b"<html>\n<title> - DEFENDING THE U.S. ELECTRIC GRID AGAINST CYBER THREATS</title>\n<body><pre>[House Hearing, 117 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                    DEFENDING THE U.S. ELECTRIC GRID\n                         AGAINST CYBER THREATS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                   SUBCOMMITTEE ON NATIONAL SECURITY\n\n                                 OF THE\n\n                   COMMITTEE ON OVERSIGHT AND REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED SEVENTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 27, 2021\n\n                               __________\n\n                           Serial No. 117-36\n\n                               __________\n\n      Printed for the use of the Committee on Oversight and Reform\n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n                       Available at: govinfo.gov,\n                         oversight.house.gov or\n                             docs.house.gov\n                             \n                                __________\n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n45-371 PDF                 WASHINGTON : 2021                     \n          \n-----------------------------------------------------------------------------------                                \n                             \n                   COMMITTEE ON OVERSIGHT AND REFORM\n\n                CAROLYN B. MALONEY, New York, Chairwoman\n\nEleanor Holmes Norton, District of   James Comer, Kentucky, Ranking \n    Columbia                             Minority Member\nStephen F. Lynch, Massachusetts      Jim Jordan, Ohio\nJim Cooper, Tennessee                Paul A. Gosar, Arizona\nGerald E. 
Connolly, Virginia         Virginia Foxx, North Carolina\nRaja Krishnamoorthi, Illinois        Jody B. Hice, Georgia\nJamie Raskin, Maryland               Glenn Grothman, Wisconsin\nRo Khanna, California                Michael Cloud, Texas\nKweisi Mfume, Maryland               Bob Gibbs, Ohio\nAlexandria Ocasio-Cortez, New York   Clay Higgins, Louisiana\nRashida Tlaib, Michigan              Ralph Norman, South Carolina\nKatie Porter, California             Pete Sessions, Texas\nCori Bush, Missouri                  Fred Keller, Pennsylvania\nDanny K. Davis, Illinois             Andy Biggs, Arizona\nDebbie Wasserman Schultz, Florida    Andrew Clyde, Georgia\nPeter Welch, Vermont                 Nancy Mace, South Carolina\nHenry C. ``Hank'' Johnson, Jr.,      Scott Franklin, Florida\n    Georgia                          Jake LaTurner, Kansas\nJohn P. Sarbanes, Maryland           Pat Fallon, Texas\nJackie Speier, California            Yvette Herrell, New Mexico\nRobin L. Kelly, Illinois             Byron Donalds, Florida\nBrenda L. Lawrence, Michigan\nMark DeSaulnier, California\nJimmy Gomez, California\nAyanna Pressley, Massachusetts\nMike Quigley, Illinois\n\n                      Russ Anello, Staff Director\n                Dan Rebnord, Subcommittee Staff Director\n                    Amy Stratton, Deputy Chief Clerk\n\n                      Contact Number: 202-225-5051\n\n                  Mark Marin, Minority Staff Director\n                                 ------                                \n\n                   Subcommittee on National Security\n\n               Stephen F. Lynch, Massachusetts, Chairman\nPeter Welch, Vermont                 Glenn Grothman, Wisconsin, Ranking \nHenry C. ``Hank'' Johnson, Jr.,          Minority Member\n    Georgia                          Paul A. 
Gosar, Arizona\nMark DeSaulnier, California          Virginia Foxx, North Carolina\nKweisi Mfume, Maryland               Bob Gibbs, Ohio\nDebbie Wasserman Schultz, Florida    Clay Higgins, Louisiana\nJackie Speier, California\n                         \n                         \n                         C  O  N  T  E  N  T  S\n\n                              ----------                              \n                                                                   Page\nHearing held on July 27, 2021....................................     1\n\n                               Witnesses\n\nMr. Puesh M. Kumar, Acting Principal Deputy Assistant Secretary, \n  Office of Cybersecurity, Energy Security, and Emergency \n  Response Department of Energy\nOral Statement...................................................     4\nMr. Eric Goldstein, Executive Assistant Director for \n  Cybersecurity, Cybersecurity and Infrastructure Security \n  Agency, Department of Homeland Security\nOral Statement...................................................     6\nMr. Joseph H. McClelland, Director, Office of Energy \n  Infrastructure Security, Federal Energy Regulatory Commission\nOral Statement...................................................     8\n\nWritten opening statements and statements for the witnesses are \n  available on the U.S. House of Representatives Document \n  Repository at: docs.house.gov.\n\n                           Index of Documents\n\n                              ----------                              \n\n  * Statement for the Record by the American Public Power \n  Association and the National Rural Electric Cooperative \n  Association; submitted by Rep. Lynch.\n\n  * Questions for the Record: to Mr. Kumar; submitted by Rep. \n  Lynch. (No response)\n\n\nThe documents are available at: docs.house.gov.\n\n \n                    DEFENDING THE U.S. 
ELECTRIC GRID\n                         AGAINST CYBER THREATS\n\n                              ----------                              \n\n\n                         Tuesday, July 27, 2021\n\n                   House of Representatives\n          Subcommittee on National Security\n                          Committee on Oversight and Reform\n                                                   Washington, D.C.\n\n    The subcommittee met, pursuant to notice, at 3:11 p.m., in \nroom 2154, Rayburn House Office Building, Hon. Stephen F. Lynch \n(chairman of the subcommittee) presiding.\n    Present: Representatives Lynch, Welch, Johnson, DeSaulnier, \nWasserman Schultz, Speier, Langevin, Grothman, Gosar, and \nComer.\n    Also present: Representative Langevin.\n    Mr. Lynch. This committee will now come to order. Without \nobjection, the chair is authorized to declare a recess of the \ncommittee at any time. I now recognize myself for an opening \nstatement.\n    Good afternoon, everyone. Before we begin, I would like to \nthank each of our witnesses for testifying before our \nsubcommittee today. I would also like to thank my colleagues \nwho are participating at today's hearing, both remotely and in \nperson.\n    If you listened to the news over this past year, there's a \ngood chance that you have heard about one of many cyber attacks \nthat have targeted a high-profile technology company, research \ninstitution, energy pipeline, or even the Federal Government. \nToday, we will examine how this latest uptick in hacking \nattempts could affect the vital component of our critical \ninfrastructure, and even U.S. national security, and that is \nthe vulnerability of our electrical grid.\n    The electrical grid is the backbone of daily life here in \nAmerica. It provides energy to heat our homes, power our \nhospitals, and charge our smartphones. It also is a priority \ntarget for state and non-state cyber adversaries. 
A successful \nattack on the electrical grid could have devastating \nconsequences on U.S. national security and our economic \ninterests.\n    Last month, Secretary of Energy, Jennifer Granholm, \nconfirmed that cyber adversaries have the tools and \ncapabilities necessary to shut down our electrical grid.\n    In a recent statement, the Department of Energy warned, and \nthis is a quote, ``The United States faces a well-documented \nand increasing cyber threat from malicious actors seeking to \ndisrupt the electricity that Americans rely on to power our \nhomes and businesses every day.'' In response, President Biden \nhas taken decisive meaningful action since assuming office to \nstrengthen our national cyber defense and protect our critical \ninfrastructure.\n    For example, in April, President Biden announced a 100-day \nplan led by the Department of Energy and the Cybersecurity and \nInfrastructure Security Agency, CISA, to strengthen the \nsecurity and resilience of U.S.--of the U.S. electrical grid. \nAnd in May, President Biden issued an executive order that will \nmodernize our national cybersecurity defenses and improve \ninformation-sharing between the U.S. Government and private \nsector, which is ultimately responsible for operating and \nsecuring the electrical grid.\n    I want to applaud and I am grateful to President Biden for \nrecognizing the urgency of this threat; however, significant \nvulnerabilities continue to persist. And the Biden \nadministration should consider whether additional regulations \nor policy initiatives are needed to strengthen the cyber \ndefense and resiliency of our electrical grid. For example, as \na growing number of network consumer devices connect to \nelectrical distribution systems, these devices create \nadditional gateways that hackers can exploit to gain access to \nthe grid. 
These vulnerabilities are exacerbated by the fact \nthat Federal cybersecurity standards do not currently apply to \ndistribution systems, and are, instead, only mandatory for \ncertain power generation and transmission systems.\n    Even those mandatory reliability standards that apply to \nelectric generation and transmission systems do not fully \nincorporate leading cybersecurity guidance from the National \nInstitute of Standards and Technology.\n    In addition, many key components of the electrical grid are \nproduced, or rely upon parts produced by international \nsuppliers. This equipment is vulnerable to tampering or \nespionage by foreign actors. Some of this equipment, especially \nlarge power transformers, can take over a year to produce, \ntransport, and install. Even in an emergency, making the U.S. \nelectrical grid heavily dependent on overseas manufacturing.\n    Last, but certainly not least, multiple Federal agencies \nand state and local entities, each with its own role, its own \nresponsibilities, and its own authorities are all tasked with \nprotecting the electrical grid. This creates ample opportunity \nfor bureaucratic stovepiping and can undermine the incidence \nresponse to any events.\n    To that end, I look forward to hearing from our witnesses \nabout how they are working together in sharing information to \nensure malign cyber actors cannot slip through the cracks. With \nthat, I would like to thank our witnesses for their service and \nfor testifying before our subcommittee on this critically \nimportant issue. And I will now yield to my friend, the ranking \nmember from Wisconsin, Mr. Grothman, for five minutes.\n    Mr. Grothman. Thank you very much. And thank you for our \nwitnesses for showing up today. There's an issue with far-\nreaching repercussions, something that scared me for a long \ntime. An attack on the energy grid would be devastating for \nAmericans and our national security. 
Hours, even hours without \npower would cause chaos. Extended disruptions could pose \nserious consequences to our national defense. Cyber attacks are \ngrowing in frequency. Particularly, scary ones from state-\nsponsored groups in Russia and China. It would appear to the \ncasual observer that these actors are testing us, testing our \ndefenses, our response, our reaction.\n    Our defense must effectively and efficiently identify and \ndisrupt potential attacks. Our response must harness the powers \nof government and the private sector to mitigate the fallout. \nOur reaction must be swift and strong to future attacks.\n    Each of you, each of our witnesses plays a vital role in \nthe Nation's cyber defense. This hearing is a welcome \nopportunity to hear from all of you, and learn more about how \nour government operates in space, as well as what the fallback \nposition is going to be if any of these attacks are effective. \nIt's a balancing act between the government authority and the \noperation of private industry. The answer is not more \nunilateral costs of regulations--many more unilateral \nregulations. The answer lies within current authorities \navailable to you and, frankly, your ability to work with each \nother. I hope we can hear more about the collaboration today.\n    In closing, I would like to say, hopefully, in the future, \nwe can take up other security issues, the origin of the COVID, \nthe Chinese biological weapons program, dangers of a nuclear \nIran, a botched Iran deal, and President Biden's border crisis. \nI have been down there four times. I would love a hearing on \nthat. It's a huge number of people crossing the border. We're, \nright now, at about 70,000 people a month. 
