[Senate Hearing 116-378]
[From the U.S. Government Publishing Office]


                                                       S. Hrg. 116-378

                  FEDERAL AND INDUSTRY EFFORTS TO IMPROVE 
                    CYBERSECURITY FOR THE ENERGY SECTOR,
                  INCLUDING HOW TO IMPROVE COLLABORATION 
                    ON VARIOUS CYBERSECURITY AND CRITICAL
                   INFRASTRUCTURE PROTECTION INITIATIVES

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                      ENERGY AND NATURAL RESOURCES
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             AUGUST 5, 2020

                               __________



                       Printed for the use of the
               Committee on Energy and Natural Resources

        Available via the World Wide Web: http://www.govinfo.gov       
        
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
41-402                      WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------
        
        
        
        
               COMMITTEE ON ENERGY AND NATURAL RESOURCES

                    LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming               JOE MANCHIN III, West Virginia
JAMES E. RISCH, Idaho                RON WYDEN, Oregon
MIKE LEE, Utah                       MARIA CANTWELL, Washington
STEVE DAINES, Montana                BERNARD SANDERS, Vermont
BILL CASSIDY, Louisiana              DEBBIE STABENOW, Michigan
CORY GARDNER, Colorado               MARTIN HEINRICH, New Mexico
CINDY HYDE-SMITH, Mississippi        MAZIE K. HIRONO, Hawaii
MARTHA McSALLY, Arizona              ANGUS S. KING, JR., Maine
LAMAR ALEXANDER, Tennessee           CATHERINE CORTEZ MASTO, Nevada
JOHN HOEVEN, North Dakota

                      Brian Hughes, Staff Director
                      Lucy Murfitt, Chief Counsel
                Jake McCurdy, Professional Staff Member
                    Robert Ivanauskas, FERC Detailee
                 Renae Black, Democratic Staff Director
                Sam E. Fowler, Democratic Chief Counsel
           Nicole Buell, Democratic Professional Staff Member
                            
                            
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska
Manchin III, Hon. Joe, Ranking Member and a U.S. Senator from 
  West Virginia
King, Jr., Hon. Angus S., a U.S. Senator from Maine

                               WITNESSES

Gates, Alexander, Senior Advisor, Office of Policy for 
  Cybersecurity, Energy Security, and Emergency Response, U.S. 
  Department of Energy
McClelland, Joseph, Director, Office of Energy Infrastructure 
  Security, Federal Energy Regulatory Commission
Conner, Steven C., President, Siemens Energy, Inc.
O'Brien, Thomas, Senior Vice President and Chief Information 
  Officer, PJM Interconnection, L.L.C.

          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Conner, Steven C.:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Gates, Alexander:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
King, Jr., Hon. Angus S.:
    Opening Statement
Manchin III, Hon. Joe:
    Opening Statement
McClelland, Joseph:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Murkowski, Hon. Lisa:
    Opening Statement
O'Brien, Thomas:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record

 
 FEDERAL AND INDUSTRY EFFORTS TO IMPROVE CYBERSECURITY FOR THE ENERGY 
SECTOR, INCLUDING HOW TO IMPROVE COLLABORATION ON VARIOUS CYBERSECURITY 
           AND CRITICAL INFRASTRUCTURE PROTECTION INITIATIVES

                              ----------                              


                       WEDNESDAY, AUGUST 5, 2020

                                       U.S. Senate,
                 Committee on Energy and Natural Resources,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:07 a.m. in 
Room SD-366, Dirksen Senate Office Building, Hon. Lisa 
Murkowski, Chairman of the Committee, presiding.

           OPENING STATEMENT OF HON. LISA MURKOWSKI, 
                    U.S. SENATOR FROM ALASKA

    The Chairman. Good morning, everyone. The Committee will 
come to order. We are here this morning to examine federal and 
industry efforts to improve the cybersecurity of the energy 
sector, including efforts to improve collaboration on various 
cybersecurity and critical infrastructure protection 
initiatives. It has been more than a year since we last held a 
hearing on cybersecurity for the energy sector, but I think it 
is fair to say that this is always a timely topic. It is also a 
critical priority that we cannot lose sight of, even as we 
grapple with COVID-19, lest it become the source of our next 
national crisis.
    There have been a few noteworthy developments since our 
last hearing. Earlier this year, the President issued an 
Executive Order focused on securing the bulk power system from 
both cyber and physical threats posed by hostile nation-state 
actors. This is an effort that will be led by the Department of 
Energy (DOE). Meanwhile, the Federal Energy Regulatory 
Commission (FERC) has published a paper detailing a potential 
structure for providing incentives to utilities to make 
cybersecurity investments following up on a technical 
conference examining the same issue in 2019. I am pleased this 
morning to be able to welcome our witnesses from DOE and the 
FERC and to look forward to hearing the latest from them. I 
also welcome the witnesses representing industry which will 
play an equally significant role in how these initiatives 
unfold.
    The threat of cyberattacks by foreign adversaries and other 
sophisticated entities is real, and it is growing. As I 
mentioned on the Senate Floor earlier this week when we 
confirmed Mark Menezes, cyberattacks are near constant and only 
growing more sophisticated. According to the latest worldwide 
threat assessment from the Office of the Director of National 
Intelligence, China, Russia and other foreign adversaries are 
using cyber operations to target our military and our critical 
infrastructure. Those near-peer adversaries already have the 
capability to launch cyberattacks against our electric and gas 
infrastructure. The COVID-19 pandemic has created a unique 
opportunity for cyber criminals to attack our networks, 
including critical energy infrastructure. The Department of 
Justice (DOJ) recently issued a press release announcing the 
indictment of two individuals backed by the Chinese Ministry of 
State Security. DOJ noted these two individuals not only 
targeted portions of our energy sector, including DOE's Hanford 
site, but also entities conducting research on a Coronavirus 
vaccine. We cannot allow hostile foreign nations to disrupt our 
way of life.
    Energy is the lifeline for all critical infrastructure 
sectors, and protecting our critical infrastructure is the 
first step in ensuring its continuity. Unfortunately, we have 
already seen the real-world ramifications of cyberattacks on 
the energy infrastructure, and this is most vividly seen in 
Russia's attacks on Ukraine. In December 2015, Russian hackers 
cut off power to nearly a quarter million people in Ukraine in 
an attempt to disrupt and intimidate. In the summer of 2017, 
Russian hackers infiltrated the industrial control system of a 
Saudi Arabian petrochemical plant and disabled the plant's 
safety systems. More recently, an advanced Russian government-
backed hacking group is alleged to have probed a U.S. energy 
entity's network, according to a release the DOE issued in 
January. We all know the stakes here. A successful hack could 
shut down power impacting hospitals, banks, gas pumps, military 
installations and cell phone service. The consequences would be 
widespread and devastating and only more so if we are in the 
midst of a global pandemic.
    The Federal Government and industry focus on cybersecurity 
is a major reason why the United States has not experienced an 
attack like Ukraine's. Protection of our critical assets is a 
shared responsibility demanding that federal, state and private 
sector partners work together to improve cyber defenses and 
coordinate responses to cyberattacks. The FAST Act of 2015 
contained provisions authored by our Committee to codify the 
Department of Energy as the sector-specific agency for the 
energy sector and to provide the Secretary with authority to 
address grid-related emergencies. We also sought to facilitate 
greater information sharing by protecting sensitive information 
from disclosure. Our American Energy Innovation Act also has 
numerous sections to enhance government industry partnerships 
in this space and establishes programs to enhance the cyber 
posture of smaller utilities. Most recently, I introduced a new 
bill, the Energy Infrastructure Protection Act, to update 
provisions in the Federal Power Act and restrict federal 
disclosures of certain sensitive energy information. I know 
that there are a few who may disagree with that approach, but 
the alternative, disclosing and displaying our vulnerabilities 
for our enemies, will hardly make us any safer.
    I am pleased to welcome a distinguished panel of witnesses 
who are truly at the front lines of the effort to protect our 
energy infrastructure from cyber threats. I thank you again for 
being with us this morning.
    I will now turn to my colleague and Ranking Member, Senator 
Manchin, for his opening remarks.

              STATEMENT OF HON. JOE MANCHIN III, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Manchin. Thank you, Chair Murkowski, for convening 
this hearing today, and thank you to our witnesses for making 
yourselves available to join us and discuss efforts to improve 
the cybersecurity of the electric sector. As a Ranking Member 
of both this Committee and the Senate Armed Services 
Cybersecurity Committee, I am intensely focused on the security 
of our energy infrastructure. We just had a meeting yesterday 
on that, and it was quite enlightening. And the importance of 
our discussion today against the backdrop of a global pandemic 
is not lost on any of us, I believe, in this room.
    The COVID-19 crisis has made our nation, the world, acutely 
aware of the consequences of being underprepared for a 
catastrophic event. The pandemic has forced the energy industry 
to adapt to new challenges and vulnerabilities with more 
employees working remotely. There are certainly lessons to be 
learned from this moment in history about the need to invest in 
protections to avoid, to mitigate and respond to events that 
challenge our grid's resilience and thereby our national 
resilience. You all know well that threats to critical 
infrastructure are serious and increasing daily. In recent 
months, federal officials have warned of rising cybersecurity 
threats from China, and recent reports indicate Russia has 
shown renewed interest in targeting the U.S. power grid. Then 
last month, a national security agency and the Cybersecurity 
and Infrastructure Security Agency (CISA) issued an alert 
urging critical infrastructure operators to take immediate 
action to secure their operation technology assets. Legacy grid 
systems are/were not designed to defend themselves against 
modern cyberattacks, and as they grow more and more connected 
to the internet, our electric systems grow more and more 
vulnerable. On top of that, IBM recently issued a report that 
showed that the energy sector suffers particularly high costs 
from state-sponsored cyber threats. Compared with the previous 
year, the costs of cyber breaches are up 14 percent because of 
the increased number of attacks targeting power grid 
infrastructure and the magnitude of the damage caused.
    There is a lot of work being done across the sector to 
address these cybersecurity challenges. I would like to 
highlight the good work of my colleague, Senator King, who 
recently co-chaired the Cyberspace Solarium Commission. This 
Commission issued a report this spring identifying a number of 
recommendations to reduce the probability and impact of 
cyberattacks of critical infrastructure which he presented to 
the Senate Armed Services Committee yesterday, and it was truly 
quite enlightening. Although the report is broad in scope, many 
of the Commission's recommendations affect the electric 
industry, and I look forward to hearing about the impact to the 
electric sector today.
    A few months ago the President issued an Executive Order 
directing the Department of Energy to identify foreign-made 
grid components that pose an unacceptable security risk to the 
U.S. power grid. While I support this action, I was concerned 
that vendors and manufacturers of the grid equipment the order 
targets were not being adequately consulted. Senator Risch and 
I sent a letter to the DOE about these concerns and are eager 
to see DOE utilizing the valuable knowledge and experience of 
manufacturers as they implement this Executive Order. Having 
both DOE and industry representatives here today, I look 
forward to hearing how these engagements are going. There are 
certainly opportunities for Congress to facilitate action in 
this space as well, and I am proud that the American Energy 
Innovation Act included several pieces of legislation that 
support investments in programs that are of vital importance to 
securing and protecting our critical energy infrastructure. The 
bill would strengthen public-private partnerships like those I 
know our witnesses will discuss today and included my and 
Senator Murkowski's PROTECT Act which would establish 
incentives for electric utilities to invest in advanced 
cybersecurity technologies.
    I am still committed to passing this comprehensive 
bipartisan energy package so that these important programs can 
be put into action. We have lots to do to protect and secure 
our electric grid. I look forward to hearing from our agency 
and industry witnesses today and what efforts are working and 
what work still remains to be done.
    Thank you, Madam Chairman.
    The Chairman. Thank you, Senator Manchin, and you mentioned 
the work of Senator King on the Cyberspace Solarium Commission. 
Senator King, as a member of the Committee, has asked for a 
brief moment here to introduce just that and, as you have 
mentioned, he has had an opportunity before the Senate Armed 
Services. It is important to acknowledge that work.
    Senator King, if you would like to make any brief comment 
about that before we turn to our distinguished panel, you are 
certainly welcome to proceed.

