs that are collaborating on that project that \nwill allow us to obtain high-fidelity situational awareness on \nthe grid. INL is one of them. But INL has really taken a \nleadership role on some of our critical programs, CyTRICS, for \nexample, where we're going to be testing systems down to the \ncomponent level to look for and eliminate vulnerabilities. That \nprogram, I mean, INL is best suited for it. It was, CyTRICS, \nwas designed with INL in mind and what that is going to allow \nus to do is push the adversary further out of the \ninfrastructure using that and other programs. CyTRICS, centered \nat INL, is also going to allow us to execute the Executive \nOrder. It's a key component to DOE's ability to implement \n139920.\n    There are other programs. Just this year, I mentioned \nearlier that we sent a few Coast Guard cadets to INL for an \nintern program and we think that's a model for how to get \ntraining into the hands of those who will be helping us defend \ncontrol systems, whether they're controlling a weapon system or \nwhether they're controlling part of the critical \ninfrastructure. So that's just one of many programs. We rely on \nINL's expertise, even in classified settings. 
There's work \nthat's just uniquely suited for INL, but many of our other \nnational labs, it's almost a superpower for the Department of \nEnergy, our ability to rely on national labs to help us solve \nproblems and then get them into the sector.\n    Senator Risch. Thank you very much, and I appreciate your \nreference there to the national security matters and also the \nclassified nature. Sometimes when I am home in Idaho I try to \nexplain to people what they do at the INL. I can tell them \nabout some things and I can't tell them about others. Even the \nones that are classified are incredibly important. So thank you \nfor your work, I sincerely appreciate it.\n    Thank you for holding this hearing, Madam Chairman. I \nappreciate it.\n    The Chairman. Thank you, Senator Risch. As you know, I have \nbeen out to INL, have seen it, can't talk about it.\n    [Laughter.]\n    Senator Manchin.\n    Senator Risch. Some of it.\n    The Chairman. Some of it.\n    Senator Manchin. Thank you, Madam Chairman.\n    To Mr. Gates and Mr. Conner, I mentioned earlier I am \npleased to see DOE taking steps to ensure that we have safe and \nsecure supply chains for bulk power systems. However, in moving \nforward with identifying grid equipment that is at risk or \nequipment that could be part of a prequalified list, it is of \ncredible importance that the manufacturers of electric \nequipment are utilized for their knowledge and expertise. I \nknow the Executive Order established a task force to engage \nwith the energy industry, but manufacturers were not \nspecifically included in that process.\n    Mr. Gates, has the DOE considered establishing a task force \nequivalent for the manufacturers to the electric equipment to \ninform DOE to get response back for them and how is DOE fully \nengaging with these stakeholders?\n    Mr. Gates. Thank you for that question, Senator Manchin. 
\nYou know, since the issuance of the Executive Order, DOE has \nheld over 90 calls, not only to the asset owners, but that also \nincludes manufacturers. So they're part of the equation. And \neven in part of the CyTRICS program which is a key element of \nexecuting the Executive Order, we've already signed two \ncompanies. We're engaging others directly and having a \nconversation. A lot of those discussions are in the context of \nthe broader vulnerability identification and elimination \naspect, but we're also talking about implementation of the \nExecutive Order.\n    So over 3,000 individuals have engaged the Department since \nthe issuance of the Executive Order. Some of them are \nmanufacturers, a lot of utility owners, suppliers, and we're \ncomfortable, though we've taken the letter to heart and we're \nmaking sure that we're covering all our bases, we're \ncomfortable with our engagement strategy so far and we seek to \ndo more of that because we do want to be thorough and it \nrequires a partnership. We can't go it alone. So, you know, \nyour letter was taken to heart, sir.\n    Senator Manchin. Thank you, sir.\n    Mr. O'Brien, as the largest grid operator in the country, I \nappreciate that PJM takes cybersecurity seriously. The states \nand utilities that make up PJM service territory which includes \nmy State of West Virginia vary a lot in their ability to \naddress and get ahead of the cyber grid threats leaving an \nimportant role for PJM to make sure the system is not made \nvulnerable by any one actor who does not get it up to the \nstandards that you are asking for. So my question would be, \nwhat are the biggest risks in the PJM territory that you are \nconcerned about and what can other grid operators learn from \nwhat you have been able to address with these threats?\n    Mr. O'Brien. 