What is further \ndisturbing is the vast number of illegal immigrants President \nBiden has been releasing in our country, well over 160,000 \nbetween Border Patrol and HHS.\n    The committee's held hearings after hearing during the \nTrump administration operating missions with the border. I have \nbeen down there four times. You would have a blast having a \nhearing on that. I hope, Mr. Chairman, we can work together to \ninvestigate these issues. I yield back and look forward to our \nwitnesses to tell them.\n    Mr. Lynch. The gentleman yields back. I have one important \nprocedural matter. Without objection, the distinguished member \nfrom Rhode Island, Mr. Langevin, is recognized and waived on to \nthe committee for the purpose of participating and questioning \nthese witnesses. Mr. Langevin is a senior member of the House \nArmed Services Committee where he serves as chairman of the \nSubcommittee on Cyber Innovative Technologies and Information \nSystems. Mr. Langevin has led on a number of key pieces of \nlegislation related to cybersecurity, including a bill to \nestablish a position of National Cyber Director in the White \nHouse. He is also a commissioner on the Cyberspace Solarium \nCommission, and is a co-chair of the congressional \nCybersecurity Caucus. So, welcome, Mr. Langevin.\n    Now, I would like to welcome our three witnesses. Today we \nare joined by Mr. Puesh Kumar, who is the Acting Principal \nDeputy Assistant Secretary in the Office of Cybersecurity, \nEnergy Security, and Emergency Response at the Department of \nEnergy. We are also joined by Mr. Eric Goldstein, who is the \nExecutive Assistant Director for Cybersecurity at the \nCybersecurity and Infrastructure Security Agency at the \nDepartment of Homeland Security. And we are also joined by Mr. 
\nJoseph McClelland who is the Director of the Office of Energy \nInfrastructure Security at the Federal Energy Regulatory \nCommission.\n    So, to all of our witnesses, thank you for your willingness \nto appear and to help the committee with its work. We look \nforward to your testimony.\n    It is the custom of the committee to swear our witnesses. \nSo, would the witnesses please stand and raise your right hand \nso that we can swear you in.\n    Do you swear or affirm that the testimony you are about to \ngive is the truth, the whole truth, and nothing but the truth, \nso help you God?\n    Let the record show that the witnesses have each answered \nin the affirmative. You may be seated. And thank you. And \nwithout objection, your written statements will be made part of \nthe record.\n    With that, Mr. Kumar, you are now recognized for five \nminutes of your summation of your written testimony.\n\nSTATEMENT OF PUESH M. KUMAR, ACTING PRINCIPAL DEPUTY ASSISTANT \n   SECRETARY, OFFICE OF CYBERSECURITY, ENERGY SECURITY, AND \n     EMERGENCY RESPONSE, ON BEHALF OF DEPARTMENT OF ENERGY\n\n    Mr. Kumar. Thank you, Chairman Lynch. Chairman Lynch, \nRanking Member Grothman, and distinguished members of the \nsubcommittee, thank you for the opportunity to testify on \nbehalf of the Department of Energy to discuss the \nadministration's continuing efforts to secure the Nation's \nenergy infrastructure, helping to ensure that all Americans may \nrely on a resilient, secure, and clean energy system.\n    The energy sector provides critical resources, electricity \nand fuel that we all depend upon. As we recently witnessed with \nthe Colonial Pipeline incident and impacts from extreme weather \nin Texas, disruptions to our energy system can have devastating \nimpacts to the U.S. economy, and the livelihoods of millions of \nAmericans. 
DOE's Office of Cybersecurity, Energy Security, and \nEnergy Response, commonly referred to as CESER, plays a leading \nrole in addressing the continuously evolving risks facing the \nenergy sector, including the growing cyber threats that pose a \nstrategic challenge to the United States.\n    Over the past few years, we have all witnessed an increase \nin the frequency and sophistication of attacks by a range of \nactors from cyber criminals to nation-states. As part of the \nFederal Government's coordinated efforts to proactively \nprotect, defend, and assist the energy sector with the \npreparedness and response to all hazards, DOE is designated as \nthe Sector Risk Management Agency, or the SRMA, for the energy \nsector, and is the coordinating agency for Emergency Support \nFunction 12 under the national response framework.\n    Through these roles, DOE works across the Federal \nGovernment. CISA and FERC are certainly on speed dial, as well \nas our partners at the state, local, territorial, and Tribal \nlevels.\n    Further, we have a strong relationship with the U.S. energy \nsector owners and operators. DOE and DHS serve as co-chairs of \nthe Electricity Subsector Coordinating Council and the Oil and \nNatural Gas Subsector Coordinating Council. The Sector \nCoordinating Council structure allows the government, a growing \nstate, to work closely with the industry to prepare for and \nrespond to national level disasters, or threats, to critical \ninfrastructure. Collective preparedness and collective response \nare at the heart of our work.\n    With that in mind, there are five priorities that I have \nset for the CESER office to really ensure that we are targeting \nour resources on the critical issues that are facing the U.S. \nenergy sector. The first priority is to increase the visibility \nof cyber threats, targeting industrial control systems of \nenergy companies. 
This includes enhancing the government and \nindustry's ability to detect and deter cyber threats.\n    As you mentioned, Chairman, we just launched the 100-day \ninitiative for industrial control systems. And the goal there \nis to really start to get visibility into a part of the energy \nsystem that we haven't had as much visibility on before. Really \nstarting to see the cyber threat actors in that environment and \nbe able to quickly collaborate with them.\n    The second priority is to identify supply chain threats, \nand disclose vulnerabilities in the energy sector, both in \ntheir hardware, but also the software and the digital supply \nchain.\n    One of the efforts we have underway at CESER right now is a \nprogram called Cyber Testing for Resilient Industrial Control \nSystems. The idea behind the program as is commonly referred to \nas CyTRICS is to partner with manufacturers and suppliers for \nthe most critical components in the energy sector, so that we \ncan test for hardware and software vulnerabilities before those \nsystems are ever deployed in the energy sector. And we're \nhaving tremendous success along those lines.\n    The third priority is to encourage the concept of security \nby design, and ensuring that cybersecurity is just built into \nthe relevant research and development and demonstration across \nDOE and our national laboratories. It should be core component \nof everything we do.\n    To that end, we are focused on an effort we call cyber-\ninformed engineering. 
The goal is to develop a framework so \nthat when we have our engineers designing the next generation \nenergy systems, cybersecurity is a core component of those \nearly designs so that we're not trying to bolt on cybersecurity \nafter the fact, but we're really building it in as a \nrequirement to any design that we build in the energy sector in \nthe United States.\n    The fourth priority is capacity building in the industry \nand the state, local, territorial, and Tribal communities. \nWorking to strengthen things like threat information sharing, \nexercising with a sector so we're prepared to respond. And \nalso, work force development is another key priority for us. \nAnd we just released an updated tool for the industry called \nCybersecurity Capability Maturity Model, C2M2. We just released \nversion two last week. The C2M2 model lets companies assess the \nmaturity of their cybersecurity programs and make targeted \ninvestments in their programs going forward.\n    And, finally, the fifth priority is to ensure that when an \nincident does occur, regardless of hazard, CESER is ready to \nsupport the sector, and mitigate impacts and ensure the safe \nand sufficient restoration of the Nation's energy \ninfrastructure. We do this through the deep subject matter \nexpertise of energy systems across the DOE complex, including \nheadquarters, national laboratories, power marketing \nadministrations, the Energy Information Administration, and the \nNational Nuclear Security Administration. We're able to bring \nthe different resources to the table in support of the \nresponse--in the case of a cyber response and work closely with \nour partners at CISA and FBI to ensure that we can have a \ncoordinated response like we did with the Colonial Pipeline \nincident. Thank you for the opportunity to testify. I look \nforward to your questions.\n    Mr. Lynch. Thank you. Mr. 
Goldstein, you are now recognized \nfive minutes.\n\n STATEMENT OF ERIC GOLDSTEIN, EXECUTIVE ASSISTANT DIRECTOR FOR \n   CYBERSECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY \n      AGENCY, ON BEHALF OF DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Goldstein. Thank you. Chairman Lynch, Ranking Member \nGrothman, members----\n    Mr. Lynch. Can you turn your mic on?\n    Mr. Goldstein. It's on, but I will move it a bit closer.\n    Mr. Lynch. OK.\n    Mr. Goldstein. It should be better.\n    Mr. Lynch. Thank you.\n    Mr. Goldstein. Chairman Lynch, Ranking Member Grothman, \nmembers of the subcommittee, thank you for the chance to \ntestify today on behalf of CISA. And thank you for your focus \non this critical issue and bringing us here to discuss the work \nthat we have done so far and the need to make further progress \nin addressing risk to the Nation's energy grid and broader \ncritical infrastructure.\n    Cyber intrusions targeting organizations across all sectors \nof the economy reflect that is now an urgent threat to our \nnational security, economic security, and public health and \nsafety. As the lead agency for civilian cybersecurity, CISA \nseeks to actively reduce risks and reduce vulnerabilities \nacross critical infrastructure in close partnership with sector \nrisk management agencies, like the Department of Energy. In \nthis role, we're particularly focused on reducing risk to \nnational critical functions. Those services that are so \nessential to the American people that degradation of them would \nlead to debilitating effects on our economy, our security, or \nour ways of life.\n    Of course, the energy sector is essential to numerous \nnational critical functions. Not only the power itself, but, of \ncourse, its dependencies: water, telecommunications, the \nability to move around our communities.\n    Through a close partnership with DOE and our private sector \npartners, we seek to improve cybersecurity at a national level. 
\nAnd we do this in five principal ways: First, we seek to share \ntimely and actionable information across the country with \npartners in the energy sector and across sectors to ensure that \nevery organization has the information they need to secure \ntheir networks against current and emerging threats.\n    Second, we provide voluntary services, such as \nvulnerability assessments, red-teaming, penetration tests to \nhelp organizations understand vulnerabilities in their \nnetworks, and fix them before an adversary can intrude and \ncause a compromise.\n    Third, when an incident does occur, we provide incident \nresponse and threat-hunting assistance and coordinate the \nnational asset response to cybersecurity incidents to mitigate \nthe event and bring it to a swift resolution.\n    Fourth, we provide active detection tools to help companies \non a voluntary basis, detect threats on their networks.\n    And fifth and finally, we conduct cross-sector analysis to \nunderstand how a cyber intrusion can cascade across sectors and \nimpact national critical functions.\n    And as my colleague at DOE noted, we are doing a lot of \nthis work today under the auspices of the White House's 100-day \nControl Systems Plan, in which we are focus on improving both \nsecurity practices and the ability to detect threats across \ncritical entities in the energy sector.\n    Going forward, it's clear that we have more to do. It is \nclear that we must act urgently to address this increasing \nthreat to our national security. We are looking to drive this \nprogress at CISA in a few ways.\n    First, we continue to work urgently on a voluntary basis \nwith government and the private sector partners to gain \nvisibility into cybersecurity threats and intrusions across the \ncountry. 