             STATEMENT OF HON. ANGUS S. KING, JR., 
                    U.S. SENATOR FROM MAINE

    Senator King. Absolutely. Thank you, Madam Chair. You 
outline very eloquently the danger, so I don't really have to 
spend a lot of time on that. Everybody in this hearing knows 
the level of risk that we have before us.
    Just let me tell you a bit about the Solarium. It was 
created in the 2019 National Defense Authorization Act (NDAA). 
It was a national commission whose mission was to establish a 
comprehensive strategy to defend this country in cyberspace. 
The structure of the Commission was somewhat unique. It had 14 
members including 4 sitting Members of Congress: myself; 
Senator Ben Sasse; Congressman Mike Gallagher, a Republican 
from Wisconsin; and Jim Langevin, who is a Democratic member of 
the House and a member of the Armed Services Committee from 
Rhode Island. We also had four members from the Executive 
Branch and six members from the private sector. One of the most 
valuable members of the entire Commission was Tom Fanning, who 
is the CEO of the Southern Company, which I think is the second 
largest electrical utility in the country. We had over 30 
meetings. We had about 90 percent attendance at all of our 
meetings, and we talked about a whole range of cyber issues.
    Our report really boils down to three simple points. One is 
reorganization. Reorganizing and organizing our government to 
be responsive to this problem and not operate in silos. 
Secondly is resilience. How to strengthen our resistance to 
cyberattacks and how to build up our defenses, if you will. And 
the third is response. How do we develop a deterrent doctrine 
so that our adversaries have to feel that they will pay a price 
for attacking this country, even if it is below the level of 
the threshold of the use of force?
    Energy, of course, is a major target. One of the 
challenging parts of this problem, which you and Ranking Member 
Manchin mentioned, is that this really has to be a partnership 
between the Federal Government and the private sector. Eighty-
five percent of the target space in cyberspace is in the 
private sector, a lot of that is the energy sector. And if 
there is one thing we learned from the pandemic, it is that the 
unthinkable can happen and a significant cyberattack is not 
unthinkable. We know that it is being planned, and we know that 
it is happening today. I spoke recently to a utility executive 
who told me that his system is attacked three million times a 
day, now, today. So this is not an abstract issue. This is 
something that we have to address, and the Commission made a 
number of legislative recommendations, more than two dozen of 
which we hope will be included in the final National Defense 
Act that is now headed to conference. I want to thank the 
Committee and the Chair and the Ranking Member for their 
cooperation on assisting us in getting those provisions into 
the National Defense Authorization Act. There will be others 
that we will be discussing over the next few months in this 
Committee.
    But I want to thank you for having this hearing. It is 
incredibly important. This is one of our prime issues, and I 
look forward to the testimony of our witnesses. Again, thank 
you for your work on this and if we work together, we can 
defend this country.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator King. Thank you for that 
brief summation and to those of you, including Senator Sasse, 
who were part of that very, very important Commission.
    Let's turn to our panel this morning.
    We have one of our witnesses that has joined us in person. 
We thank you for that. Mr. Alexander Gates, who is the Senior 
Advisor at the Office of Policy for Cybersecurity, Energy 
Security, and Emergency Response. It is a long name. We call it 
CESER there at the U.S. Department of Energy. We welcome you to 
the Committee, Mr. Gates.
    With us virtually today are Mr. Joseph McClelland, who is 
the Director of the Office of Energy Infrastructure Security at 
the Federal Energy Regulatory Commission. We welcome you, Mr. 
McClelland.
    Mr. Steve Conner is the President and CEO for Siemens 
Energy, and we thank you for being part of this panel this 
morning, Mr. Conner.
    Mr. Thomas O'Brien is the Senior Vice President and Chief 
Information Officer at PJM Interconnection. We appreciate that 
you have joined us as well and look forward to your input to 
today's discussion.
    With that, we will go in the order that I have introduced 
you. We will begin here in the Committee room with Mr. Gates. 
We would ask you all to try to keep your comments to about five 
minutes. Your full statements will be included as part of the 
record, and then we will have an opportunity for questions from 
those of us present and those of us online.
    Mr. Gates, welcome, and again, thank you for your 
leadership there at the Department of Energy. Please proceed.

STATEMENT OF ALEXANDER GATES, SENIOR ADVISOR, OFFICE OF POLICY 
  FOR CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE, 
                   U.S. DEPARTMENT OF ENERGY

    Mr. Gates. Thank you, ma'am.
    Chairman Murkowski, Ranking Member Manchin and members of 
the Committee, thank you for the opportunity to appear before 
you to discuss the Department of Energy's important work to 
protect the energy infrastructure from cyber threats. A 
reliable, resilient and secure energy infrastructure is 
critical to U.S. economic competitiveness, national security 
and, to put it frankly, our way of life. As an organization 
responsible for safeguarding the nation's nuclear stockpile and 
as a member of the intelligence community, the Department of 
Energy is keenly aware of threats to our national security. 
Today that includes cyber threats to the energy sector. In the 
2019 and 2020 worldwide threat assessment, the Director of 
National Intelligence stated, ``Our adversaries and strategic 
competitors will increasingly use cyber capabilities to seek 
political, economic and military advantage over the United 
States and its allies and partners. China, Russia, Iran, North 
Korea increasingly use cyber operations to threaten both minds 
and machines in an expanding number of ways, to steal 
information, to influence our citizens and to disrupt critical 
infrastructure.''
    Within the Department, CESER and the Office of Electricity 
form a nucleus that provides products and services that improve 
the energy sector's cybersecurity and resilience. Whether it's 
electricity, oil, natural gas or renewables, CESER endeavors to 
increase the security of the United States' energy 
infrastructure against all hazards through the following 
priorities: improving emergency response and recovery, 
expanding cyber discovery activities, creating high fidelity 
situational awareness, providing more focused research and 
development, further solidifying our partnerships and 
increasing workforce development efforts. The Office of 
Electricity, on the other hand, is focused on long-term 
research and development to build a secure and resilient power 
grid. The Office has four strategic priorities: building 
advanced modeling capabilities, innovating in the field of 
megawatt scale grid storage, improving grid operations and 
performance through advanced sensing technology and securing 
defense critical electric infrastructure.
    Some key DOE initiatives that come out of those groups of 
priorities include the Cyber Risk Information Sharing Program, 
or CRISP, which is a public-private data sharing and analytic 
platform that facilitates the timely, bidirectional sharing of 
threat information amongst energy sector stakeholders. The 
North American Energy Resilience Model (NAERM), which is a 
modeling capability that analyzes risk and threats to the grid 
and other interdependent infrastructures, provides operational 
situational awareness. The Cybersecurity Testing of the 
Resilience of Industrial Control Systems, or CyTRICS, tests 
critical components to identify and mitigate embedded cyber 
vulnerabilities in industrial control systems within the energy 
sector. And, of course, Executive Order (EO) 13920, Securing 
the United States Bulk Power System. In response to the growing 
threat, the EO authorizes the Secretary of Energy, working with 
other federal departments and agencies and the private sector, 
to quickly and proactively protect the bulk power system.
    Cybersecurity in the energy sector is a complex endeavor 
that will require more authorities, laws, and in some respects, 
an extreme level of collaboration to achieve. As a sector-
specific agency, the Department of Energy relies on strong 
collaboration with FERC, NERC, and CISA, in order to make 
progress. Utility owners, coordinating councils, and trade 
groups are all very effective partners in this fight. 
Collectively these entities form the fabric of a public-private 
partnership that every day serves to protect the nation's energy 
infrastructure. Despite all the progress made to date, the 
cyber threats to the sector are real and outpacing our 
collective solutions. Still, more action is needed to make the 
energy sector more resilient and cybersecure.
    Thank you for this opportunity to appear before your 
Committee. I look forward to working with you to address the 
nation's cyber and physical security challenges to the energy 
sector.
    [The prepared statement of Mr. Gates follows:]
    The Chairman. Mr. Gates, thank you very much for that 
testimony.
    We will now go online to Mr. McClelland, with the Federal 
Energy Regulatory Commission. Welcome.

  STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ENERGY 
 INFRASTRUCTURE SECURITY, FEDERAL ENERGY REGULATORY COMMISSION

    Mr. McClelland. Thank you, Chairman Murkowski, Ranking 
Member Manchin and members of the Committee. Thank you for the 
privilege to appear before you today to discuss potential 
threats to the bulk power system in the United States. My name 
is Joe McClelland, and I am the Director of the Office of 
Energy Infrastructure Security at the Federal Energy Regulatory 
Commission. I come before you as a Commission staff witness, 
but I should note that my remarks do not necessarily represent 
the views of the Commission or any individual Commissioner.
    In the Energy Policy Act of 2005, or EPACT 2005, 
specifically Section 215 of the Federal Power Act, Congress 
entrusted the Commission to approve and enforce mandatory 
reliability standards for the nation's bulk power system. 
Section 215 requires the Commission to certify an electric 
reliability organization, or ERO, that is responsible for 
proposing, for Commission review and approval, reliability 
standards or modifications to existing reliability standards 
that help protect and improve the reliability of the nation's bulk 
power system. The Commission certified the North American 
Electric Reliability Organization or North American Electric 
Reliability Corporation, or NERC, as the ERO. Section 215 of 
the Federal Power Act provides stakeholder input in the ERO's 
development of reliability standards for a bulk power system. 
This process works relatively well to develop standards to 
address traditional operations and planning related reliability 
events that may cause grid failures or blackouts such as from 
improper vegetation management or failures associated with the 
operation of protective equipment.
    The nature of national security threats by adversaries 
intent on attacking our nation's electric grid significantly 
differs from the reliability vulnerabilities that have caused 
regional blackouts and reliability failures that we have faced 
in the past. Widespread disruption of electric service can 
quickly undermine the U.S. Government, its military and the 
economy, as well as endanger the health and safety of millions 
of our citizens. To help mitigate these advanced, persistent 
and rapidly evolving threats, the Commission uses a two-pronged 
approach regarding grid reliability, employing mandatory 
reliability standards to establish a foundation of practices 
while also working collaboratively with the industry, with 
states and other federal agencies to identify and promote best 
practices.
    While NERC reliability standards are the foundation of the 
Commission's work to address cybersecurity, there are 
additional measures that can and should be taken to further 
improve industry's cybersecurity posture in light of these 
rapidly evolving threats. That is why the Commission 
established our office, or OEIS. OEIS partners with industry, 
states and federal agencies to develop and promote best 
practices for critical infrastructure security. Working with 
these organizations, OEIS helps identify new and emerging 
threats, inform the private sector of them and then assist with 
mitigating action. One example of OEIS' work is that we conduct 
voluntary architectural assessments of utility computer 
networks, reviewing everything from the configuration of legacy 
equipment to the application of state-of-the-art protection 
systems. Another example is OEIS works with the Office of the 
Director of National Intelligence and the Department of Energy, 
specifically CESER, to conduct briefings and exchange 
information with state and industry officials about the current 
threats industry is facing and what can be done to address 
them. More broadly, OEIS works with the NERC Electricity 
Information Sharing and Analysis Center (E-ISAC) to rapidly 
issue bulletins and alerts informing industry of specific 
vulnerabilities and threats as well as best practices that can 
defend against them. And as a final example, OEIS assists with 
the planning and execution of tabletop exercises and 
participates in joint security programs with other government 
agencies. In fact, just last week, OEIS assisted the National 
Guard units and participating utilities in the New England 
states to conduct Cyber Yankee, a simulated cyberattack on 
utility networks. Exercises such as this are critical to 
maintaining readiness and ensuring our ability to respond to 
cybersecurity events.
    In conclusion, cybersecurity threats pose a serious risk to 
the bulk power system and its supporting infrastructures that 
serve our nation. These are complex, persistent and fast-
evolving issues. Therefore, the Commission has adopted this 
two-pronged approach to best address the important security 
matters. Thank you again for the opportunity to testify today, 
and I look forward to your questions.
    [The prepared statement of Mr. McClelland follows:]
    The Chairman. Mr. McClelland, thank you for that. We 
appreciate it.
    Let's next go to Mr. Conner from Siemens Energy. Mr. 
Conner, welcome.

           STATEMENT OF STEVEN C. CONNER, PRESIDENT, 
                      SIEMENS ENERGY, INC.

    Mr. Conner. Thank you, Chairwoman Murkowski, Ranking Member 
Manchin and members of the Committee, thank you for the 
opportunity to testify today. My name is Steve Conner. I'm the 
President of Siemens Energy, Inc., which is the U.S. regional 
entity of Siemens Energy. We have more than 11,000 employees in 
the U.S. supporting the country's grid operations at 21 power 
equipment and manufacturing service and innovation sites. Our 
headquarters is located in Orlando, Florida. The United States 
is our company's largest market worldwide, and Siemens Energy 
equipment provides secure, resilient technologies that support 
one-third of America's total daily energy needs. We have been 
working with our customers on solutions for the evolving 
demands of industry and society for more than 150 years. We 
have been a partner to the United States Government, America's 
energy producers and its energy providers for decades. We have 
a deep understanding of the safest and most resilient 
infrastructure technologies and processes necessary to secure 
one of our most essential national assets, America's power 
grid.
    Industrial cybersecurity is at the core of our Siemens 
Energy business. Our products and solutions have industrial 
security functions that are built in by design and turned on by 
default. They support the secure operation of plants, systems 
and machines and networks of our customers. We use this 
experience and expertise to establish partnerships that advance 
cybersecurity efforts. I would like to share with you some 
examples of those collaborations with both the public and 
private sectors.
    In 2018, we created the Charter of Trust which is now a 
leading global initiative of companies and organizations 
focused on securing critical infrastructure. We're a founding 
member of the Energy Cybersecurity Alliance, a partnership of 
energy companies, manufacturers and service providers. We have 
a dedicated team of seasoned security experts which we call our 
ProductCERT team that manages the receipt, investigation, 
internal coordination and public reporting of security issues 
related to Siemens products, solutions and services. Any 
vulnerabilities discovered are shared with our governmental 
partners. And just last week, the New York Power Authority 
(NYPA) and Siemens Energy announced a new collaboration to 
develop an industrial Cybersecurity Center of Excellence. It 
will bring the public and private sectors together to develop 
innovative cybersecurity best practices that will serve as a 
model for deployment at other utilities. This first of its kind 
Industrial Cybersecurity Monitoring Research and Innovation 
Center will focus on detecting and defending against 
cyberattacks on critical infrastructure owned and operated by 
NYPA, the largest state-owned electric utility in the nation. 
Successful solutions have potential to be deployed and 
commercialized at other public and private organizations that 
operate critical infrastructure across the U.S.
    Supply chain security is just as important as 
cybersecurity. By ensuring the security of our supply chain, we 
enhance the reliability, security and resilience of America's 
energy infrastructure. This depends on close collaboration and 
involvement with our customers, partners, suppliers and 
governments around the world to secure our supply chain. 
Some examples of our supply chain security policies and best 
practices include a supply chain management standard that 
performs regular supplier audits to address technical, 
commercial and cybersecurity risks and opportunities. We 
manage, track and control access to confidential data, chronic 
development and source code, both physically and virtually. We 
don't share any overall product development information with 
the suppliers. And utilizing select components from qualified 
suppliers only, which includes testing their hardware, software 
and security, only then including them in an approved 
components database. And lastly, we perform civil, criminal and 
governmental-sanctioned background checks as necessary.
    As you can see, Siemens Energy takes its responsibility to 
secure our country's critical energy infrastructure by 
collaborating with the public and private sector very 
seriously. We are constantly looking for additional ways to 
engage the public sector, including supporting vendor-driven 
forums that would improve industry involvement and promote 
wider discussion on the vulnerabilities and supply chain risks.
    Thank you again for inviting me to testify, and I, along 
with the 11,000+ U.S. employees of Siemens Energy, look forward 
to the continued collaboration necessary to ``keep the lights 
on'' in the U.S. energy infrastructure.
    [The prepared statement of Mr. Conner follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairman. Thank you, Mr. Conner. We appreciate your 
time before the Committee this morning.
    Finally, let's go to Mr. O'Brien with PJM Interconnection.

 STATEMENT OF THOMAS O'BRIEN, SENIOR VICE PRESIDENT AND CHIEF 
        INFORMATION OFFICER, PJM INTERCONNECTION, L.L.C.