Yeah, thank you, Senator.\n    I think from my perspective, certainly from an operating \ncontrol aspect, is the biggest risk to PJM is that there's \nsignificant compromise of our members. I mean, we rely on \ninformation and data that comes into PJM and we're running all \ntypes of real-time analysis to keep the lights running. But if \nthere is any case where the telecommunications system is down, \nwe can't get that data, that information. I think it's a really \nhigh risk----\n    Senator Manchin. Let me ask you this, Mr. O'Brien. Are you \nall able to run scenarios that you can test to see if they are \nup to your standards, even if they are reporting they are? Do \nyou do, kind of, cyber test, if you will, to see if you are \nable to get into their system or basically show they have, \nstill, some vulnerabilities?\n    Mr. O'Brien. No, we don't do that. I mean, that's something \nthat we don't, you know, feel is in our jurisdiction based on \nhow we operate. We do collaborate a lot with the members, but \nno, we don't do, you know,----\n    Senator Manchin. Well, let me ask Mr. Gates. Let me ask him \nthen.\n    From the DOE, Mr. Gates, does any, I mean, if our systems \nare telling you, whether it be in West Virginia or any other of \nthe PJM states or any other areas of our country, if they are \nnot, if they are actually not really hardening their systems to \nprotect against the cyberattacks, how are you able to detect \nit? Do you just have to wait until something happens or are you \nall checking to see if they are doing it?\n    Mr. Gates. We're not. There is a reporting mechanism in \nplace.\n    Senator Manchin. No one is checking, I can tell right now. \nNo one. No one is testing to make sure. If I wanted to find out \nif you did what you told me you did, I would have one of my \nsmart people try to hack into that and see if I show the \nfallacy there. So we are not doing those types of tests?\n    Mr. Gates. 
I think that's fair, though if you look at what \nCISA is doing, some of the work they're doing in the sector and \nthe Department and the advice from FERC and NERC, there are \nmechanisms to engage them, but as far as overseeing the \nimplementation of certain things in a private utility, again, \nthere are some limitations in the current----\n    Senator Manchin. Well, again, I would ask PJM. Mr. O'Brien, \nhow do you all plan to continue monitoring these evolving risks \nif you really can't check to see if they have been hardened? It \ncan't be done. Has the risk been eliminated?\n    Mr. O'Brien. Yeah, I think, Senator, the thing that we rely \non, relative to our members, is, you know, the NERC compliance \nand they're all held to a standard, they're held to an audit \nand we're counting on that. Now we do a lot of collaboration \nand discussions on best practices, but it's not within our \njurisdiction to actually red team or try to hack into their \nsystems right now.\n    Senator Manchin. Well, we will have to check with NERC \nthen. We have to check with somebody to see if somebody is \nchecking anything.\n    Alright, thank you.\n    Thank you, Madam Chairman, and thank all of you. I am very, \nvery appreciative.\n    The Chairman. Thank you, Senator.\n    Senator Hoeven has joined us.\n    Senator Hoeven. Thank you, Madam Chairman.\n    My first question is to Mr. McClelland. As consumers we \nhave benefited from centralized baseload generating assets and \nour ability to [inaudible]--to provide power, especially during \nextreme weather events, polar vortexes and so forth. And we now \nsee more centralized, intermittent generation on the grid and \nso forth which creates opportunities, but also, risks. Mr. \nMcClelland, what measures has [the company] taken to manage \nliability and cybersecurity risks in these new technologies?\n    Mr. McClelland. 
So as users, owners and operators of the \npower grid, these facilities may be subject, would likely be \nsubject to the NERC reliability standards if they reach a \ncertain threshold and they are interconnected to the bulk power \nsystem. So that's where the Commission's jurisdiction is, under \nthe Federal Power Act, Section 215. If these facilities \ninterconnect to the bulk power system, they'll be held to that \nminimum standard. And in addition, Senator, we do have a \nprogram, a collaborative program that is available to any \nentity where we will, for instance, do an onsite assessment of \ntheir facilities, identify vulnerabilities and then assist them \nwith mitigating action. So it's the same level of \naccountability that all generation resources under the \nCommission's jurisdiction would have.\n    Senator Hoeven. Does Congress need to provide the FERC with \nany additional tools or capabilities to make sure that FERC is \ncontinuing to protect and improve the reliability of the bulk \npower system?\n    Mr. McClelland. Well, the Commission now is using a dual-\nfold approach. So we're establishing baseline standards and \nthey're good, the reliability standards for cybersecurity \nthrough the NERC process, but this process is open and \ndeliberative and it's not necessarily reflects best practices. \nOn the other side, we're collaborating very closely with the \nintelligence community. That'd be our friend, Alex Gates at the \nDepartment of Energy, Department of Homeland Security and other \nagencies to stay current on those threats. And then we're \nactively engaging with industry to push out this information so \nthat they can be aware of the threats. This bill would actually \nadd to that authority. It would add to our voluntary assistance \nwork with industry, providing us with additional authorities.\n    Senator Hoeven. For Mr. 