With this visibility, we are able to disseminate more \nactionable and timely information, we're able to provide more \ntailored response, and we're able to understand the breadth of \nrisks affecting entities in this country. We look forward to \nworking with Congress on enabling incident reporting \nlegislation that will provide CISA with this needed visibility. \nAnd we're also looking to more broadly deploy our detection \ntool, such as the CyberSentry Program, which allows us to use \ncommercial tools and government information to expand \nvisibility into risks affecting the Nation's most critical \ninfrastructure.\n    Additionally, we must continue to mature our voluntary \npartnerships with government in the private sector. We are \nshortly launching our newly renamed joint cyber defense \ncollaborative as established in last year's NDAA to formalize \nour work between government and the private sector around \nmitigating and understanding emerging cyber campaigns affecting \nour country.\n    And, last, we must recognize that we are not going to, in \nthe near term, prevent every cybersecurity intrusion. And we \nmust focus on resilience and functional continuity. To this \nend, the Cyber Response and Recovery Fund, an initiative \nrecommended by the Cyberspace Solarium Commission, and recently \npassed by the Senate, will significantly help CISA have the \ncapacity to help entities respond and recover when damaging \nintrusions occur.\n    We know that the problem is severe, and trends are not \npointing in the right direction. We are doing more, and we must \nact with urgency in managing this threat we are facing. CISA is \nprepared to lead this national effort in coordination with the \nSRMAs, with Federal law enforcement, our partners across this \ncountry. I will look forward to working with Congress in so \ndoing. Thank you again for your time. I look forward to your \nquestions.\n    Mr. Lynch. Thank you. Mr. 
McClelland, you are now \nrecognized for a five-minute summation for your testimony. \nThank you.\n\n STATEMENT OF JOSEPH H. MCCLELLAND, DIRECTOR, OFFICE OF ENERGY \nINFRASTRUCTURE SECURITY, ON BEHALF OF FEDERAL ENERGY REGULATORY \n                           COMMISSION\n\n    Mr. McClelland. Chairman Lynch, Ranking Member Grothman, \nand members of the subcommittee, thank you for the privilege to \nappear before you today to discuss defending the U.S. Electric \nGrid Against Cyber Threats. My name is Joe McClelland. I am the \nDirector of the Office of Energy Infrastructure Security at the \nFederal Energy Regulatory Commission. I come before you as a \ncommission staff witness, but I should note my remarks do not \nnecessarily represent the views of the Commission or any other \nindividual commissioner.\n    In the Energy Policy Act of 2005, specifically, through \nSection 15 of the Federal Power Act, Congress entrusted the \nCommission to approve and enforce mandatory reliability \nstandards for the Nation's bulk power system. Section 215 \nrequires the Commission to certify an electric reliability \norganization, or ERO, that is responsible for proposing for \ncommission review and approval reliability standards, or \nmodifications to existing reliability standards to help protect \nand improve the reliability of the Nation's bulk power system.\n    The Commission certified the North American Electric \nReliability Corporation, or NERC as the ERO. By statute, the \nbulk power system does not include electric distribution \nfacilities. Section 215 of the Federal Power Act provides for \nstakeholder input into the ERO's development of reliability \nstandards for the bulk power system. 
This process works \nrelatively well to develop standards to address traditional \noperations and planning-related reliability events that may \ncause grid failures, or blackouts, such as from improper \nvegetation management, or failures associated with the \noperation of protection equipment. The nature of the national \nsecurity threats from adversaries' intent on attacking our \nNation's electric grid significantly differ from reliability \nvulnerabilities that have caused regional blackouts and \nreliability failures we have seen in the past. Widespread \ndisruption of electric service can quickly undermine the U.S. \nGovernment, its military, and the economy as well as endanger \nthe health and safety of millions of our citizens.\n    To help mitigate these advanced persistent and rapidly \nevolving threats, the Commission uses a two-pronged approach \nwith regard to grid reliability, employing mandatory \nreliability standards to establish foundational practices, \nwhile also working collaboratively with industry the states and \nother Federal agencies to identify and promote best practices.\n    While the NERC Critical Infrastructure Protection, or CIP \nreliability standards are the foundation of the commission's \nwork to address cybersecurity, there are additional measures \nthat can and should be taken to further improve the industry's \ncybersecurity posture, considering these rapidly evolving \nthreats. That is why the Commission established OEIS. OEIS \npartners with other Federal agencies, states, and industry to \ndevelop and promote best practices for critical infrastructure \nsecurity. 
Working with these entities, OEIS helps identify new \nand emerging threats, informs the private sector of them, \nperforms voluntary cybersecurity evaluations, and assists with \nmitigating actions.\n    For example, OEIS conducts voluntary architecture \nassessments of interested commission jurisdictional utilities' \ncomputer networks that can control the operations of their \nfacilities. Conducted onsite, these assessments are specific to \nthe organization, reviewing everything from the configuration \nof legacy equipment to the application of state-of-the-art \nprotection systems.\n    Another example is that OEIS works with the Office of \nDirector of National Intelligence, specifically, the National \nCounterintelligence and Security Center to conduct briefings \nand exchange information with state and industry officials \nabout the current threats the industry is facing and what can \nbe done to address them.\n    More broadly, OEIS works with the NERC Electricity \nInformation Sharing and Analysis Center to rapidly issue \nbullets and alerts informing industry of specific \nvulnerabilities and threats, as well as best practices that can \nbe used to defend against them.\n    As a final example, OEIS assists with the planning and \nexecution of tabletop exercises, and participates in joint \nsecurity programs with other government agencies.\n    Last month, OEIS assisted the National Guard units \nparticipating utilities in the New England states to conduct \nCyber Yankee, a simulated cyber attack on system networks. This \nred-teaming exercise helped the New England utilities and \nNational Guard units to prepare for these threats, including \npracticing government assistance to the utilities as part of \nthe defense and recovery efforts. 
Exercises such as these are \ncritical to maintaining readiness and ensuring our ability to \nrespond to cybersecurity attacks.\n    In conclusion, cybersecurity threats pose a serious risk \nto the bulk power system and its supporting \ninfrastructures that serve our Nation. These are complex, \npersistent, and fast-evolving issues, and they won't be solved \neasily, and they will require a great deal of coordination and \ncommunication. Therefore, the Commission has adopted this two-\npronged approach to best address these important security \nmatters. Thank you for your attention and the opportunity to \ntestify today. And I look forward to your questions.\n    Mr. Lynch. Thank you. I will now recognize myself for five \nminutes for questions. Our adversaries are targeting all facets \nof American life with frequent and increasingly \nsophisticated cyber attacks. In just the past few months, cyber \nattacks have frozen a major oil pipeline, shut down the world's \nbiggest meat producer, and compromised one of the largest email \nservers in the world.\n    In a June 6 interview, Secretary of Energy Jennifer \nGranholm said, and I will quote her, ``There are thousands of \ncyber attacks in all aspects of the energy sector.'' And she \nadded, ``It's happening all the time.'' Secretary Granholm also \nacknowledged that our adversaries, foreign nations, and \ncriminal groups have the cyber capabilities to shut down the \nU.S. electric grid. We know that this threat exists because our \nadversaries have demonstrated it already.\n    In 2015, Russian intelligence agents used a sophisticated \ncyber attack to cripple industrial control systems of the \nUkrainian electrical grid, shutting off power to hundreds of \nthousands of people in the dead of winter. In that case, \nthankfully, power was restored to most consumers in a matter of \nhours.\n    However, the message was clear, Russia is willing and able \nto target its adversary's electrical infrastructure. 
But it's \nnot just Russia that we need to worry about--China, Iran, North \nKorea, and numerous sophisticated cyber criminal groups all \nview the U.S. electric grid as a priority target.\n    So, Mr. Goldstein, how would you describe the current risk \nof a major cyber incident on the electrical grid in the near \nfuture? Give me sort of a landscape assessment of where you \nthink we are right now, to the best of your ability?\n    Mr. Goldstein. Certainly, Mr. Chairman. I think your \ndescription of the threat environment is apt. I think we have \nan environment today where there are many organizations \nthroughout this country and across sectors of critical \ninfrastructure that have not universally deployed these sort of \nstrong security controls and managed known security weaknesses \nthat we know that our adversaries have the technical ability to \nexploit. This puts us in a position where the possibility of a \nhighly damaging cybersecurity intrusion affecting a national \ncritical function, such as the provision of power to the \nAmerican people, is certainly a possibility.\n    Mr. Lynch. Let me ask you, just on that point and this is \nfor the entire panel. I doubt very much that we have a single \npoint of failure, but as we saw with the Colonial Pipeline, you \nhave got some infrastructure that--some pieces of \ninfrastructure that are so critical to--in that case, it was \nthe East Coast. But is this an assessment that there are \nseveral points of vulnerability, or geographically speaking?\n    And when you say certain entities are not using proper \ncyber hygiene, let's say, is that something that, as Mr. \nMcClelland has pointed out, is that a standard that's \nrecommended, or is it something that is actually required?\n    Mr. Goldstein. Certainly. So, I will defer to my colleagues \nat DOE and at FERC respectively for an assessment on points of \nfailure in the grid, as well as on the mechanisms that could be \nutilized through FERC authorities. 
What I would note is that, \nyou know, if all organizations do not urgently focus on \nunderstanding not only the vulnerabilities in their network \nthat exist today, but also on the tactics, techniques, and \nprocedures that we are seeing adversaries, whether nation-\nstates or criminal gangs, utilize, and don't urgently invest in \nputting in place controls that meet what we see our adversaries \ndoing, then we are at urgent risk of a cybersecurity intrusion \nthat could result in degradation of a national critical \nfunction, of which there are many, but certainly the energy \nsector is one.\n    This is why it is so urgent for all organizations to put \ncybersecurity investment at the top of their list, recognizing \nthat, you know, investments must be weighed against other \nconsiderations. But at CISA, we are urgently focused on making \nsure that all entities across critical infrastructure are \nfocused on putting in place these strong controls and \nmitigating those known vulnerabilities that we know could be \nexploited to cause significant harm.\n    Mr. Lynch. I am sorry. Mr. Kumar, Mr. McClelland, could you \ntake a whack at that question as well.\n    Mr. Kumar. Absolutely, sir. Thank you for the question. I \nthink that's a really important question, because I truly do \nbelieve that the cyber challenge is a national security \nchallenge that we are facing on a daily basis as you mentioned. \nIt becomes even more complex when you think of the electricity \nsector that has over 3,000 electric utilities across the United \nStates, and how it's all connected. This becomes even more \ncomplex and challenging. And, so, we need to be addressing this \nthrough three different ways. The Department is looking at it \nfrom three different tracks: One, what are those policies that \nwe need to look at? 
Are those policies in coordination with our \ncolleagues at FERC?\n    Two, what are tools and technologies that we can put on the \ngrid that can detect these threats before they result in \nimpacts? We need to continue investing in a lot of that R&D.\n    But then, the last one is when it does happen, just like \nwith Colonial, how do we respond? Respond swiftly and have the \nbackups necessary to immediately recover from a response. We \nare thinking about it from all three perspectives, and we need \nto continue to do more.\n    So, we at the Department are certainly working with FERC in \nterms of really understanding the bulk power system. So, how do \nwe help the regulators at the Federal level understand the \nthreat so that our standards are risk-based? So, as we see the \nthreat evolve, so does the standard. We're doing the same thing \nwith the states. So, the jurisdiction of regulatory standards \nthrough the distribution systems is in the hands of states.\n    And, so, our approach at the Department is to work with the \npublic utility commissions and the public service commissions \nat the state level to ensure that they, No. 1, understand the \nthreat. As my colleague, Joe, mentioned, what we're trying to do \nis help them understand the threat at both the unclassified and \nclassified level to inform how they work with their utilities \nat the state level.\n    The second thing is often the state, or the states, don't \nhave the resources to actually make these informed decisions in \nterms of how much of a cybersecurity investment is appropriate. \nSo, what we have been doing is developing tools. So, the tool \nthat I just mentioned, C2M2, the Cybersecurity Capability Maturity \nModel. Utilities use it to decide on investments in \ncybersecurity. We are providing a similar version of that tool \nto the states to use to gauge the cybersecurity of the \nutilities within their state. 