    Mr. O'Brien. Chairman Murkowski, Ranking Member Manchin and 
Committee members, thank you for the opportunity to speak to 
you today on this critical topic. I appreciate the opportunity 
to represent PJM. I also appreciated the opening comments from 
the Chairwoman and some of the things that she covered 
specifically around the Energy Information Protection Act which 
is something that's very important to us at PJM and the 
industry.
    I'd like to thank my fellow panelists for their insights 
and contributions. I've worked with some of them in the past, 
and I really appreciate everything that you do.
    My written testimony covered a broad range of topics, 
including PJM's current approach to managing cybersecurity, 
partnership and collaboration, cybersecurity supply chain 
considerations, workforce and training and longer-term 
considerations. In my brief remarks, I will build off of some 
of the key points from my fellow panelists and leave you with 
three things for consideration and let the written testimony 
speak for itself.
    First, and this was highlighted by everybody, is 
collaboration and partnership is essential between and amongst 
government, industry and our service providers. It is essential 
and no one can do it by themselves. I'd like to share a couple 
of examples. DOE and DHS lead the charge on both classified and 
non-classified briefings, and this is critical to industry for 
managing priority and risk management. The Electric ISAC, which 
is part of NERC, is the hub of information sharing for the 
electric industry. They continue to evolve their information 
sharing programs and the industry relies on that significantly. 
The E-ISAC coordinates the cyber risk information sharing 
program which is just one way to get intelligence on what the 
adversaries are doing. DHS has a program for sharing threat 
indicators with industry and something that we use at PJM.
    I'd like to echo some of what Joe McClelland said. We work 
with FERC on things like risk management, best practices, and 
we appreciate their support. And again, I would emphasize the 
importance of protecting critical information, which again, was 
highlighted in the opening by Chairwoman Murkowski.
    Now let's talk about compliance for a second. Just because 
the electric industry is on the forefront of compliance, NERC 
sets standards but they don't do it blindly. They do it with 
industry engagement, and regional entities lead the audit 
process which essentially drives transparency and allows for 
consistency. I also wanted to speak to just one example that 
PJM is involved with around fuel security. We're looking at a 
phase three fuel security study at the moment. It's looking at 
major interstate pipelines, modeling, both physical and cyber 
scenarios and we've had great support from DOE, from FERC, and 
we'd like to thank them for that.
    The second takeaway that I'd like to leave with you is that 
risk management must be informed by clear understanding and 
appreciation of the adversary is informed by threat 
intelligence, likelihood on impact and requires adequate 
investments. On October 1st of 2020, the NERC cybersecurity 
supply chain management standard will go into effect. That's an 
excellent starting point for advancing controls to mitigate 
risks and associated threats, and I'm sure that will continue 
to evolve. Previously mentioned, we're looking at the impact of 
the Executive Order and that has potential sweeping and broad 
implications for the procurement of electrical equipment as 
well as legacy equipment. And while ISOs and RTOs do not own 
the assets, the order will have significant operational 
planning and marketing impacts. Consistent with the feedback 
from Bruce Walker from DOE, we agree that it should be a 
surgical approach.
    The final point that I'd like to leave you with is that 
metrics and key performance indicators are critically important 
to security operations. You can't improve what you don't 
measure, and you need to establish key targets so you can see 
how your progress is going. That will allow you to focus on 
transparency and continued recruitment.
    I'd like to thank you for the opportunity to appear before 
this Committee. I look forward to your questions, and I 
appreciate the opportunity to leave you with my three 
takeaways: collaboration and partnership between government, 
industry and our service providers is essential and no one can 
do this alone; risk management must be informed by clear 
understanding, appreciation of the adversary; and finally, 
metrics and KPIs are necessary for a clear security operating 
picture. Thank you for this opportunity.
    [The prepared statement of Mr. O'Brien follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    The Chairman. Thank you, Mr. O'Brien, and we thank each of 
the panelists that have appeared before us this morning.
    Mr. Gates, I want to start with you in terms of my 
questions. I think everyone on the panel this morning has 
mentioned the need and the necessity for collaboration and 
partnerships, but we all know that it is one thing to say I am 
going to partner with you, I am going to collaborate with you, 
but you have to trust one another. And sometimes when we are 
operating in a world of cybersecurity, you are not quite sure 
who to trust.
    So, as several have mentioned, the Executive Order on the 
bulk power system is going to require enhanced information 
sharing between the government and the entire energy sector, 
including our utilities, our vendors and our manufacturers. If 
you can speak to how, within DOE, we can improve the protection 
of sensitive data that it receives from the industry and then 
also, how can DOE improve its trust of the private sector when 
sharing sensitive government information? I know, oftentimes, 
what we will hear is the industry is required to give the 
information, but they don't feel like they have been fully read 
into the situations. And so, again, collaboration and 
partnership are key and important, but that is also built on 
trust. So can you speak to both sides of that, please?
    Mr. Gates. Thank you, Senator. I'll address the protection 
of the sensitive information from industry. That's always a 
challenge. Certainly, as it relates to collecting data from the 
Executive Order and the RFI that will allow us to implement the 
Executive Order, the RFI went out in July and ends in August. 
Protecting that information is, kind of, central to the 
program. The Department, when you look at information sharing, 
when you look at analysis and data gathering programs, not only 
CRISP but the CATT program that you may have heard of, the 
Cyber Analytics and Technical Techniques program. Those types 
of initiatives are central to understanding what's going on and 
then sharing information in a way that's protected. Liability 
protections for companies, for example, is part of that 
equation. The other part of that equation is the Department and 
the government protecting less than classified but very 
sensitive information. So we are designing systems and programs 
that the Department of Energy protects secrets and sensitive 
information in a number of endeavors from our science and 
research initiatives with the national labs to our nuclear 
stockpile and weapons protection programs, and cybersecurity is 
another aspect of that.
    As it relates to the sector trusting us, that's a tough 
one, but if you just look at what's happened in the last four 
or five months and our response to the pandemic, the sharing 
that we've had with the different coordinating councils, the 
use of the ISAC to share information, we think the trust in the 
sector is growing, that the Government is actually figuring out 
how to take even classified information through a process, 
sanitize it in a way that it can quickly be distributed through 
either CISA or the E-ISAC but out to the sector in timely 
enough fashion that it actually makes a difference. We haven't 
totally solved the problem, ma'am.
    The Chairman. Right.
    Mr. Gates. It's a work in progress, but we think the trust 
issue, the trust equation is improving in favor of both the 
Government and the sector.
    The Chairman. Well, and I think we recognize that it has to 
in order for this all to work.
    Let me ask you one more question. Hopefully this one is 
relatively brief. Many of us on this Committee have electric 
co-ops and municipal utilities that have benefited from the DOE 
initiative that is focused on improving the cyber and physical 
security posture of the electric sector. In Alaska, we are 
primarily served by our rural electric co-ops and our municipal 
utilities. Last year, Congress agreed to appropriations report 
language that encouraged CESER to continue this initiative. Our 
energy bill also includes language that encourages these types 
of public-private partnerships. We also established a grant 
program to improve the cyber posture of our smaller utilities. 
Can you give us any update on the status of this initiative? 
Has any funding been released in this regard?
    Mr. Gates. Ma'am, I'll get the exact details of the status 
of the program to you after this session. But we are working 
very hard to make sure that money flows to the sector and even 
outside of that program, the small utilities are, they're a 
soft, in some respects, a soft underbelly of the grid and we 
take great pride in, you know, certain research and development 
programs, like the Essence program that we think are going to 
be valuable in providing those entities the same level of 
protection as some of the larger utilities. So I'll get the 
detailed answers to you.
    The Chairman. Well I appreciate that and, again, that is 
something that, I think, we recognize there is a vulnerability. 
They may be small, but once you work your way in, you can do a 
lot of damage there and recognizing the cost then to these 
small, rural electric co-ops and our municipal utilities, this 
is something that we have been focused on.
    Let me turn to Senator Manchin.
    Senator Manchin. Thank you, Madam Chairman.
    First of all, to Mr. McClelland. As you are aware, Senator 
Murkowski and I introduced the PROTECT Act last year. The bill 
would establish incentives for electric utilities to invest in 
advanced cybersecurity technology. FERC's recent staff white 
paper exploring cybersecurity incentives considers several 
options that could work to achieve some of the objectives laid 
out in our bill. What are the next steps for FERC in 
considering cybersecurity incentive options, and can you share 
what some of the public comments have been in the docket?
    Mr. McClelland. I think I found the unmute button. Thank 
you, Senator, for the question and also I just want to thank 
you for your work on the bill and your continued support and 
interest in cybersecurity. The, as you're aware, the white 
paper was a FERC staff white paper. It went out on June 18th as 
a 60-day comment period. And the white paper proposes two 
mechanisms of incentives. One is to exceed the current 
obligation within the CIP, the NERC, Critical Infrastructure 
Protection, or CIP, reliability standards, that would be, say, 
for instance, if an entity went from a low designation to a 
medium or a high designation.
    The other is to follow the NIST framework. The NIST 
framework was established by Executive Order in February 2013 
and its purpose was to create a set of best standards that all 
critical infrastructure sectors could share, all 16 sectors 
could share. So the industry collaborated with government to 
produce that NIST framework. It was revised, subsequently it 
was revised twice. So it was produced in 2014 and revised in 
2018. So the white paper proposes either or both of those 
alternatives. We're awaiting comment. I don't have the status 
of what the current comments are to that proceeding, but we'd 
be happy to follow up with you.
    Next steps would be to consider those comments and then use 
that within the Commission as a mechanism to better understand 
how, where industry would like, where the most effective place 
to apply the cyber incentives might be.
    Senator Manchin. Thank you, sir.
    I only have a few minutes here, so I want to go through 
some things very quickly, if I can.
    Mr. Conner, we have talked about deterrents. How do we 
deter other nations from hitting us, especially in our grid 
system which would be very vulnerable and very harmful to our 
country? I guess, retaliation. How do you believe the 
retaliation--what we should do when we know these perpetrators 
are continually trying to do all the damage they can--what type 
of deterrents do you think that we, as the United States 
Government, should take against these perpetrators? Should we 
hit back? Should we hit back at their critical infrastructure 
or just give them a warning or what is the recommendation?
    Mr. Conner. Well, I think, as was mentioned earlier, we 
can't have, we can't have something that really has no meaning, 
but you know, it's true from our standpoint that, you know, the 
technology that's out there, we have to continue to fight this. 
This is not a matter of a ``nice to have,'' it's--or a ``needs 
to have.'' This is a ``needs to have'' and it changes daily. So 
as far as deterrents, you know, we don't really look at that 
from Siemens Energy Inc.'s viewpoint, but I do--but I believe 
there is something that we have to do to make it crucial for 
people who want to come in and attack our grid system.
    Senator Manchin. Yes. I would like to get some of you all's 
input to try to make sure that we are not out of sync with the 
rules of engagement, if you will, but we have used retaliation 
from our nuclear response to let them know that we would hit 
and hit hard. I think in order to stop this type of attack, we 
have to make sure that they understand that we will use every 
means that we have to come back at these countries who are 
going at us, to hinder us, really, and harm us. I would love to 
hear from you all in the industry, if you will.