Conner, how do we continue to
strengthen the relationship between the public and private
sectors to ensure that information is shared and also protected
from inappropriate disposal?
    Mr. Conner. Yes, thank you for the question.
    I think, as we mentioned earlier in my testimony, if I just
take a look at the partnership that we've done with NYPA.
That's more on the public side. That was just last week, and
it's to develop the new think tank with them. I also take a
look at all the partnerships that we have in the private sector
with some of our vendors and our supply chain management. And
as I also testified earlier, we make sure that despite all of
that, that we actually do testing on hardware, software,
security testing of everything that we get out of our suppliers
as well to cover that side.
    So I think it's collaboration. We talked about it earlier.
Nobody gets there by themselves, but it's continue to
collaborate and communicate across the board.
    Senator Hoeven. And then for Mr. Gates. Do you believe that
the Department of Energy has sufficient ability over the
nation's energy delivery system to properly address the attacks
and vulnerabilities----
    Mr. Gates. Thank you for the question, Senator.
    I'm not sure anyone has the visibility to address all the
threats. If we had that visibility, whether it was the
Department, whether it was in the private sector, we would be
doing more to develop solutions and push the adversary further
away from our infrastructure. But that's why investments like
NAERM and developing other tools and why information sharing
through the ISACs and other mechanisms, the intelligence
briefings, are so important. But we do need better tools. We
need better sensors, and we're investing in that. We need
better analytics which we're developing at the national labs.
Pulling all that together to have better situational awareness,
high fidelity is the answer.
We haven't achieved it yet, but it
is a goal and it's a pressing goal for the Department.
    Senator Hoeven. Is there additional assistance Congress can
provide or resources, in your opinion, at this time that would
be critical to test?
    Mr. Gates. There's always room for additional support, sir.
Targeted support at specific programs that allow us to develop
some of these solutions more rapidly is always effective,
making it easier for us to fund pilots and work with the
national labs, with the private sector. There are pretty
interesting developments in private industry, tools that are
useful for us, but even that requires integration and testing.
So clearly, the whole sector, including the Department could
use more support.
    Senator Hoeven. But you don't have a specific in mind?
    Mr. Gates. I do have specifics in mind, sir, and I would
gladly provide those to you offline.
    Senator Hoeven. Alright. Thank you very much.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator Hoeven.
    Gentlemen, we appreciate the discussion that we have had
here this morning. I know Senator Manchin and I have no further
questions.
    Senator King, did you have anything further that you wanted
to add?
    Senator King. Yes, just two things.
    The first, Senator Manchin, in your usual commonsense way,
you put your finger on something very important which we talked
about earlier which is red teaming or hackers for hire or
penetration testing, whatever you want to call it. We need more
of it. We need authority to do it in Mr. Gates' agency and
perhaps at FERC. People can certify that they are secure but
there is no way to really test that until you have really tried
to penetrate their network. So I have asked Mr. Gates to supply
us with what he feels he needs in the way of additional
authorities to make that happen.
So I want to associate myself
with that question.
    One other question that has not come up today, and I don't
know whether this should be to Mr. McClelland or to Mr. Gates,
but isn't distributed energy, that is, generation at the home
or in the neighborhood which is now available to us in part
through the use of solar, isn't that part of a national
security solution to try to avoid the risk of the giant grid
with the giant generating plant that if it goes online,
everybody goes down? Is anybody thinking about that? Mr. Gates,
is that something that you all have looked at?