And, so, we need to do this \nthree-pronged approach to continue pushing cybersecurity \nforward, sir.\n    Mr. Lynch. Great. Mr. McClelland.\n    Mr. McClelland. I refer to a couple of quick quotes on the \nannual threat assessment. This was issued on April 9 of 2021. \n``We continue to assess that China can launch cyber attacks \nthat, at a minimum, can cause localized temporary disruption to \ncritical infrastructure within the United States.''\n    Regarding Russia: Russia continues to target critical \ninfrastructure, including underground, underwater cables, and \nindustrial control systems in the United States, and in its \nallied countries, as compromising such infrastructure improves, \nand, in some cases, can demonstrate, its ability to damage \ninfrastructure during a crisis.\n    And then, last, I just refer you to the task force on cyber \ndeterrence. This was in 2017. And this is just a precursor to \nyour answer. So first, major powers, Russia and China, have a \nsignificant and growing ability to hold U.S. critical \ninfrastructure at risk via cyber attack. This emerging \nsituation threatens to place the United States in an untenable \nposition. Although progress is being made to reduce the \npervasive cyber vulnerabilities of U.S. critical \ninfrastructure, the unfortunate reality is that, at least for the \nnext decade, the offensive cyber capabilities of the most \ncapable adversaries are likely to far exceed the United States' \nability to defend key critical infrastructures.\n    So, back to my statement, my opening statement, FERC uses a \ndualfold approach. If you imagine two geometric shapes, a \npyramid, foundationally, that's where we put the cybersecurity \nstandards. These standards are developed in the open, and \nthey're deliberative, and they're iterative. 
Our adversaries \nare capable of reading the standards and adapting to those \nstandards, even before they are put into place, which is spoken \nto by our intelligence community assessments.\n    However, at the apex of the pyramid, that's where the \nnation-state threats lie. It's a matter of information sharing \nbetween the agencies and between the industry to make certain \nthat they can address these threats. And those threats really--\nsorry. I am sorry. I see the time.\n    Mr. Lynch. Yes, thank you. The chair now recognizes the \nRanking Member, Mr. Grothman, for five minutes for questions.\n    Mr. Grothman. Thank you. Kind of what you said there, Mr. \nMcClelland, is kind of a little bit scary. So, you feel today \nthat our grid is vulnerable, and most people probably think it \nis, but you think it's significantly vulnerable to cyber \nattack?\n    Mr. McClelland. I would say that the worldwide threat \nassessment from DNI--the current threat assessment--certain of \nour adversaries have the capability to target and disrupt these \nservices.\n    Mr. Grothman. OK. I think our cyber posture is three parts: \nit's defense, it's response, and reaction. If there were a \nsuccessful attack on a significant part of the United States, \ndo we have a fallback position? Or how quickly do you think \nwe could get back our grid?\n    Mr. McClelland. I think that depends on the attack. You \nknow, was infrastructure simply interrupted? Were services \ninterrupted? For instance, was it a denial of service \nattack? Or were the adversaries able to gain access to the \nnetworks, and, particularly, the operational technology \nnetworks, and at that point, damage or destroy equipment that's \nnecessary to operate the power grid?\n    Mr. Grothman. That's kind of the question. If they damage \nequipment, do we have a fallback position here? Would we have to \nbuild something new? 
I mean, what would happen if part of the \ngrid you picked in that part of the United States is destroyed \nor disabled, how long would you be able to--before being able to \nget the grid up and going again?\n    Mr. McClelland. Well, the industry does operate to an N-\nminus-1 contingency, which means it can suffer the single \nlargest contingency on the grid and continue operations. So, it \ncan continue to provide power if it loses the single largest \ncontingency. If there are multiple contingencies, those can \nresult in prolonged outages. And those outages depend on the \nextent of damage to the equipment and the availability of that \nequipment.\n    Mr. Grothman. OK. So, you feel one attack, we always have a \nbackup, and more than that, we could have big trouble?\n    Mr. McClelland. I am sorry. Would you repeat?\n    Mr. Grothman. Do you feel we have enough to handle one \nattack without being a disaster, but if we have more than one, \nwe have huge trouble? Is that accurate?\n    Mr. McClelland. If it's beyond the N-minus-1 contingency, \nthen the power grid service can be interrupted. That is \ncorrect.\n    Mr. Grothman. Mr. Goldstein, do you agree with that, or do \nyou want to comment on the same question?\n    Mr. Goldstein. Sir, I will defer to my colleagues at \nDOE for their assessment of the resilience of the \ngrid itself.\n    Mr. Grothman. OK. Mr. Kumar.\n    Mr. Kumar. Thank you for the question, sir. So, there's \nboth a benefit and a concern when you have 3,000 electric \nutilities in the United States. The concern is certainly the \ncomplex nature of how it is all connected, and how we need to \nensure that the cybersecurity posture across the board is \nraised up. But that complexity is also--it's a resiliency. 
\nBecause of the different types of networks that are set up \nacross the different utilities, what you can also have is some \nsort of resiliency built in because it's not going to be able \nto go--traverse from one utility to the next as easily.\n    With that said, to answer your question more specifically, \nyou know, the concern that I have is more focused around supply \nchain threats. It is much like we saw with SolarWinds, where it \ntook one supplier that was across 16,000 organizations. That's \nthe threat that I am concerned about, and that's where I am \nfocused on is what are those critical components, critical \nmanufacturers and suppliers that are across the energy sector? \nAnd if they are impacted, then they can actually be the attack \nvector into these utilities. So, that's where a lot of my \nconcern is right now in terms of addressing the supply chain \nthreat, sir.\n    Mr. Grothman. Do you feel we have enough defense right now \nto prevent that or no?\n    Mr. Kumar. In terms of--the perspective we have is, \ncurrently the assessment that my colleague from FERC mentioned \nis we think that there is the capability to have a temporary \nand localized disruption to energy supply per the DNI's \nassessment. But in terms of the resiliency, I do think the \nsector does have resiliency built in; the N-minus-1 criteria that \nJoe mentioned is really important.\n    But in terms of what we do right now is we practice the \nresponse. So, if this were to happen, how do we get either a \nspare transformer in, or another piece of equipment quickly in? \nSo, that's something that we are constantly doing with the \nsector in terms of preparing for that type of incident.\n    Mr. Grothman. I understand you might not be able to speak \nto this, but I want it on the record. It's important we don't \nlet malign actors get away with these actions, especially if \nthey are affiliated with nation-states like Russia or China. 
If \nsomething happened like you were describing, how quickly do you \nthink we would be able to--say, one utility had huge problems, \nhow quickly do you think we would be able to get the grid in \nthat area or that factory up and running again?\n    Mr. Kumar. Sir, thank you for that question. It's a complex \nproblem. It really depends on the type of attack vector. Is it \na piece of software that's critically used? Is it a piece of \nhardware? And that's going to factor into how we respond as a \ngovernment to really respond to this type of incident. \nUnfortunately, there isn't a great answer until you start to \nsee it.\n    Now, with the SolarWinds type of incident, what we're \nfocusing on is working with the GEs, the ABBs, the large \nindustrial control system manufacturers, to ensure that there \nare backups and redundancy built into these systems so that we \ncan go to a backup plan. And so, that is an area that we have \nbeen working with the sector on, and the concept is called \nspare tire. Can we go to a manual mode if we can't rely on our \ndigital systems?\n    Mr. Grothman. It seems to me that private companies, if \nthere were no threat of attack, would not invest as much as \nthey have to if there was an attack, right? It seems the \nquestion is, for the good of society as a whole, we need a fallback \nposition. Do you think there's some role for government there \nor not?\n    Mr. Kumar. Sir, I appreciate the question. I feel like \ngovernment does have a role in terms of really working with the \nsector to bolster the defenses. This is why we launched the \nIndustrial Control Systems Initiative because we really need to \nstart looking at cyber adversaries in those critical systems, \nand then be able to correlate that information from our end. We \nwant to correlate it with our colleagues at CISA from a cross-\nsector perspective, and then we want to correlate it with our \nintelligence community, so we can get a feedback loop back to \nthe sector. 
And we need to continue pushing on this and \nincentivizing cybersecurity across the board.\n    Mr. Grothman. I would like to thank the chair for his \ngenerosity.\n    Mr. Lynch. Absolutely. The gentleman yields back. The chair \nrecognizes the gentleman from Vermont, Mr. Welch, for five \nminutes.\n    Mr. Welch. Thank you. Thank you, Mr. Chairman. I want to \nthank the witnesses, too. The National Institute of Standards \nand Technology cybersecurity framework includes guidance and \nbest practices that are, of course, widely regarded as \nfoundational elements.\n    Mr. McClelland, why do the North American Electric \nReliability Corporation Standards not fully integrate the NIST \ncybersecurity framework?\n    Mr. McClelland. Thank you for the question. In August 2019, \nGAO submitted a report to Congress comparing the NERC CIP \nstandards to the NIST framework. In that report, GAO concluded \nthat the CIP standards did not cover some of the NIST framework \nrequirements. In response to that report, FERC staff began an \ninvestigation to benchmark the NERC CIP standards against the \nGAO framework.\n    It's important to note right at the onset that the two \nbodies don't necessarily compare equally. And just a few \nexamples, the NERC CIP standards focus, specifically, on \noperational technologies necessary to ensure operations to the \nbulk power system, where the NIST framework focuses on both IT \ninformation technology and OT operational technology. The NERC \nCIP standards do not necessarily reflect best practices. \nThey're foundational standards, and they're foundational \npractices, but----\n    Mr. Welch. What do we have to do in order to get to a place \nwhere we have some confidence that we'll be able to resist \nthese attacks?\n    Mr. McClelland. So FERC, after the analysis, FERC did issue \nnotice of inquiry. It was in June 2020.\n    Mr. Welch. Right.\n    Mr. McClelland. 