    Mr. Gates, if I can follow up real quick? Presidential 
Policy Directive 21 designated responsibilities to different, 
to various federal agencies, departments and agencies, to serve 
as sector-specific agencies and support the private sector in 
managing the risk and respective critical infrastructure 
sectors. This recommendation was incorporated into the House 
version of NDAA and will likely come up in conference. I 
support these discussions and hopefully they acknowledge and 
preserve the important role that DOE plays in protecting the 
electric grid.
    Mr. Gates, do you agree that DOE provides specific 
capabilities and expertise as a sector-specific agency (SSA)? 
Is there additional clarification that DOE needs to fulfill its 
responsibility in this regard, and how do you all interact with 
the sector-specific agencies to ensure their coordination, but 
not duplication?
    Mr. Gates. Thank you for the question, Senator Manchin.
    I think in many respects the Department of Energy is a 
unique SSA. Not only does the sector know us, but we know the 
sector and, in many respects, we're part of the sector. As you 
know, we're, we manage PMAs. We manage the SPRO. We're, in some 
respects, an operator and those kinds of requirements are 
important to us understanding what's going on, sharing 
information with our partners. So I think that unique aspect of 
DOE is important. It gives us credibility in the sector, and I 
think it allows us to go at the cyber problem and other 
problems really aggressively because, you know, you add our----
    Senator Manchin. Yes.
    Mr. Gates. ----our national lab complex and just the talent 
and expertise we can bring to the problem. We think it's 
important for us to serve a strong SSA role.
    Senator Manchin. Thank you.
    Thank you, Madam Chairman.
    The Chairman. Thank you, Senator Manchin.
    We will next go to Senator Cassidy, who is with us online.
    Senator Cassidy. Hello, gentlemen. Thank you, Madam Chair.
    Mr. Gates, last year we heard that one of the problems of 
information sharing was getting security clearances for 
partners in the private sector. Can you give us an update? Have 
we been able to better gain those security clearances, which is 
to say, better able to share this information?
    Mr. Gates. Senator, I do not have an answer, a specific 
solution. Clearing, you know, the thousands of owners in a way 
that allows us to share highly sensitive information is an 
incredibly difficult challenge. We've taken the, I think the 
approach that is more historic in trying to make the 
information still useful but not sensitive, so in a way that is 
useful to the sector but doesn't threaten sources and methods. 
It's a difficult challenge. It's been a difficult challenge 
clearing just individuals who actually work in national 
security. It's one that we need to tackle, but I'll give you an 
update offline on the status of that action.
    Senator Cassidy. I would appreciate that because, again, it 
was identified as an issue a year ago and it does seem as if it 
was highlighted a year ago as, kind of, the Achilles heel. And 
so, however we can address that, that would be great. I will 
accept that it should be offline.
    Mr. Conner, as an equipment manufacturer, how do you feel 
that this information sharing has progressed because it does 
seem as if there is a threat. It seems, again, as an equipment 
manufacturer, you need to be actively involved with the nature 
of the threat.
    Mr. Conner. Yeah, as I mentioned earlier, we have a number 
of tools, you know. Collaboration, I think Mr. O'Brien talked 
about, nobody can do it alone. So we have a number of tools 
that we go out with our partners and our customers on/with, 
when we take a look at, for instance, the DOE talking with 
them. We just had a meeting end of June with Secretary 
Brouillette and talked about what we can do on the order to 
help, kind of, guide this along. But again, I think it's hey, 
the collaboration, I think is good. We can always improve 
things, and we need to continue to improve things to keep this 
moving forward.
    Senator Cassidy. Mr. Conner, I am also very interested in 
counterfeit goods and the ability of counterfeit goods to 
basically serve as a sabotage instrument, and you mentioned the 
quality control that you have in order to prevent that from 
occurring. Can I ask, does any of your supply chain go through 
China? I say that because we know that the People's Liberation 
Army has allegedly inserted chips into servers that would allow 
information to go back, chips that were only found with 
forensic engineering. So again, to what degree do your supply 
chains go through China and do we have such a risk?
    Mr. Conner. Very minimal, very minimal supply chain usage 
for us out of China. We do have facilities in China, and we do 
serve that market. That's not on Siemens Energy Inc. side, my 
side in the U.S., but that's on the larger part of Siemens 
Energy as a whole. What we actually go through, as I mentioned 
in my testimony, we actually have preapproved vendor lists and 
these vendors have to go through rigorous testing. We take a 
look at all their products and then----
    Senator Cassidy. Let me ask, because I heard your 
testimony. I have also become aware that having a network of 
vendors represents a security challenge for actually the parent 
company, if you will. If it is a vendor to the Department of 
Defense (DoD) that they can, kind of, work their way up the 
information chain into a prime contract. Similarly, since we 
are concerned about the cybersecurity of our grid, the 
cybersecurity of Siemens itself, I am sure that you have a 
number of cyberattacks as well. With this network of providers/
vendors, how does Siemens avoid cyber espionage upon what you 
are doing and on cyber sabotage?
    Mr. Conner. Well, we actually have a significant group both 
in the U.S. and globally that goes through and tests every day. 
We get attacked thousands of times a day. I think somebody 
mentioned earlier, 300 million times a day. I don't think it's 
that much, but again, ours is, we have the, our approved vendor 
list. We go through and we have, to the extent we find 
something or from a compliance standpoint somebody doesn't meet 
that requirement, we kick them off. So it's almost, it's a 
significant amount of business that they would lose. And we 
also do, as I mentioned earlier, we do background checks and 
even through governmental, even the U.S. Government on who 
we're going to utilize as vendors, et cetera, to make sure they 
meet all the requirements to avoid having any counterfeit parts 
in our systems.
    Senator Cassidy. Okay.
    Thank you, Madam Chair. I yield the floor.
    The Chairman. Thank you, Senator Cassidy.
    Senator King.
    Senator King. Thank you, Madam Chair.
    There is one subject that we have not touched on today. It 
is not really within the jurisdiction of this Committee, but I 
just mention it in this context and that is the vulnerability 
of water systems. There was a recent alleged attack by Iran on 
an Israeli water system. Fortunately it was defended against 
successfully, but we have something like 50,000 water 
companies, separate water companies, in this country and that 
is a risk that the Congress needs to address.
    Secondly, an issue that has not come up yet today is the 
gas pipeline system, and in New England about 60 percent of our 
electricity comes from natural gas and all the natural gas 
comes through the pipeline system. So at least in our region, 
and I suspect in other areas of the country, the pipeline 
system is part of the energy grid. You can protect the energy 
grid, but if the gas can't get through for some reason, the 
lights are still going to go off. My concern is TSA, in 2005, 
was given the authority to regulate the pipeline system. They 
were given the authority to issue regulations which they never 
have, and I am reminded of Lincoln's famous letter to 
McClellan, ``If you're not gonna use the army, perhaps you 
could lend it to me for a while.'' If TSA is not going to use 
this authority, perhaps we should give the authority to 
somebody who will use it because this is an enormously 
important part. They are relying entirely on voluntary self-
regulation. I just don't think that is adequate given the level 
of risk. And I know that FERC has an interest in this. This is 
something I very much want to follow up on.
    A couple more specific questions to our panelists. Mr. 
O'Brien, do you red team your system? Do you do pen testing to 
see whether you have vulnerabilities? Do you have hackers for 
hire to test the security of your system?
    Mr. O'Brien. Yes, thank you for the question, Senator King. 
We do a couple things. One is we do continuous red teaming, and 
we partner with an outside firm that's constantly probing our 
system and looking for issues. Secondly, we do what we call 
compromise assessments. We've brought in a top forensics 
company, Mandiant, to comb through our network looking for 
issues. And finally, we do internal audits, penetration testing 
and all that. So yes, we do. Thank you.
    Senator King. That is very reassuring.
    I want to ask Mr. Gates and Mr. McClelland the same 
question. I was very disturbed a year or two ago when we had a 
hearing on this subject when I asked the fellow from NERC, do 
you red team? Do you pen test? And the answer was, I don't 
think so or something to that effect. Do you, as the agencies 
that are looking after this incredibly important 
infrastructure, do you do penetration testing and red teaming 
on the networks that you are responsible for?
    Mr. Gates?
    Mr. Gates. Senator King, thank you for that question.
    In the context of the federally-owned assets, the PMAs, the 
SPRO, there is a red teaming of other, kind of, security 
measures that are taken to verify certain aspects of the 
defenses of the system and----
    Senator King. What about the private systems that are part 
of your responsibility?
    Mr. Gates. So in that respect, and that's where the ESCC, 
the ONG SCC and other forums are important where we can advise 
and consult and recommend defensive services such as red 
teaming, such as pen testing.
    Senator King. So the answer is no, you don't do this 
yourself. Is that correct?
    Mr. Gates. So we don't do it ourselves and we're not, we're 
not designed, CESER wasn't designed to provide that service.
    Senator King. But wasn't CESER designed to protect the 
grid?
    Mr. Gates. It's designed to protect the grid, yes, sir, but 
through using----
    Senator King. Isn't protecting the grid determining whether 
it is safe?
    Mr. Gates. It is, but using the authorities and the 
resources that have been allocated to do that mission which we 
believe we're operating in, we could do more, perhaps we should 
do more. I don't know if it gets to the level of pen testing or 
red teaming. There are certain people on my staff who would 
love to take that on. But again, right now, in the role with 
the responsibilities and authorities we have and the 
partnerships, it's an advisory service that we're providing at 
this point.
    Senator King. Well, if you need additional authorities, I 
hope you will take for the record a question to let us know 
what additional authorities you need. I don't see how you can 
carry out a mission of protecting the grid without testing the 
grid's vulnerability.
    Mr. McClelland, I did not get a chance to follow up, but I 
want to ask, I want you to think about the same question.
    Finally, Madam Chair, I just hope that we could follow up 
this hearing with a hearing on the natural gas pipeline system, 
because I think it is a crucial part of our energy system and I 
am very concerned that we don't have the level of standards, 
testing and examination on that system that we have on the 
grid.
    Thank you very much, Madam Chair, I appreciate it. I yield 
the floor.
    The Chairman. Thank you, Senator King, and know that I 
certainly agree in terms of our energy infrastructure as it 
relates to our pipelines.
    I don't see Senator Gardner on--I know he is popping in 
between three hearings this morning--so let's go to Senator 
Hyde-Smith.
    Senator Hyde-Smith. Thank you, Chairman Murkowski, and 
thank you, panel, for appearing today because your testimony is 
very valuable to this Committee. Your insight is very 
important, and I certainly appreciate you guys taking the time 
and being with us today.
    My question is for all of you. It is well known that our 
nation's critical infrastructure is under constant threat of 
attack from our adversaries as we have been discussing. Couple 
this with the aging and fragile nature of systems running 
critical energy delivery systems and you have a potential 
recipe for disaster with our aging infrastructure. I know a lot 
of time and resources are dedicated to implementing the best 
practices and standards to secure these assets; however, best 
practices and standards do not often stop increasingly 
sophisticated bad actors for long. In your judgment, how much 
more should we be investing in time and resources recruiting 
private or government entities that specialize in protecting 
the energy sector and counteracting these threats?
    We will start with whoever wants to go first.
    Mr. Gates. Thank you for the question, Senator Hyde-Smith.
    Investment is always a tricky and difficult question, 
particularly from the government perspective when you have, you 
know, so much private ownership of an entity. So finding the 
right balance is a challenge. I think I can say, as you've 
stated, we're not investing enough, but how much of that should 
be public or private investment is a fair question. As Senator 
King mentioned regarding the pen testing, there are other 
security services that can be provided to identify threats. I 
think what we're doing in the Department to create products 
like the NAERM, the North American Energy Resilience Model, 
DCEI, CRISP--I think those are things that are helping, but 