    Mr. Gates. Senator King, it is something the Department is
concerned with, particularly when we look at some of the grid
modernization initiatives, you know, baking security into that
modernization, whether they're microgrids and so forth is an
important aspect of it. But there are those who also believe
that if we don't bake in security that we're distributing the
problem. Those systems still are dependent on technologies
that, you know, could be vulnerable and just change the nature
of an attack, make it a----
    Senator King. But if you have a solar array on your house
that supplies your needs, you don't care if something happens
to a generating plant 200 miles away. That is my point. It
seems to me that there is a resilience redundant kind of effect
here, and I realize integration into the grid and all those are
technical questions, but the decentralization, I mean, the
whole history of our electrical system has been centralization.
We are now in a place where technology allows us to
decentralize, and it seems to me that could be an important
advantage in terms of securing electric supply to individuals
and businesses.
    Mr. McClelland, are you guys looking at that at FERC?
    Mr. McClelland. Thank you, Senator, for the question.
    In some ways, and to add to Mr.
Gates' point, in some ways
the addition of new technologies, new systems, especially
supply chain concerns can complicate security. However, to your
point, there's a vast reduction of interdependencies associated
with a self-sufficient plant. So I think that so long as the
facility, and I am speaking for myself, so long as the facility
is secure, has/is abiding by best practices to counter those
adversarial attacks, it certainly makes it easier to protect a
self-contained, fuel secure facility, such as renewables versus
a facility that depends on many other types of infrastructure
to produce generation.
    Senator King. Thank you.
    Thank you, Madam Chair, I appreciate it.
    The Chairman. Thank you.
    This has been a really instructive hearing, again, and I
appreciate the input that we have received, not only from those
within the Department, the agencies, but also the private
sector. I think it was important to have that.
    Senator Manchin. Can I say one thing?
    Senator King, Angus, are you still on?
    The Chairman. Yes.
    Senator Manchin. Angus, the only thing I wanted to ask, I
know you asked directly with DOE if they could check, you know,
by basically hiring the real smart people we talk about that
are able to find out if we are on our game or not.
    Senator King. Right.
    Senator Manchin. But how about with PJM? Are they not
responsible then, basically if they are the carrier, I mean,
they are one of the largest in the country? They are all over
my state. Should they not be----
    Senator King. I asked PJM that question and I think the
response was that they do do pen testing and red teaming. Isn't
that correct, Mr. O'Brien? I thought that was what you said.
    Mr. O'Brien. Yeah, thank you. Let me clarify. We do
extensive red teaming on our own systems. We do extensive
penetration testing on our own systems.
What we don't do is red
teaming and penetration testing on our member company systems
where data flows into us. So that's the little nuance to the
question.
    Senator Manchin. So you don't have the jurisdiction for
that, is what you are saying, why you don't do it?
    Mr. O'Brien. We do not. No.
    Senator Manchin. Okay. Angus, that gives us something else
to work on.
    The Chairman. Yes.
    Mr. O'Brien. And again, I think NERC plays a role in that
as well.
    Senator Manchin. Sure.
    Mr. O'Brien. With the--thank you.
    The Chairman. But that is your vulnerability. You can be
secure here----
    Senator Manchin. Absolutely. Absolutely.
    The Chairman. ----but then feed into where you are.
    Senator Manchin. I just want to thank Angus, Senator King,
and Congressman Gallagher for what they have done in the last
two years. I mean, it is truly amazing and it needs to be
brought--it is just common sense. It is just pure common sense.
And we have to do all the checking we can. So maybe this is
something that we could work on with NERC and get some of these
barriers broken down for you so we really have thorough
checking and thorough testing.
    Thank you.
    The Chairman. Well, I think we recognize that the threat
from cyber, whether it is to our energy systems or any aspect
of, really, our economy, there is vulnerability that we
recognize and again, we are talking about collaboration, we are
talking about partnership, built on the trust. And so how we
can help facilitate that is important. When you can't trust,
you have to test. Trust but verify. I think this is some of the
conversation that we have had here today.
    There are some requests that Committee members have made
that, I think, Mr. Gates, you acknowledge that you would be
able to provide members of the Committee a response.
We look
forward to that and if other members have further questions for
the record, we would hope that you would be able to respond.
    We appreciate the time that you have given us and the
information that you have provided us as we focus on this
critically, critically important aspect of protecting our
energy sector.
    With that, the Committee stands adjourned.
    [Whereupon, at 11:53 a.m. the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

</pre></body></html>