It, specifically, identified categories of \nfunction to the industry for open comment, asking whether or \nnot the NERC CIP standards could improve in comparison to the \nNIST framework.\n    Mr. Welch. So, what do you think? Do you believe the gaps \nin the current reliability standards do present a risk to the \nbulk electrical system?\n    Mr. McClelland. The comments were received. I just need to \nfinish that quickly.\n    Mr. Welch. I'm sorry.\n    Mr. McClelland. So, in September, we received comments. Now \nit's the subject of an ongoing proceeding. So, I can't speak \nany further about it. But I can tell you that the matter is \nunder active consideration by the Commission, having received \ncomments from any interested party and comparing the NERC CIP \nstandards to the NIST framework.\n    Mr. Welch. The bottom line, though, is that we really got \nto get some resolution on that in order to have a higher degree \nof confidence that we can resist the cyber attack, right?\n    Mr. McClelland. Again, I just cannot comment on an ongoing \nproceeding. I couldn't give any perspective on that proceeding. \nI am sorry, sir.\n    Mr. Welch. All right. Let me ask this: On the NERC \nreliability standard, as I understand it, they're only \nmandatory for bulk power systems of over 1,500 megawatts of \npower. And there's some possibility that there could be a \nnumber of attacks that are on separate systems, but the \naggregate can well be over 1,500 megawatts. And we don't have \nthe information about how we would resist that attack. Does \nFERC now have any information? And has the agency assessed the \nimpact of a cyber attack on geographically dispersed power \nsystems?\n    Mr. McClelland. Yes, FERC is--that's another matter that is \nunder active consideration at FERC. Again, it's the content of \nan internal deliberation, so I can't speak to it. But it is an \nimportant aspect, and FERC has identified that as such.\n    Mr. Welch. 
So, where do we need to be to improve our \nconfidence about our capacity to protect the grid? I mean, we \ngot to get to the bottom of these questions, right?\n    Mr. McClelland. Right. And these are subjects of active \nproceedings at FERC.\n    Mr. Welch. All right. Well, thank you very much, gentleman.\n    Mr. McClelland. Thank you.\n    Mr. Welch. I yield back.\n    Mr. Lynch. I'm just--I'm a little bit frustrated that we \ncan't get at these answers because we have a proceeding \nelsewhere. What's the nature of your--the privilege that you're \nclaiming here?\n    Mr. McClelland. As an active proceeding, one that's under \ndeliberation, as a staff member, I cannot comment on the merits \nand the timing of that active proceeding. And this isn't----\n    Mr. Lynch. I don't think he was asking you about a certain \nproceeding. He was asking you about how to protect the power \ngrid for the country.\n    Mr. McClelland. It was in comparison, for instance, to the \nNERC--I am sorry, Mr. Chairman. Mr. Chairman, it was in \ncomparing the NERC CIP standards to the NIST framework. And \nthis is an active proceeding at the Commission. It's under \ndeliberation.\n    Mr. Lynch. So, if we went into classified session, would \nyou be able to discuss it then?\n    Mr. McClelland. I could not, Mr. Chairman. Because the \ncontent and timing of a deliberation at FERC cannot be \ndisclosed.\n    Mr. Lynch. OK. We're going to have to have you back then. \nThe chair recognizes the gentleman--I apologize to the \ngentleman that it was not fruitful.\n    Mr. Welch. No, you better stated my puzzlement, and I \nappreciate that.\n    Mr. Lynch. Oh. Absolutely. The chair now recognizes the \ngentleman from Arizona, Mr. Gosar, for five minutes.\n    Mr. Gosar. Thank you, Mr. Chairman. As you are aware, the \nadministration released 100-day plan in April to address \ncybersecurity shortcomings within our electric grid. 
The plan \ntapped the Department of Energy as the lead for its \nimplementation rather than the Cybersecurity and Infrastructure \nSecurity Agency, or CISA. Some experts, like Damon Small, \ntechnical director for security consulting at NCC Group North \nAmerica, have pointed out that while the current plan takes \ngeneration and transmission of bulk power into consideration, \nit fails to consider distribution. Original equipment \nmanufacturers, or OEMs, that supply industrial control systems \nshould be a part of that conversation as well.\n    Joe M. Weiss, a noted control systems cybersecurity expert, \nargues that the real danger to the grid does not lie in the \nnetworks, but rather in the industrial controllers and the \nhardware, like the transformers and turbines. And that the \nelectric grid is vulnerable to electronic triggers buried in \nbulk power equipment that is predominantly sourced from China.\n    Contributing to this danger, engineers who manage the \nindustrial control systems used to be responsible for their \ncybersecurity, but now have surrendered that function to \ncomputer engineers, which is why it is argued that these systems are \nvulnerable to being disrupted by bad actors without the normal \nIT alerts being sounded.\n    The Chinese Government installing a back door in a \nlarge transformer destined for a substation in Colorado and \nthe SolarWinds attack are proof of supply chain attacks that \nwere not detected by IT network monitoring or threat \nintelligence. This needs to be our focus.\n    Mr. Kumar, what percentage of the U.S. energy grid includes \ncomponents manufactured overseas?\n    Mr. Kumar. Sir, thank you for the question. And \nunderstanding the supply chain of our critical energy systems \nis very important to us. To that end, the President issued an \nexecutive order really focused on America's supply chains. 
And \none of the key components of that is looking at those critical \ncomponents, like transformers, as you rightfully noted, that \nare so critical to the reliability of our electric grid, and \nwhere are we manufacturing a lot of those components? And one \nof the key things that we have seen with large power \ntransformers, as, sir, you certainly recognize, is we don't \nmanufacture the large power transformers in the United States \nanymore. And that is a huge gap that we have as a country.\n    And so that is something that we're certainly going to be \nlooking at in terms of where we are producing a lot of these \ncritical, critical components on the U.S.--in the U.S. energy \nsector as part of some of that report.\n    Mr. Gosar. So, to answer my question, zero are made here in \nthe United States? They're in foreign countries, right?\n    Mr. Kumar. So, when you talk about large power \ntransformers, today, large power transformers are built abroad. \nYou are absolutely right.\n    Mr. Gosar. Thank you. So, was it necessary for the Biden \nadministration to suspend President Trump's EO restricting the \nprocurement of foreign electric equipment? Couldn't Secretary \nGranholm have reviewed the executive order without \nsuspending it? Mr. Kumar?\n    Mr. Kumar. Thank you for that question, sir. Again, \nsupply chain security is a critical component of \nour energy sector, as I mentioned during my----\n    Mr. Gosar. I understand, but isn't it--well, wouldn't it be \nplausible, much better off, that the Secretary didn't suspend \nPresident Trump's initiative, because it would have helped us \nalong this pathway?\n    Mr. Kumar. Sir, what we found was we got feedback from the \nprivate sector that they were looking for additional \nclarification. So, one of the things that we have done is we \nwant to take a more holistic approach.\n    One of the other things that we took into account was we \nhad SolarWinds happen last year. 
SolarWinds really changed how \nwe're thinking about supply chain threats across the board. \nAnd, so, what we wanted to do was have consistent policy that \nactually helped move the ball forward. And, so, this pause in \nthat policy allowed us to seek input from the private sector, \ninteragency, and others to really develop a stronger policy \nrelated to supply chain security. So, that's where we're \nfocused. And we just received input through our RFI process. \nAnd we're in the process of reviewing all of the RFIs so that \nwe can come back with a stronger approach. And I would be happy \nto follow up with you on that, sir.\n    Mr. Gosar. Yes, so, I guess my point in time here is \nthat now we're suspending a lot of the necessary supply chains \nhere in this country that can be manufactured, whether it be \nelectronic pieces, whether it be the rare earths and copper \nmanufacturing process pieces for these transformers and in \nthese big aspects.\n    So, I mean, it seems like we're in a negative transfer \nabyss. That is, we're chasing our tail around and around and \naround. We don't have the supply chains. We don't have the \ncritical elements to build them. We don't have the \nmanufacturing to build them. This is a complex issue. And time \nis of the essence. And it doesn't seem like we're going to be \ngetting anywhere quick unless we fast-track this. Is that your \nunderstanding?\n    Mr. Kumar. Sir, so in the interim, where we have been \nfocusing all of our efforts is working with manufacturers \ndirectly. So, we just signed partnerships with ABB, Hitachi, \nSchneider, and Schweitzer. And they have come on board with DOE \nto test pieces of their equipment. Because the reality is, a lot of \nthis equipment, whether it's hardware or software, is sourced \nglobally. 
And so what we really need to get to is really \nworking with the manufacturers and suppliers to actually \nengineer out a lot of the cybersecurity concerns.\n    So, we actually have had a lot of positive success with \nthose manufacturers to ensure that we can actually test their \nequipment down to the chip level, and down to the firmware level. \nSo, we have had a lot of success on that. And we're going to \ncontinue to do that, and we look forward to participation by \nsome of those other manufacturers to come to the table, whether \nthey're manufacturers of large power transformers, or SCADA \nequipment, or relays. Those critical components, we want to \npartner with them. We want to help them really ensure that they \nknow the pedigree of their software and hardware before this \nequipment ever gets deployed on our electric grid.\n    Mr. Gosar. And one more last question, Mr. Chairman. So, \nwhat other agencies are we working with, or are we siloing \nthis? It seems like this is a very complex issue that \ntranscends different agencies. So, isn't there a great \nprocess here to work functionally with all the agencies to have \na cohesive, well-planned, thoughtful process?\n    Mr. Kumar. Thank you for raising that. I think it's one of \nthe reasons that the sector risk management agency structure \nworks so well in this country. Because what happens is, if \nwe're focused on something from an energy perspective, we want \nto ensure that our partners at CISA are aware of those \nvulnerabilities and threats, because we want them to be looking \nat them across the board. We want them to be looking at \nchemical industrial control systems and industrial control \nsystems in other sectors. So, we partner very closely with our \ncolleagues at CISA.\n    In fact, last year, actually earlier this year, we released \na really critical vulnerability in relays that was being used \nin a specific manufacturer. 
And how we released it was in close \ncoordination with our partners at CISA to get the word out \nthere, once we had worked with the manufacturer to find a \npatch.\n    So, you are absolutely right that we need to be working \ncollaboratively, and that's how we do it with CISA. But we're \nalso working with our colleagues at FERC to help inform their \nprocess. And then, of course, we work with the intelligence \ncommunity because we want them to know where are the threats, \nwhere are the risks in these groups of components, so they can help \nus through their own missions to really help us address these \nrisks.\n    Mr. Gosar. Thank you, Mr. Kumar. And I yield back, Mr. \nChairman. Thanks for your indulgence.\n    Mr. Lynch. The gentleman yields back. Just a clarification \non the gentleman's question and your answer. The large \ntransformer manufacturers who are no longer operating within \nthe United States, are they U.S. companies, or are they foreign \ncompanies?\n    Mr. Kumar. Sir, it's a mixed bag in terms of----\n    Mr. Lynch. So, we do have U.S. manufacturers that are \nmanufacturing large transformers overseas?\n    Mr. Kumar. So we have, for example, ABB, Hitachi.\n    Mr. Lynch. Yes.\n    Mr. Kumar. They're producing more of the medium voltage \ntransformers in the United States right now. And so there are \nsome manufacturers that are making transformers in the United \nStates, they are just not the large power transformers. And so \none of the things we would like to do is partner with them to \nreally encourage a lot of this domestic manufacturing of those \ntransformers. But there are other transformers that are being \nbuilt by other countries out there as well, and I would be \nhappy to follow up with you with the list of those companies.\n    Mr. Lynch. All right. Thank you. Thank you very much.\n    The chair now recognizes the gentlelady from California, \nMs. Speier, for five minutes. Welcome.\n    Ms. Speier. Thank you, Mr. 