more can be done on the ground to help sense more, to provide 
more analysis to identify threats more quickly and mitigate 
them.
    What that investment looks like, I can't say, but I know 
it's not enough. The system is so large and expansive and you 
have such a different kind of stakeholder--stakeholders that 
can invest a lot on their own--and then you have communities 
that are on limited budgets. So it's a complicated problem that 
needs to be addressed, but it will require more investment.
    Mr. O'Brien. Yeah, Senator Hyde-Smith, this is Tom O'Brien 
and I would add to what Alexander Gates discussed is, you 
brought up a really good point that there are legacy systems 
and there's older systems that are out there and we need to 
protect our systems. And I would go back to what we talked 
about earlier around the cybersecurity framework. We know how 
sophisticated the adversaries are. We still need to be able to 
protect our assets. We need to be able to detect when a bad 
actor is getting into our systems and we need to be able to 
recover and respond when that happens. That will require 
increased investment by everybody and I think it needs to scale 
based on the risks that you have. So just as a short answer, 
that would be my feedback.
    Thank you.
    Senator Hyde-Smith. Thank you.
    Mr. McClelland. If I might add, Senator, just add one other 
perspective?
    Our office conducts individual assessments at utility 
networks. In many cases, these networks are large and complex. 
They're having tens of thousands of points. One of the 
recommendations we make, because it is so difficult, the 
challenges so sophisticated, and it's so rapid as far as its 
movement, one of the recommendations we make is that the 
utilities consider hiring outside expertise, contractors, that 
would assist during an emergency. So if their systems were 
breached, if they were having difficulty, they would bring in 
the outside contractors who have already helped preconfigure 
and arrange those networks so that they could be more 
resilient, better able to come back online and then it wouldn't 
be a matter of scrambling to try to find a contractor that 
could provide some assistance at the last minute.
    So we actually focus this more toward the private sector to 
say FERC can provide cost recovery. We can provide incentives. 
We're seeking comments about how those incentives and that cost 
recovery structure would best benefit the private sector, but 
at the same time, we are offering recommendations to address 
the issue that you raised.
    Senator Hyde-Smith. Thank you very much.
    My second question----
    Mr. Conner. Yes, Senator----
    Senator Hyde-Smith. I am sorry.
    Mr. Conner. I was just going to respond.
    Senator Hyde-Smith. Oh.
    Mr. Conner. You know, as I mentioned earlier, Senator, in 
my responses, companies of all sizes need the technology 
workforce and the resources to manage these attacks and 
critical infrastructure. Cyberattacks are not going to be going 
away and we need to defend against them and make it a priority. 
And you know, I talked about the latest collaboration that we 
have with NYPA, New York Power Authority, to put together a 
state-of-the-art cyberattack and critical infrastructure group 
there. So, you know, the intent is that as we learn things in 
industry, as the governments learn them, as the states learn 
them, that we all collaborate and then we actually can filter 
that down and share that, those solutions, amongst the other 
utilities, not only energy, but I think we had mentioned water 
earlier, Senator. So things that we can learn there as well.
    Senator Hyde-Smith. Thank you very much.
    Madam Chairman, I have a second question, if we have time 
for that? We will be brief.
    The Chairman. Go ahead.
    Senator Hyde-Smith. It is on the cybersecurity defense, 
just the collaboration. Mr. Gates, this will be to you. With 
respect to protecting our nation's critical energy 
infrastructure, please provide the Committee with your primary 
recommendations on how the Department of Energy, the 
intelligence community and the private sector can collaborate 
better to defend against these cyber threats from, obviously, 
foreign adversaries, more effectively? Just on the 
collaboration.
    Mr. Gates. Well, fortunately, we're working from a decent 
base with the CRISP program, the briefings that we provide the 
sector and our collaboration with the IC. The IC is, of course, 
the Intelligence Community, is critical. It is better to engage 
the adversary outside of our networks instead of inside. That 
shouldn't be the first point of an engagement. And so, the IC's 
role in that is critical and that's not just my bias because 
that's where I sort of grew up, but the collaboration is 
getting stronger. It needs to get better. It needs to be 
seamless, and it needs to be real time.
    The Solarium Commission proposed some things that kind of 
speak to that, but I think more can happen. Information sharing 
and, ma'am, you mentioned the trust issue earlier, when you're 
talking about the Intelligence Community, sensitive information 
and sharing it rapidly, that those are oxymorons in some 
respects. We need to do more to figure out how to get useful, 
kind of, sensitive information into the hands of network 
operators so they can make decisions and take actions. It's a 
work in progress. I will be--I would gladly provide you a list 
of recommendations on how to improve that process.
    Senator Hyde-Smith. Thank you very much.
    The Chairman. Thank you, Senator.
    Let's go to Senator Cortez Masto.
    Senator Cortez Masto. Thank you. Gentlemen, thank you so 
much for this important conversation. I want to thank the Chair 
and Ranking Member for holding this hearing.
    Let's talk a little bit about workforce. I know, Mr. Gates, 
in your testimony you highlighted one of the priorities for 
CESER is to build a superior workforce. And then Mr. O'Brien, 
in your testimony, you also highlighted that the future success 
of the electricity industry depends on the development and 
leadership of the next generation of utility employees 
including cybersecurity analysts. So let's start with both of 
you and, Mr. Gates, I will start with you. Can you speak more 
about DOE's efforts and methods to deliver on your goals of 
building a superior workforce? And then Mr. O'Brien, I would 
ask you to also talk about the importance of the need for 
building that cybersecurity workforce across both the public 
and private energy sectors. Mr. Gates.
    Mr. Gates. Thank you, Senator.
    This is a challenge for the country. Most of the estimates 
are that even, you know, at current rates we're going to be 
short of not only IT cybersecurity professionals, but it's even 
starker when we talk about industrial control systems. We 
started a number of initiatives from CyberForce, for example, 
to help with training of those who are inclined to enter this 
space as a profession. We think there's more that can be done. 
Certainly we're looking at models, similar to the Center of 
Academic Excellence that DHS and NSA run for cybersecurity and 
intelligence programs. We think there's a carve-out possible 
for those who are inclined to go into defensive industrial 
control systems. Using our national lab complex, we actually 
started this year a collaboration with one of the military 
academies to do internships to get them training with one of 
the national labs in this area and we think there's just more. 
This is something where it's not just the Department, but the 
government and the private sector will need to invest to get 
the experience, the senior and junior engineers more training, 
those who are in the business and build on ramps for those 
coming out of college or in college to enter the business so we 
can build that, not only cybersecurity workforce, but one 
that's, kind of, geared toward the energy sector.
    Senator Cortez Masto. Thank you.
    Mr. O'Brien, your thoughts on what more we can be doing?
    Mr. O'Brien. Yeah, thank you for the question and I think 
you're highlighting a really good point that the supply and 
demand on cybersecurity resources is somewhat problematic, and 
from our perspective we're looking at growing talent from the 
inside where we can and we've established things like 
rotational development programs and really teaching people the 
business, teaching people the different technologies so that 
they can fight the cybersecurity issue. I think the other thing 
that we've done, and it's yielded some pretty good results, is 
we have some great partnerships with, you know, academia. We've 
had great partnerships with DoD, DOE and really engaging our 
workforce on that. The E-ISAC has done a very nice job with 
workshops and you've really got to commit to getting your 
people to those so that they can learn.
    And then the other thing that I referenced in my testimony 
was I think we need to look at the diversity inclusion as an 
opportunity for untapped potential and that's something that 
we're doing at PJM.
    Thank you.
    Senator Cortez Masto. Thank you. I cannot stress that 
enough, and we have had hearings in other committees where the 
diversity inclusion is key to increasing that workforce and it 
is a power that has not been tapped into. So thank you for 
that.
    Mr. Gates, I want to also highlight the fact that just in 
June of this year the University of Nevada Reno, where I 
graduated from, their Cybersecurity Center and DOE's Nevada 
National Security Site announced a partnership for 
cybersecurity research and collaboration. I cannot thank you 
enough for that, but most importantly, I am excited because it 
gives the opportunity for a number of graduate and 
undergraduate students to engage in and have hands-on research, 
on research, education, training and career development. I 
think more of that needs to occur. I applaud you on taking 
advantage of that, so thank you.
    I know my time is almost up. I will submit the rest of my 
questions for the record.
    Thank you.
    The Chairman. Thank you, Senator.
    Continuing on Senator Cortez Masto's questions regarding 
the workforce, Mr. O'Brien, I know that--and we have had 
conversations here this morning about supply chain security--
you have spoken to this issue as well as Mr. Conner. But not 
only does PJM purchase from around the world, so when we think 
about supply chain there, you also hire employees, contractors 
and consultants that come from other places around the world. 
How can you be certain that you are not hiring an insider 
threat? How do you address that challenge?
    Mr. O'Brien. Well, first and foremost, that's very 
difficult because, you know, a foreign adversary that has 
intent may very well find ways to get in, but the things that 
we do is, you know, we have pretty good security background 
checks and that's both for, you know, contractors and for 
employees. The other thing that we do is, you know, and 
obviously I wouldn't get into the details, but we have an 
insider threat program where we're looking at, you know, the 
activities of what's happening inside our walls and those are 
things that are very important because if you put your head in 
the sand around the insider threat, it can be problematic. But 
I will just summarize it with good background checks, good 
interviewing, good references and making sure you have the 
solid insider threat protocol. Thank you.
    The Chairman. Thank you.
    Mr. Conner, do you want to add anything to that?
    Mr. Conner. Yes, thank you for the question.
    No, I think we actually make sure we do the background 
checks here as well and we also, because this is relatively 
new, you know, have actually been setting up programs with 
universities to try to run a curriculum to how do we get the 
training there. So more homegrown, we don't like to bring in 
people from the outside to be doing some of this work for us. 
So I think if you take a look at the programs we've put in, 
along with the universities for the training, it's gone a long 
way for us.
    The Chairman. I appreciate that.
    Let me go to you, Mr. McClelland, and this is with regards 
to how we protect sensitive data. On an annual basis FERC 
requires our electric utilities to submit detailed data on 
their power grid operations. Form 715 requires utilities to 
submit maps and diagrams of the grid as well as actual grid 
data in electronic format. We acknowledge, FERC acknowledges, 
that this data is critical energy infrastructure information 
and treats it as such. The first question here though goes to 
FERC's policy of releasing the data to the public on the basis 
of the public's right to know. I think we are all in favor of 
levels of transparency, certainly. In general, the public does 
have a right to know, but when it comes to schematics of 
critical energy infrastructure information, it seems reasonable 
to me to be, perhaps, a little more circumspect here. Should 
FERC consider changing its policy regarding the release of this 
critical energy infrastructure information to a need to know 
basis?
    Mr. McClelland. Thank you, Chairman, I appreciate the 
question.
    FERC has to balance or must balance the right to know with 
the sensitivity of the information. The CEII program that we 
conduct provides necessary but limited release of that 
information. In addition, all requesters are required to submit 
in writing their need for, to attest to and demonstrate their 
need for this information. FERC then verifies that request. It 
can do so with business references and online tools and after 
verification, FERC does require the execution of a non-
disclosure agreement. That non-disclosure agreement carries 
with it sanctions if that non-disclosure agreement is violated 
and those sanctions can include a loss of access to CEII as 
well as criminal prosecution.
    To date, FERC is not aware of any individual that's 
violated, intentionally violated, that non-disclosure 
agreement.
    The Chairman. So Mr. McClelland, how does FERC audit how 
members of the public use that CEII information that they have 