Chairman.\n    Let me ask Mr. Kumar to begin. Since 85 percent of our U.S. \nelectrical grid relies on parts and equipment from overseas, I \nmean, it's prime to be somehow manipulated or compromised as a \nresult. And I know FERC has approved a new supply chain risk \nmanagement reliability, but I don't know if it goes far enough.\n    So, first of all, let me ask you, Mr. Kumar, are you also \nworking with the NSA and their interface with their corporate \nentities outside of the intelligence community?\n    Mr. Kumar. Congresswoman, absolutely. We want to take a \nwhole-of-government approach. These challenges, particularly \nwhen it comes to supply chain challenges, are too great. We \nhave to be leveraging the authorities, the capabilities, and \nthe expertise across the government. And so we're absolutely \nworking on the intelligence side with our colleagues. In the \nbroader intelligence community, NSA is certainly included. But \nalso in terms of protecting critical infrastructure, this is \nwhere we need to be partnering with other agencies, such as \nCISA, who helps us all be connected in these efforts as we look \nat our supply chain.\n    I do want to raise up an issue you mentioned, I think it's \nan important one, and that's looking at a lot of our components \nand particularly just new components that we're putting onto \nthe grid. This is where we think it's of the utmost importance \nto employ a philosophy in the United States of security by \ndesign, and the concept is we really need to be looking at the \nnext generation systems.\n    So, to that end, what we have done is we've collaborated \nwith DOE's Office of Energy Efficiency and Renewable Energy as \nwe start to look at wind turbines, solar panels, nuclear \ngeneration, and, of course, fossil energy. How do we ensure \nthat the R&D being done on those systems has cybersecurity \nembedded into it? 
So, this is a mandate that the Secretary, \nSecretary Granholm, has asked CESER to lead across the board, \nthat cyber is a core component of everything that the \nDepartment does, through the R&D at headquarters but through \nour national laboratories as well.\n    Ms. Speier. Thank you.\n    Mr. Goldstein, can you tell us about the programs that CISA \nhas undertaken to warn critical infrastructure owners and \noperators about risks specific to foreign-produced equipment \nand software?\n    Mr. Goldstein. Certainly. Thank you for that question. As \nmy colleague at DOE noted, CISA really focuses on understanding \nbroad cross-sector risks to the Nation's critical \ninfrastructure in close collaboration with the SRMAs that bring \nunique sectoral expertise for entities within their purview.\n    At CISA, we manage the Information and Communications \nTechnology Supply Chain Risk Management Task Force, which is a \npublic-private body intended to bring together the producers \nand developers of much of the platform technologies that we see \nubiquitously utilized across sectors in order to understand the \nrisks posed by certain technologies and also, most critically, \nto drive best practices to reduce supply chain risk throughout \nthe life cycle.\n    Ms. Speier. So here--excuse me. Here's my question, though. \nYou can have the wherewithal to provide this support and \ninformation to these many operators around the country, but if \nthey either don't know about it or don't avail themselves of \nit, they become that much more vulnerable to foreign attacks. \nSo, what are you doing to somehow lure them into a discussion \nand a training that will provide them that kind of information?\n    And then, second, have you created a list of banned \nforeign-produced equipment and software that is known to pose a \nthreat to the U.S. critical infrastructure cybersecurity?\n    Mr. Goldstein. Certainly. As to the first question, our \nhope is that luring is not required. 
Our hope is that by \ncommunicating effectively with critical infrastructure across \nthis country through the multiple information sharing groups \nthat CISA administers in coordination with the SRMAs and our \nother partners in government, we are able to share timely and \nactionable information about vulnerable hardware and software \nthat may need to either be mitigated or replaced.\n    And our focus here really is on the vulnerabilities as \nopposed to the foreign provenance in the first instance. And by \nsharing information about vulnerable technology assets, that \nthen enables an infrastructure owner-operator to take concrete \nsteps to address a particular risk in their environment.\n    To your second question, ma'am, there is not currently a \nlist maintained by CISA of banned technology assets for \ncritical infrastructure. It does bear noting that Congress \nrecently created the FASC, which is an interagency body \nintended to assess the risk of foreign-produced vulnerable \ndevices in Federal networks and has the authority to issue \nexclusion orders for those assets. That body is active now, and \npresumably an exclusion order issued by the FASC could be taken \nup by sectors across critical infrastructure or by sectoral \nregulators.\n    Ms. Speier. All right. Thank you.\n    Let me just conclude by urging all of you to recognize that \nwe are the last to respond more often than not. Huawei was \noperational in this country for over 10 years before we finally \ngot the message that they shouldn't be allowed to do so. ZTE is \nyet another example. We are very late in doing what we should \ndo early on, and I just hope that you recognize your \nresponsibility to act swiftly when there are either known or \nsuspected foreign intrusions and/or equipment that poses a \nproblem to us.\n    With that, Mr. Chairman, I yield back.\n    Mr. Lynch. The gentlelady yields back.\n    The chair now recognizes the gentleman from Georgia, Mr. 
\nJohnson, for five minutes.\n    Mr. Johnson. Thank you, Mr. Chairman, and thank you for \nholding this very important hearing.\n    And if I can pull my questions up here.\n    OK. It was not long ago that a cyber attack on Colonial \nPipeline, a company located not far from my district, disrupted \nthe lives of millions and threatened our economy. This was just \none of the many recent attacks which have raised serious \nconcerns about America's ability to defend its critical \ninfrastructure and economy from cyber threats. But these \nattacks have also presented opportunities to learn and to \nharden our defenses.\n    One lesson is crystal clear: Information sharing between \nthe government and the private sector is absolutely essential \nto defending our Nation against cyber attacks. This is \nabsolutely true for electric utilities, and for this process to \nwork, private utility companies must quickly and fully disclose \nany cyber intrusions on their systems to the Federal \nGovernment.\n    Mr. McClelland, I understand that under current NERC \nreliability standards, electric utilities are required to \nreport certain cyber incidents to the Federal Government. Is \nthat correct?\n    Mr. McClelland. That is correct, Representative.\n    Mr. Johnson. And can you describe for me the types of \nincidents that must be reported and why utilities are not \nrequired to report all incidents?\n    Mr. McClelland. The attacks--as I understand the \nrequirements, the standard, the attacks require the utilities, \nthe applicable utilities to report either successful cyber \nintrusions or cyber incidents that may not have constituted a \ncyber intrusion but they were threats to the utility system.\n    Mr. Johnson. How effective has this requirement proved to \nbe in practice?\n    Mr. McClelland. The requirement is relatively new. 
I'm not \nfamiliar with the results, but I'd be happy to take that as a \nquestion for the record and provide a followup answer for you.\n    Mr. Johnson. Well, thank you. I appreciate that.\n    And to all of the witnesses, does the government have data \non incidents that go unreported?\n    Mr. Goldstein. Thank you, Congressman. It's a great and \nimportant question, and the answer is we don't have enough \ndata. We know that there are still across sectors a number of \nintrusions today that are not reported to the U.S. Government, \neither to CISA, to an SRMA, or to Federal law enforcement, and \nthis presents a few problems.\n    First, it precludes the government, including CISA, from \noffering assistance to the victim. It limits our ability to \ndevelop actionable information that could be used to protect \nother victims before similar events occur, and it limits our \nability to understand the extent of national risk, for example, \nadversary campaigns that are emerging across sectors of the \neconomy.\n    As you may be aware, CISA recently worked with TSA to \nestablish a security directive requiring reporting of incidents \naffecting certain pipelines to CISA, but even so, this sector-\nby-sector approach may in itself not reach the breadth of \nreporting that the U.S. Government needs to understand national \nrisks.\n    And for that reason, we very much look forward to working \nwith Congress to ensure that there's incident reporting \nlegislation passed into law that would provide the breadth of \nreporting needed to understand and manage these significant \nthreats.\n    Mr. Johnson. Well, Mr. Goldstein, what mechanisms does the \ngovernment have to enforce these reporting requirements? How \noften are they used and how effective are they?\n    Mr. Goldstein. I'm very sorry.\n    Mr. Johnson. Do I need to repeat that question?\n    Mr. Goldstein. Yes, sir. If you wouldn't mind, that would \nbe great. I appreciate it.\n    Mr. Johnson. OK. 
What mechanism does the government have to \nenforce these reporting requirements? And how often are they \nused and how effective are these enforcement requirements, \nenforcement mechanisms?\n    Mr. Goldstein. Got it. Thank you, sir. It's a great \nquestion.\n    So, one challenge today is there is no blanket reporting \nrequirement for businesses or critical infrastructure in this \ncountry. Instead, these reporting requirements are generally \nsectoral and enforced by the unique authorities of a given \nregulator. And so, for example, the enforcement authorities \nthat FERC may be able to levy would be dramatically different \nthan the TSA or the Federal Reserve Board. And so absent a \ncommon reporting regime and a common mechanism of enforcement, \nit is difficult to assess the efficacy and to ensure that the \nbreadth of reporting is coming in to CISA and thereby to our \npartner agencies.\n    Mr. Johnson. Thank you, Mr. Goldstein.\n    From CISA's perspective, are the current NERC reporting \nstandards comprehensive enough or do we need additional \nmandatory reporting requirements for electrical utilities?\n    Mr. Goldstein. So over--as a broad question, there are two \nchallenges with reporting requirements today. The first is, \nbecause they have developed sector by sector, they have \ndivergent requirements, for example, the definition of an \nincident, as well as the timeframe for reporting and the \ncontent of a report. And then, as we've discussed, the fact \nthat they are currently sectoral means that they are incomplete \nand do not cover the breadth of organizations that should be \nreporting to the Federal Government when they have an intrusion \nthat could impact the sort of national critical function that \nwe care so much about.\n    Certainly, the existing NERC standards, as my colleague \nnoted, are fairly new. 
Our understanding is that they do \nprovide the necessary degree of data and that reporting does \ncome to CISA as defined in the regulation, but, of course, you \nknow, there may be other aspects of the energy grid for which \nadditional reporting would be beneficial to help the U.S. \nGovernment understand the breadth of risks, which is a \ncommonality that we see across sectors.\n    Mr. Johnson. Mr. Goldstein, should electrical utilities be \nobligated to give CISA access to systems to conduct forensic \nanalysis in the wake of an attack?\n    Mr. Goldstein. Thank you, Congressman. Our perspective is \nthat it is critically important for the U.S. Government to have \naccess to information about cybersecurity intrusion subsequent \nto a security incident. This allows us to glean information \nthat we can use to protect others. It also allows us to \nunderstand if the intrusion is correlated to, for example, a \nnation-state campaign that's affecting multiple sectors.\n    One way of enabling that information is by providing CISA \nwith the ability to conduct incident response or threat hunting \nservices for a victim. That is a service that we are ready, \nwilling, and frequently provide. But it is also the case that \nif a victim organization chooses to bring in one of the many \nhighly qualified commercial incident response firms, that is \nperfectly reasonable as well. The key part is that CISA then \ngets information from that incident response that we can use to \ndo our job and protect others.\n    Mr. Johnson. Thank you.\n    Any additional authorities necessary to respond to and \ndeter any cyber attacks?\n    Mr. Goldstein. Thank you, Congressman. So, I think we've \ndiscussed here the main one, which is broader requirements for \nincident reporting for significant cybersecurity incidents \nacross this country. 
That will go a long way toward helping, \nnot only CISA, but our partners at the SRMAs and Federal law \nenforcement understand the breadth of cybersecurity risks we \nare seeing and take urgent action response.\n    Mr. Johnson. Thank you.\n    Mr. Chairman, I believe my time has expired, and I \nappreciate the additional time.\n    Mr. Lynch. OK. The gentleman yields back.\n    Let me just ask, to follow up on the gentleman's question. \nIn my district, we had a couple of incidents where a gas line \ninadvertently released gas into the general community. We had \nthe FBI come in. I didn't have them come in, but they came in \npursuant to the pipeline operator's request.\n    Would the FBI be a--would they have a database, or would \nthey be a repository of some of these incident reports if they \nare called in to investigate?\n    Mr. Goldstein. So, we work extraordinarily closely with the \nFBI every day. We conduct joint incident response together. We \nnotify victims together. You know, our general rule as a \ngovernment is a call to one is a call to all, and I think that \nactually now works very well in practice. But even the FBI, \neven given their breadth of personnel in the field offices \nacross the country, still has certainly insufficient visibility \ninto cybersecurity intrusions. And so some entities today call \nCISA, some call the FBI, some may call an SRMA.\n    You know, we need a cohesive approach to this problem as a \ncountry that is going to ensure that we actually understand the \nnature of the threat we are seeing, we understand how our \nadversaries are breaking into networks across critical \ninfrastructure, we are helping to prevent similar attacks \nbefore they occur, and we are understanding the potential \nimpacts of critical functions before they manifest and result \nin service disruptions that could harm the American people.\n    Mr. Lynch. OK. 
Thank you.\n    The chair now recognizes the distinguished gentleman from \nRhode Island, Mr. Langevin, for five minutes.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    First, I want to thank you for the accommodation allowing \nme to waive on to the committee for the purpose of asking \nquestions at the hearing, and I want to thank you for your \nleadership on cybersecurity. I know how seriously you take this \nissue, and we appreciate the leadership of these gentlemen and \nthe work that we have been able to collaborate on together.\n    Likewise, I would like to thank the panel for their \ntestimony this afternoon, the work that you're doing to try to \nprotect the Nation against cyber threats, especially those of \nsignificant consequence.\n    That said, Mr. Kumar, I just wanted to follow up on a line \nof questioning. You talked about the different power generation \npiece of equipment, some that are produced here, others, the \nlarger ones, that are produced overseas, if I understood all of \nthat correctly. And given the fact that these are not like \nbatteries that sit on a shelf and you just, you know, pop one \nin and out easily if something becomes disabled, and \nunderstanding the Aurora threat, where for the first time back \nin 2007 saw how a cyber attack through a data intrusion could \ncause physical damage to a turbine, would not it be wise to \nhave a, say, industry strategic national stockpile of \nadditional power generation equipment of a certain number that, \nwere a turbine or series of turbines be destroyed, that we \nwould have the ability to reconstitute quickly as opposed to \nthese things take months to build, ship, and install, and not \nhaving some on hand? Have we done any of that? Are we thinking \nabout it in those terms?\n    Mr. Kumar. Thank you for the question, sir. So, the \nDepartment did do research in this case. We looked at whether a \nstrategic transformer reserve made sense in the country. 
So, we \nactually did a series of reports, and we worked very closely \nwith our industry partners to really look at what are the \nchallenges when it comes to bringing in these critical pieces \nof equipment, as you rightfully identified. And so what we \nfound through a lot of that reporting was we should be thinking \nabout strategic transformers and the sharing of transformers.\n    And so to that end, since writing some of these reports, \nthe industry itself has set up three different programs in the \nelectricity industry to really share transformers during an \nemergency. It's Grid Assurance, SpareConnect, and the STEP \nprogram. These programs allow one utility to share a \ntransformer with another utility. Grid Assurance goes a step \nfurther. It actually goes beyond just transformers. It's \nlooking at relays and other critical equipment.\n    So, our hope is, as we start to identify these critical \npieces of equipment, particularly ones perhaps that are long \nlead kind of equipment, how do we inform that back to the \nprivate sector so they can continue developing these mechanisms \nto have these types of reserves.\n    The government's role, another portion that we feel like we \nneed to address and help with is these large power transformers \nare 200 to 300 tons, and what we often find is the logistics of \nmoving a transformer at 20 miles an hour, maybe less, across \nfrom one part of the country to the other is a huge challenge \nof moving such a large piece of equipment. So, the focus we've \nhad is working with our colleagues at the Department of \nTransportation, of course the states, to really understand the \nlogistics of moving these large power transformers from point A \nto point B.\n    The other piece that I referenced earlier, sir, is that we \nneed to really look at domestic manufacturing. How do we \nincentivize some of that domestic manufacturing of these \ncritical components in the United States? 
I know that is a key \nfocus of Secretary Granholm as we start to develop this report \nregarding America's supply chains, and so there's going to be \nmore to come on that.\n    Mr. Langevin. Thank you. I think it's an important issue to \naddress.\n    Director Goldstein, thank you for being here. As you know, \nI'm a big proponent of the Joint Cyber Planning Office \ncurrently being stood up at CISA, and I think the JCPO will be \ncritical for bringing the interagency, including the Department \nof Energy and the private sector, together to coordinate \nplanning and exercises to protect critical infrastructure like \nthe grid.\n    So, Director Goldstein, can you give us a status update on \nJCPO? In addition, how do you view the planning and exercise \nfunction of the office fitting in with other operations and \nanalytics functions carried out by CISA?\n    Mr. Goldstein. Thank you for the question, sir. And as \nalways, thank you for your work on behalf of our national \ncybersecurity mission. We are deeply grateful every day for it.\n    We continue to make progress in implementing critical \nfunction which, as you note, is going to be foundational to our \nability to prioritize, plan for, exercise, and then execute \ncoordinated cyber defense operations with government and the \nprivate sector. 
We are preparing now for our initial launch of \nthe organization, which will involve multiple private sector \ncompanies as well as our partners across the interagency, and \nwe intend for that work to be really a pilot for what this \neffort will be able to do when it scales forward.\n    The way that I would think about this for broader \nintegration is this will be our effort to, in the first \ninstance, understand what are the most significant risks that \nwe care about managing as a national cybersecurity community, \nwith CISA, of course, at the helm for civilian cyber defense; \nhow do we develop plans jointly with the interagency and with \nindustry to understand how we mitigate the plans----\n    [Audio interruption.]\n    Mr. Lynch. Someone's got a live mic. We ask all members to \nmute.\n    Mr. Goldstein. Thank you, sir. My apologies.\n    Mr. Lynch. Thank you. You may proceed.\n    Mr. Goldstein. Thank you.\n    Once we have our list of prioritized risks, develop joint \nplans with government and the private sector, exercise those \nplans in the same joint manner between industry and the private \nsector, and then when a risk manifests, execute those plans to \nensure that we are taking collective action to mitigate risks \nto entities that could be harmed.\n    So, if we think about layering this in with our existing \nmodel for cyber defense operations, you know, we could envision \na planning sprint focused on certain risks through the energy \nsector, where we would ensure that CISA's asset response \ncapabilities, DOE's expertise as the SRMA, and then our \npartners in industry, but not just industry in the energy \nsector, but cross-sector entities in the private sector, are \nall coming together saying, when the bad day that we've \ndiscussed today occurs, how do we take joint action to ensure \nnot only that we're minimizing the impacts to the energy sector \nbut we are understanding and proactively addressing cross-\nsector impacts; bringing 
together team members from government \nand the private sector to do this work, both in person and via \nour analytics platform that we are developing for joint \ncollaboration, in coordination with the interagency and our \npartners across industry.\n    So, this really will be the formalization of CISA's \ncritical role in leading civilian cyber defense for the \ncountry, but it's a role that we can't do alone and requires \nthe robust collaboration from day one with the SRMAs, with our \nother partners, including Federal law enforcement and the \nintelligence community, and perhaps most critically, the \nprivate sector who, of course, are going to be the executors of \nso much critical work to mitigating the risk.\n    Mr. Langevin. Thank you very much.\n    Mr. Chairman, I had two additional questions, but I could \nsubmit those for the record.\n    Mr. Lynch. You can fire away, Jim, if you want.\n    Mr. Langevin. OK. Thanks, Mr. Chairman.\n    So, Director Goldstein, last year's NDAA also required us \nto develop a Continuity of the Economy plan. So, this plan will \ngovern how we respond to and recover from a significant \ndisruption to our economy, thinking of in terms of what to \nprioritize first if the bad day happens and what do we need to \nget up and running first to keep our economy on track, you \nknow, one perhaps epitomized by a cyber attack on the power \nsystem.\n    So, our intent in drafting this provision was that CISA, \nincluding the cybersecurity division and the National Risk \nManagement Center, would play a key role in drafting the \nreport. Can you give me an update on where things stand with \nthe Continuity of the Economy plan?\n    Mr. Goldstein. Excellent. So, certainly, we share your \nfocus about the need to robustly consider and plan for \nContinuity of the Economy under all conditions. I think it is \nsymbatic underlining much of what we discussed today. 
I \nunderstand that the administration is still considering the \nappropriate way to implement that provision in the NDAA, but \ncertainly I recognize the urgency and importance of this kind \nof work and would be glad to get you an update for the record \non progress in making that decision.\n    Mr. Langevin. Thank you.\n    I really do hope to see movement from the White House study \non this. Maybe even the actual cyber director can take the \nreins. And I hope this subcommittee, Mr. Chairman, will keep \non this issue as well.\n    The last question I had, Director Goldstein, we've also \ndiscussed the report required by section 9002 of last year's \nNDAA in Sector Risk Management Agencies, or SRMAs. As you know, \nthe report was due July 1. Though I appreciate Director \nEasterly was only recently confirmed and might need some time \nto review it, our goal, with the clarification of the roles and \nresponsibilities of SRMAs, was to empower them to fulfill their \njobs, while also ensuring CISA gets the support it needs, \nwhether in terms of risk data or incident response \ncoordination.\n    How do you see, Director, the relationship between DOE and \nCISA evolving in light of section 9002 and the forthcoming \nreport?\n    Mr. Goldstein. Absolutely. So, we are urgently working on \nthe report, and we appreciate the patience, as we make sure \nthat we get it right, because, as you know, this is critically \nimportant work that really is foundational for delineation of \nnot just roles but also resources, capabilities across agencies \nin managing this, a significant risk.\n    CISA and DOE have an extraordinarily close relationship. \nYou know, in general, CISA sees ourself--and I should speak to \nthe mission element of CISA, because CISA, of course, is also \nan SRMA for multiple sectors. 