received? Is there a follow-on? You mentioned the non-
disclosure, they then receive the information. What then 
happens next in terms of just ensuring that there has been that 
level of compliance?
    Mr. McClelland. Well, FERC doesn't actively monitor those 
that sign non-disclosure agreements and receive the 
information, but FERC, however, has investigated allegations 
that non-disclosure agreements have been violated and followed 
up appropriately.
    The Chairman. So is it your view that perhaps FERC should 
look to strengthening the provisions in the non-disclosure 
agreements?
    Mr. McClelland. Well, to date, the non-disclosure agreement 
process has worked for FERC. As I said, we're not aware of any 
intentional violations of that non-disclosure agreement for 
those that have received CEII information.
    The Chairman. Okay.
    Let me ask, I know Senator Manchin had asked about the 
white paper that FERC recently did. In the white paper, there 
is an observation that the standards-making process--for the 
mandatory reliability standards--the standards-making process 
``does not lend itself to addressing rapidly evolving 
cybersecurity threats.'' Does Congress or does FERC need to 
change the development process for these standards?
    Mr. McClelland. Well----
    The Chairman. If you recognize that it is that cumbersome.
    Mr. McClelland. I'm sorry, I'm glad you asked the question, 
Chairman.
    That's why FERC uses a tool called Approach. And the 
reliability standards, although they can be, they aren't 
required to be best practices. And in the context of these 
advanced persistent threat adversaries that are specifically 
targeting our most critical infrastructure facilities with 
precision and with advanced tools and techniques, the 
Commission has found that it's necessary to use a dual-pronged 
approach. It's not to say that the standards development 
process isn't working because it's providing excellent 
foundational standards that really are a shining example across 
all of the infrastructure types, but those are foundational 
practices.
    The Commission, and we've heard this earlier from several 
Senators, the Commission's--it's recognized the need to convey 
this most sensitive information to our utility partners so that 
they can quickly react to it. In that context, and I just want 
to highlight one small example. We do work very closely with 
the Director of National Intelligence, the National 
Counterintelligence and Security Center. They convey one day 
read in clearances. So a process that could take a year or more 
to conduct, we can get and we have, we've gotten state 
officials and industry officials quickly cleared and then 
brought them in for group classified briefings and working 
sessions to make sure they understand the threat that's before 
them. We identify the best practices to mitigate against them 
and then they go out and take care of that. In the meantime, 
FERC then considers whether it would be appropriate to follow 
on with actions and activities pursuant to the reliability 
standards.
    The Chairman. Let me ask you one more question on the white 
paper as well. Do you think that the white paper's proposal of 
financial incentives for the industry will be helpful or will 
it just serve to increase rates because, you know, you have the 
potential for a tradeoff here between higher rates or better 
protection? And so, is that the answer there in terms of that 
protection, is the financial incentive?
    Mr. McClelland. Well, we hope so. We did solicit two 
separate mechanisms by which industry can react and then 
propose comments back to the incentives. But it really, the 
fundamental, it's really just three questions that I think 
summarize this issue very succinctly. The third question is do 
you know where best practices belong because not all facilities 
are created equally. Some facilities are extremely strategic in 
nature and you can bet that's where our adversaries will be 
targeting. So we hope or believe that the white paper that we 
developed, the application of those incentives can be used to 
target those critical facilities to deny the adversary access 
and then in the future even exploit of those facilities.
    So, and that would be also cost-effective. So instead of 
requiring everyone to establish a best practices and follow 
those best practices through a mandatory requirement, we can 
strategically select those facilities and then apply these best 
practices to them. And we're hopeful we get great comments back 
on that incentives white paper. We're very hopeful about that.
    The Chairman. I am sure you will get comments.
    [Laughter.]
    I appreciate that, Mr. McClelland.
    I am going to give my colleagues an opportunity for a 
second round, but Senator Risch has just joined us. Senator, if 
you would like to ask a question before we turn to Senator 
Manchin.
    Senator Risch. Thank you very much. Thank you, Madam 
Chairman.
    Cybersecurity is really important, and obviously this 
Committee has overlapping jurisdiction with a number of other 
committees.
    The Chairman. With everybody.
    [Laughter.]
    Senator Risch. Yes, with everybody, I guess that is right.
    In Idaho, we are particularly sensitive to all this because 
of the Idaho National Laboratory (INL). The Idaho National 
Laboratory, as everyone knows, is the birthplace of nuclear 
energy in America and it is now, it has been the flagship for 
nuclear energy, really, in America and in the world. Now the 
flag is going up for cyber because at the INL they have some 
unique capabilities that really call out for them to be the 
flagship lab also for cybersecurity. This is the result of 
their decades of experience in control systems. Obviously since 
it was the birthplace of nuclear power, control systems played 
a very, very important role as they went forward building the 
52 different experimental--or some experimental, some actual--
nuclear reactors that were built at the laboratory. Those 
control systems were critical. They have great expertise in 
that regard, plus they have some test beds that are important. 
So the result of that is the INL is moving forward very rapidly 
in the cyberspace.
    I have a question for Mr. Gates I would like to ask and 
have him talk to us a little bit about the role that the INL 
and the other labs are playing in this regard. And as we know, 
earlier this year the Cyberspace Solarium Commission released 
dozens of recommendations to better secure the nation from 
cyberattacks--very important because this is so critical in our 
infrastructure and everything else. The Department of Energy 
national laboratories are playing a key role in this effort to 
move these recommendations forward. In Idaho we have the Idaho 
National Lab, as I said, which is the only national laboratory 
explicitly mentioned in this report and that, of course, is 
because of its expertise that I just described and also because 
of their outsized role and growing role in cybersecurity.
    So again, the question I have for you, Mr. Gates, is that 
as Congress looks as we all, in Congress, look to implement 
many of the recommendations in this report, can you please talk 
a little bit about what you think the INL, the role the INL can 
play in that regard and the role that any other of the labs 
might play in that regard? INL certainly has a unique place and 
unique capabilities, but I would like to hear your observations 
in that regard.
    Mr. Gates. Thank you, Senator Risch.
    INL, it's in many respects, particularly in the area of 
control systems, it's a first among its equals. Certainly, 
CESER and the Department, the sector, relies on many labs. If 
you look at what we are doing with NAERM, you know, there are 
eight national labs that are collaborating on that project that 
will allow us to obtain high-fidelity situational awareness on 
the grid. INL is one of them. But INL has really taken a 
leadership role on some of our critical programs, CyTRICS, for 
example, where we're going to be testing systems down to the 
component level to look for and eliminate vulnerabilities. That 
program, I mean, INL is best suited for it. It was, CyTRICS, 
was designed with INL in mind and what that is going to allow 
us to do is push the adversary further out of the 
infrastructure using that and other programs. CyTRICS, centered 
at INL, is also going to allow us to execute the Executive 
Order. It's a key component to DOE's ability to implement 
13920.
    There are other programs. Just this year, I mentioned 
earlier that we sent a few Coast Guard cadets to INL for an 
intern program and we think that's a model for how to get 
training into the hands of those who will be helping us defend 
control systems, whether they're controlling a weapon system or 
whether they're controlling part of the critical 
infrastructure. So that's just one of many programs. We rely on 
INL's expertise, even in classified settings. There's work 
that's just uniquely suited for INL, but many of our other 
national labs, it's almost a superpower for the Department of 
Energy, our ability to rely on national labs to help us solve 
problems and then get them into the sector.
    Senator Risch. Thank you very much, and I appreciate your 
reference there to the national security matters and also the 
classified nature. Sometimes when I am home in Idaho I try to 
explain to people what they do at the INL. I can tell them 
about some things and I can't tell them about others. Even the 
ones that are classified are incredibly important. So thank you 
for your work, I sincerely appreciate it.
    Thank you for holding this hearing, Madam Chairman. I 
appreciate it.
    The Chairman. Thank you, Senator Risch. As you know, I have 
been out to INL, have seen it, can't talk about it.
    [Laughter.]
    Senator Manchin.
    Senator Risch. Some of it.
    The Chairman. Some of it.
    Senator Manchin. Thank you, Madam Chairman.
    To Mr. Gates and Mr. Conner, I mentioned earlier I am 
pleased to see DOE taking steps to ensure that we have safe and 
secure supply chains for bulk power systems. However, in moving 
forward with identifying grid equipment that is at risk or 
equipment that could be part of a prequalified list, it is of 
credible importance that the manufacturers of electric 
equipment are utilized for their knowledge and expertise. I 
know the Executive Order established a task force to engage 
with the energy industry, but manufacturers were not 
specifically included in that process.
    Mr. Gates, has the DOE considered establishing a task force 
equivalent for the manufacturers to the electric equipment to 
inform DOE to get response back for them and how is DOE fully 
engaging with these stakeholders?
    Mr. Gates. Thank you for that question, Senator Manchin. 
You know, since the issuance of the Executive Order, DOE has 
held over 90 calls, not only to the asset owners, but that also 
includes manufacturers. So they're part of the equation. And 
even in part of the CyTRICS program which is a key element of 
executing the Executive Order, we've already signed two 
companies. We're engaging others directly and having a 
conversation. A lot of those discussions are in the context of 
the broader vulnerability identification and elimination 
aspect, but we're also talking about implementation of the 
Executive Order.
    So over 3,000 individuals have engaged the Department since 
the issuance of the Executive Order. Some of them are 
manufacturers, a lot of utility owners, suppliers, and we're 
comfortable, though we've taken the letter to heart and we're 
making sure that we're covering all our bases, we're 
comfortable with our engagement strategy so far and we seek to 
do more of that because we do want to be thorough and it 
requires a partnership. We can't go it alone. So, you know, 
your letter was taken to heart, sir.
    Senator Manchin. Thank you, sir.
    Mr. O'Brien, as the largest grid operator in the country, I 
appreciate that PJM takes cybersecurity seriously. The states 
and utilities that make up PJM service territory which includes 
my State of West Virginia vary a lot in their ability to 
address and get ahead of the cyber grid threats leaving an 
important role for PJM to make sure the system is not made 
vulnerable by any one actor who does not get it up to the 
standards that you are asking for. So my question would be, 
what are the biggest risks in the PJM territory that you are 
concerned about and what can other grid operators learn from 
what you have been able to address with these threats?
    Mr. O'Brien. Yeah, thank you, Senator.
    I think from my perspective, certainly from an operating 
control aspect, is the biggest risk to PJM is that there's 
significant compromise of our members. I mean, we rely on 
information and data that comes into PJM and we're running all 
types of real-time analysis to keep the lights running. But if 
there is any case where the telecommunications system is down, 
we can't get that data, that information. I think it's a really 
high risk----
    Senator Manchin. Let me ask you this, Mr. O'Brien. Are you 
all able to run scenarios that you can test to see if they are 
up to your standards, even if they are reporting they are? Do 
you do, kind of, cyber test, if you will, to see if you are 
able to get into their system or basically show they have, 
still, some vulnerabilities?
    Mr. O'Brien. No, we don't do that. I mean, that's something 
that we don't, you know, feel is in our jurisdiction based on 
how we operate. We do collaborate a lot with the members, but 
no, we don't do, you know,----
    Senator Manchin. Well, let me ask Mr. Gates. Let me ask him 
then.
    From the DOE, Mr. Gates, does any, I mean, if our systems 
are telling you, whether it be in West Virginia or any other of 
the PJM states or any other areas of our country, if they are 
not, if they are actually not really hardening their systems to 
protect against the cyberattacks, how are you able to detect 
it? Do you just have to wait until something happens or are you 
all checking to see if they are doing it?
    Mr. Gates. We're not. There is a reporting mechanism in 
place.
    Senator Manchin. No one is checking, I can tell right now. 
No one. No one is testing to make sure. If I wanted to find out 
if you did what you told me you did, I would have one of my 
smart people try to hack into that and see if I show the 
fallacy there. So we are not doing those types of tests?
    Mr. Gates. I think that's fair, though if you look at what 
CISA is doing, some of the work they're doing in the sector and 
the Department and the advice from FERC and NERC, there are 
mechanisms to engage them, but as far as overseeing the 
implementation of certain things in a private utility, again, 
there are some limitations in the current----
    Senator Manchin. Well, again, I would ask PJM. Mr. O'Brien, 
how do you all plan to continue monitoring these evolving risks 
if you really can't check to see if they have been hardened? It 
can't be done. Has the risk been eliminated?
    Mr. O'Brien. Yeah, I think, Senator, the thing that we rely 
on, relative to our members, is, you know, the NERC compliance 
and they're all held to a standard, they're held to an audit 
and we're counting on that. Now we do a lot of collaboration 
and discussions on best practices, but it's not within our 
jurisdiction to actually red team or try to hack into their 
systems right now.
    Senator Manchin. Well, we will have to check with NERC 
then. We have to check with somebody to see if somebody is 
checking anything.
    Alright, thank you.
    Thank you, Madam Chairman, and thank all of you. I am very, 
very appreciative.
    The Chairman. Thank you, Senator.
    Senator Hoeven has joined us.
    Senator Hoeven. Thank you, Madam Chairman.
    My first question is to Mr. McClelland. As consumers we 
have benefited from centralized baseload generating assets and 
our ability to [inaudible]--to provide power, especially during 
extreme weather events, polar vortexes and so forth. And we now 
see more centralized, intermittent generation on the grid and 
so forth which creates opportunities, but also, risks. Mr. 
McClelland, what measures has [the company] taken to manage 
liability and cybersecurity risks in these new technologies?
    Mr. McClelland. So as users, owners and operators of the 
power grid, these facilities may be subject, would likely be 
subject to the NERC reliability standards if they reach a 
certain threshold and they are interconnected to the bulk power 
system. So that's where the Commission's jurisdiction is, under 
the Federal Power Act, Section 215. If these facilities 
interconnect to the bulk power system, they'll be held to that 
minimum standard. And in addition, Senator, we do have a 
program, a collaborative program that is available to any 
entity where we will, for instance, do an onsite assessment of 
their facilities, identify vulnerabilities and then assist them 
with mitigating action. So it's the same level of 
accountability that all generation resources under the 
Commission's jurisdiction would have.
    Senator Hoeven. Does Congress need to provide the FERC with 
any additional tools or capabilities to make sure that FERC is 
continuing to protect and improve the reliability of the bulk 
power system?
    Mr. McClelland. Well, the Commission now is using a dual-
fold approach. So we're establishing baseline standards and 
they're good, the reliability standards for cybersecurity 
through the NERC process, but this process is open and 
deliberative and it doesn't necessarily reflect best practices. 
On the other side, we're collaborating very closely with the 
intelligence community. That'd be our friend, Alex Gates at the 
Department of Energy, Department of Homeland Security and other 
agencies to stay current on those threats. And then we're 
actively engaging with industry to push out this information so 
that they can be aware of the threats. This bill would actually 
add to that authority. It would add to our voluntary assistance 
work with industry, providing us with additional authorities.
    Senator Hoeven. For Mr. Conner, how do we continue to 
strengthen the relationship between the public and private 
sectors to ensure that information is shared and also protected 
from inappropriate disposal?
    Mr. Conner. Yes, thank you for the question.
    I think, as we mentioned earlier in my testimony, if I just 
take a look at the partnership that we've done with NYPA. 
That's more on the public side. That was just last week, and 
it's to develop the new think tank with them. I also take a 
look at all the partnerships that we have in the private sector 
with some of our vendors and our supply chain management. And 
as I also testified earlier, we make sure that despite all of 
that, that we actually do testing on hardware, software, 
security testing of everything that we get out of our suppliers 
as well to cover that side.
    So I think it's collaboration. We talked about it earlier. 
Nobody gets there by themselves, but it's continuing to 
collaborate and communicate across the board.
    Senator Hoeven. And then for Mr. Gates. Do you believe that 
the Department of Energy has sufficient ability over the 
nation's energy delivery system to properly address the attacks 
and vulnerabilities----
    Mr. Gates. Thank you for the question, Senator.
    I'm not sure anyone has the visibility to address all the 
threats. If we had that visibility, whether it was the 
Department, whether it was in the private sector, we would be 
doing more to develop solutions and push the adversary further 
away from our infrastructure. But that's why investments like 
NAERM and developing other tools and why information sharing 
through the ISACs and other mechanisms, the intelligence 
briefings, are so important. But we do need better tools. We 
need better sensors, and we're investing in that. We need 
better analytics which we're developing at the national labs. 
Pulling all that together to have better situational awareness, 
high fidelity is the answer. We haven't achieved it yet, but it 
is a goal and it's a pressing goal for the Department.
    Senator Hoeven. Is there additional assistance Congress can 
provide or resources, in your opinion, at this time that would 
be critical to test?
    Mr. Gates. There's always room for additional support, sir. 
Targeted support at specific programs that allow us to develop 
some of these solutions more rapidly is always effective, 
making it easier for us to fund pilots and work with the 
national labs, with the private sector. There are pretty 
interesting developments in private industry, tools that are 
useful for us, but even that requires integration and testing. 
So clearly, the whole sector, including the Department could 
use more support.
    Senator Hoeven. But you don't have a specific in mind?
    Mr. Gates. I do have specifics in mind, sir, and I would 
gladly provide those to you offline.
    Senator Hoeven. Alright. Thank you very much.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator Hoeven.
    Gentlemen, we appreciate the discussion that we have had 
here this morning. I know Senator Manchin and I have no further 
questions.
    Senator King, did you have anything further that you wanted 
to add?
    Senator King. Yes, just two things.
    The first, Senator Manchin, in your usual commonsense way, 
you put your finger on something very important which we talked 
about earlier which is red teaming or hackers for hire or 
penetration testing, whatever you want to call it. We need more 
of it. We need authority to do it in Mr. Gates' agency and 
perhaps at FERC. People can certify that they are secure but 
there is no way to really test that until you have really tried 
to penetrate their network. So I have asked Mr. Gates to supply 
us with what he feels he needs in the way of additional 
authorities to make that happen. So I want to associate myself 
with that question.
    One other question that has not come up today, and I don't 
know whether this should be to Mr. McClelland or to Mr. Gates, 
but isn't distributed energy, that is, generation at the home 
or in the neighborhood which is now available to us in part 
through the use of solar, isn't that part of a national 
security solution to try to avoid the risk of the giant grid 
with the giant generating plant that if it goes online, 
everybody goes down? Is anybody thinking about that? Mr. Gates, 
is that something that you all have looked at?
    Mr. Gates. Senator King, it is something the Department is 
concerned with, particularly when we look at some of the grid 
modernization initiatives, you know, baking security into that 
modernization, whether they're microgrids and so forth is an 
important aspect of it. But there are those who also believe 
that if we don't bake in security that we're distributing the 
problem. Those systems still are dependent on technologies 
that, you know, could be vulnerable and just change the nature 
of an attack, make it a----
    Senator King. But if you have a solar array on your house 
that supplies your needs, you don't care if something happens 
to a generating plant 200 miles away. That is my point. It 
seems to me that there is a resilience redundant kind of effect 
here, and I realize integration into the grid and all those are 
technical questions, but the decentralization, I mean, the 
whole history of our electrical system has been centralization. 
We are now in a place where technology allows us to 
decentralize, and it seems to me that could be an important 
advantage in terms of securing electric supply to individuals 
and businesses.
    Mr. McClelland, are you guys looking at that at FERC?
    Mr. McClelland. Thank you, Senator, for the question.
    In some ways, and to add to Mr. Gates' point, in some ways 
the addition of new technologies, new systems, especially 
supply chain concerns can complicate security. However, to your 
point, there's a vast reduction of interdependencies associated 
with a self-sufficient plant. So I think that so long as the 
facility, and I am speaking for myself, so long as the facility 
is secure, has/is abiding by best practices to counter those 
adversarial attacks, it certainly makes it easier to protect a 
self-contained, fuel secure facility, such as renewables versus 
a facility that depends on many other types of infrastructure 
to produce generation.
    Senator King. Thank you.
    Thank you, Madam Chair, I appreciate it.
    The Chairman. Thank you.
    This has been a really instructive hearing, again, and I 
appreciate the input that we have received, not only from those 
within the Department, the agencies, but also the private 
sector. I think it was important to have that.
    Senator Manchin. Can I say one thing?
    Senator King, Angus, are you still on?
    The Chairman. Yes.
    Senator Manchin. Angus, the only thing I wanted to ask, I 
know you asked directly with DOE if they could check, you know, 
by basically hiring the real smart people we talk about that 
are able to find out if we are on our game or not.
    Senator King. Right.
    Senator Manchin. But how about with PJM? Are they not 
responsible then, basically if they are the carrier, I mean, 
they are one of the largest in the country? They are all over 
my state. Should they not be----
    Senator King. I asked PJM that question and I think the 
response was that they do do pen testing and red teaming. Isn't 
that correct, Mr. O'Brien? I thought that was what you said.
    Mr. O'Brien. Yeah, thank you. Let me clarify. We do 
extensive red teaming on our own systems. We do extensive 
penetration testing on our own systems. What we don't do is red 
teaming and penetration testing on our member company systems 
where data flows into us. So that's the little nuance to the 
question.
    Senator Manchin. So you don't have the jurisdiction for 
that, is what you are saying, why you don't do it?
    Mr. O'Brien. We do not. No.
    Senator Manchin. Okay. Angus, that gives us something else 
to work on.
    The Chairman. Yes.
    Mr. O'Brien. And again, I think NERC plays a role in that 
as well.
    Senator Manchin. Sure.
    Mr. O'Brien. With the--thank you.
    The Chairman. But that is your vulnerability. You can be 
secure here----
    Senator Manchin. Absolutely. Absolutely.
    The Chairman. ----but then feed into where you are.
    Senator Manchin. I just want to thank Angus, Senator King, 
and Congressman Gallagher for what they have done in the last 
two years. I mean, it is truly amazing and it needs to be 
brought--it is just common sense. It is just pure common sense. 
And we have to do all the checking we can. So maybe this is 
something that we could work on with NERC and get some of these 
barriers broken down for you so we really have thorough 
checking and thorough testing.
    Thank you.
    The Chairman. Well, I think we recognize that the threat 
from cyber, whether it is to our energy systems or any aspect 
of, really, our economy, there is vulnerability that we 
recognize and again, we are talking about collaboration, we are 
talking about partnership, built on the trust. And so how we 
can help facilitate that is important. When you can't trust, 
you have to test. Trust but verify. I think this is some of the 
conversation that we have had here today.
    There are some requests that Committee members have made 
that, I think, Mr. Gates, you acknowledge that you would be 
able to provide members of the Committee a response. We look 
forward to that and if other members have further questions for 
the record, we would hope that you would be able to respond.
    We appreciate the time that you have given us and the 
information that you have provided us as we focus on this 
critically, critically important aspect of protecting our 
energy sector.
    With that, the Committee stands adjourned.
    [Whereupon, at 11:53 a.m. the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------                              


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]