But the mission delivery portion \nof CISA in cybersecurity that I'm privileged to lead, we see \nourselves as a service provider to sectors to give them \nactionable information, cybersecurity services, incident \nresponse assistance upon request, and understanding cross-\nsector dependencies that could affect the provision of sectoral \nfunctions and, thereby, cause impacts to the American people.\n    DOE, of course, has extraordinary expertise, as we've \noffered today, on understanding both nuance dependencies and \nrelationships within the sector, the nature in which a \ncybersecurity intrusion could impact sector entities, and the \nability uniquely to actually understand productivity that is \nmanifesting in the sector.\n    And so our goal working with our partners in DOE is first \nand foremost to make sure that we are robustly sharing \ninformation so that the cross-sector information that CISA has, \nincluding information, of course, from Federal civilian \nnetworks, we are sharing with our partners at DOE, we are \nsharing with our partners in the energy sector, so that when we \nare seeing a threat manifesting in the Federal Government or a \ndifferent sector, it can be used to protect partners across the \nenergy grid.\n    Additionally, as my colleague, Mr. Kumar, has discussed \ntoday, DOE is engaged in a variety of activities focused on \nunderstanding supply chain risks, resilience issues within the \nenergy sector. That is all work that CISA is executing at a \ncross-sector model to understand risks across the board. And so \nthe more that CISA and DOE can work together on ensuring that \nlessons we are learning from the energy sector can be \ngeneralized broadly and ensuring that we are providing \ncybersecurity services to the energy sector in deep \ncoordination with DOE, the sector will be stronger but, more \nimportantly, we will be stronger as a Nation.\n    Mr. Langevin. Thank you.\n    Mr. 
Chairman, thank you very much for the generosity and \nthe time, and I yield back.\n    Mr. Lynch. The gentleman yields back.\n    Mr. Kumar, just to clarify on your answer to Mr. Langevin, \nChairman Langevin, he asked you about these very large \ntransformers. As a former ironworker, I've had the opportunity \nto try to move some of those transformers. It is a traffic-\nstopping operation. I appreciate the difficulty. But I think \nthe wider question is about redundancy. And so, we don't have \nto move transformers around in order to get them online.\n    Is there--so rather than looking at it from an inventory \nsituation where we have transformers that can be brought in, \nwhat about redundancy where we have capabilities or the \ncapacity that can be brought online for very, very important \nnational security purposes, especially here in the D.C. area? I \nmean, where do we stand on that in terms of redundancy that \nmight be brought online in the event that one of these large \ngenerating facilities gets taken down?\n    Mr. Kumar. Sir, thank you for that question. It's--really \nthe concept of resiliency and redundancy are really core to how \nwe're thinking about these problems. We first must understand \nthe risk to the sector and then start to build some of that \nresiliency and redundancy into it, so that if you do have a \nsituation, as you mentioned, with a transformer going down, how \ndo we ensure we still have those critical functions, those \ncritical facilities, like military installations that continue \nto serve power to those installations.\n    So, what we're looking at is we're really looking at an \nall-of-the-above strategy. 
One of the options that we're \nthinking about is what's the role of solar, wind, energy \nstorage, nuclear generation that can be brought in to actually \ncreate a microgrid and actually develop resilience into cities \nand states and, in particular, serve the critical facilities, \nlike military installations.\n    So, we really need to build in that resilience into the \ngrid so that if we do--if we are impacted by an incident, we \ncan have another source of generation to continue having us \ngoing forward. So, that's how we're really thinking about this \nproblem broadly.\n    Mr. Lynch. Thank you.\n    The chair now recognizes the very patient gentlelady from \nFlorida, Ms. Wasserman Schultz, for five minutes.\n    Ms. Wasserman Schultz. Thank you, Mr. Chairman.\n    Mr. Chairman, according to a March 2021 GAO report, \nelectrical distribution systems, the systems responsible for \ndelivering our electricity from transmission lines to consumers \nand businesses across America, quote, faced significant \ncybersecurity risks. And as more and more homes, businesses, \nand smart devices are connected to electrical distribution \nsystems, the exposure and complexity of these systems grows, \nrendering them, quote, increasingly vulnerable to cyber \nattacks.\n    The electricity in many large cities across the United \nStates is provided by a single distribution utility. If a \ndistribution utility servicing a major city like New York or \nMiami were to be the victim of a cyber attack, the consequences \ncould be devastating. In fact, GAO found that--and I quote--\neven if a cyber attack on the grid's distribution system did \nnot impact the bulk power system, such an attack could still \nhave significant national consequences.\n    Yet, despite this, distribution utilities are not subject \nto any Federal cybersecurity regulations. 
The NERC reliability \nstandards apply only to electrical generation and transmission \nsystems, while distribution systems are regulated at the state \nand local level.\n    Mr. Kumar, given the growing cyber threats to distribution \nsystems, do you think there should be mandatory Federal \ncybersecurity standards for electrical distribution systems?\n    Mr. Kumar. Thank you for the question, Congresswoman. This \nis certainly an increasing and complex threat. As you \nrightfully talked about, we are integrating more and more, \nwhether it's distributed energy resources, we're connected \nmore, and it's all happening at the distribution level. And so \nwhat we are focused on, we, as DOE, do not have the regulatory \nauthority in terms of the distribution system. I would \ncertainly defer to my colleague at FERC regarding regulatory \nauthorities. But where we're focused is the states do have \nregulatory authority over the utilities at the distribution \nlevel.\n    And so where we've been focusing our efforts on really \neducating the state public utility commissions about the \nthreat, No. 1; then, No. 2, providing them with the tools that \nthey can use to then look at the cybersecurity investments of \nthe utilities at the distribution level within their cities, \nstates, and communities.\n    And so that's where we're focusing a lot of our efforts is \nto really help those states who have the ultimate regulatory \nauthority to do more in that space.\n    We also offer a tool called C2M2 that is applied to \ndistribution, transmission, and generation facilities. Any \nutility of any size can use this tool to gauge its \ncybersecurity posture today, and they can actually see where \nthey land in terms of their cybersecurity posture and then make \nthe necessary investments to their cybersecurity using these \ntools that we provide to the states.\n    Ms. Wasserman Schultz. OK. And I would like to hear what \nMr. Goldstein thinks.\n    Mr. Goldstein. 
So, as a general point--and thank you for
that question, ma'am. I do appreciate it.
    As a general point, efforts that we can take as a country
to drive adoption of better security controls would lead to
improvements to our national security, economic security,
public health and safety. There are a number of roads that we
can take to that outcome, and I would defer to the sectoral
expertise of my colleagues at DOE and FERC to consider which
incentives are most appropriate for distribution entities. But,
in general, we know that we need to take steps to catalyze
urgent investment in better security. Certainly, regulation and
standards is one path to that end. There may be other
incentives that could also enable the same investment.
    And I would just note one example. You know, there are
certainly bills proposed in Congress that would enable broader
cybersecurity grants that is also an additional method to
catalyze more cybersecurity investment and certainly one that
CISA supports. And so the end state that we seek is better
security. I think given the nuances of a given sector and even
given entities within a sector, the particular package of
incentives to reach that goal may differ.
    Ms. Wasserman Schultz. OK. And continuing in the same risk
category, despite growing cyber risks to electrical
distribution systems, GAO also found in its March 2021 report
that DOE's current cybersecurity strategy for the electric grid
does not fully address risks to distribution systems.
DOE
officials have argued that the Department is prioritizing the
security of the bulk power system, asserting that a cyber
attack on a distribution system would likely be, quote, less
significant than an attack on the bulk power system.
    However, GAO also found that DOE has not conducted any up-
to-date assessment of the impacts of a cyber attack on
distribution systems or whether such an attack could affect the
wider bulk power system.
    Mr. Kumar, how can DOE be sure that an attack on one or
more electrical distribution systems would be relatively
insignificant if it has not studied the likelihood and
potential impacts of such an attack? And will you commit to
conducting an updated assessment of the potential scale and
impacts of an attack on electrical distribution systems and
report your findings back to Congress?
    Mr. Kumar. Congresswoman, I appreciate the question. We are
absolutely focused on the distribution system. I've read the
GAO report, and we are taking actions today to really look at
the distribution system.
    One of the key things that we're doing today is we've
partnered with our Energy Efficiency and Renewable Office and
our Office of Electricity to really think about the
distribution systems and how do we embed security by design
into those next generation systems at the distribution level.
    We're also working with our state PUCs, as I mentioned, and
the goal here is really understand the threats. And what we
find is there may be a mismatch in understanding what the
threat is so that we can then inform requirements.
    At a very basic level, you know, we are encouraging things
like the NIST cybersecurity framework that Congressman Welch
had mentioned. We think that's a great tool to actually look at
your cybersecurity posture as a utility, whether you're a
distribution utility or a transmission utility.
    Ms. Wasserman Schultz.
Well, I mean, I appreciate your
commitment to looking at the GAO report, and once you do that,
will you commit to conducting an updated assessment of the
potential scale and impacts of an attack on electrical
distribution systems and report your findings back to Congress?
    Mr. Kumar. We can do that, ma'am.
    Ms. Wasserman Schultz. Thank you.
    And, Mr. Chairman, I guess, if you don't mind, 30 more
seconds.
    Mr. Lynch. Of course.
    Ms. Wasserman Schultz. Thank you.
    Distribution systems are the systems on which Americans
rely to bring electricity to their homes and businesses,
because I know that's not terminology I'm familiar with, so
providing a definition is pretty important. You know, those are
the systems that light our streets and run our trains.
    In Florida, we actually experienced a close call earlier
this year when hackers breached the computer system operating a
water treatment plant and boosted chemicals to dangerous
levels. And now, luckily, a human operator was able to
intervene before any damage was done. But this frightening
attack demonstrates the damage that can be done if a malignant
actor wants to impact public safety.
    So, it's critically important for DOE to conduct a
cybersecurity assessment of our electrical distribution systems
so we can address any persistent vulnerabilities before they
can be exploited and people can be harmed. So, I appreciate the
opportunity to talk about that at this hearing.
    I yield back.
    Mr. Lynch. The gentlelady yields back. Her points are well
taken. Thank you.
    As we close, I would like to recognize the gentleman from
Wisconsin for any concluding remarks.
    Mr. Grothman. Yes. I'd like to thank you for having this
hearing.
You know, we didn't have a huge turnout here, and it's
the type of hearing that I guess is kind of boring, except for
all of a sudden it was the most important hearing we ever had
if something disastrous would happen sometime in the next year.
    Is it OK if I ask Mr. Kumar just one more question?
    What you said kind of concerned me. It concerns me in a
wide variety of places the things we don't make in this
country, but I wondered if you'd share with us where the large
transformers are made. And if we were subject to a cyber
attack, is there anything we would need to repair the damage
that is not made in this country?
    Mr. Kumar. Sure. Thank you for that question. I can take
that back in terms of where the large power transformers are
made and provide that back to you in terms of a QFR, if that
works for you, sir.
    Mr. Grothman. That's fine and wonderful.
    OK. Again, I'd like to thank you for being here. And I've
often felt that this sort of thing is such a very important
issue, and it's never going to be in the paper until some
disaster happens and then people say, where was Congress. So,
thanks for having it and maybe----
    Mr. Gosar. Glenn? Glenn, would you yield? This is
Congressman Gosar.
    Mr. Grothman. Sure.
    Mr. Gosar. Mr. Chair, one of the things--I know it says
cybersecurity is the issue today, but what about when a foreign
actor owns the utility that accesses the grid? I mean, I'm
thinking about a lot of these solar fields that are operated by
foreign actors. And what oversight do we have for them? Because
you could actually have a systemic shutdown from within the
owned grid system because of that access. Have we ever
considered any of that, Mr. Chairman?
    Mr. Lynch. I'd refer that question to our witnesses.
    Mr. Goldstein. Certainly. Thank you for the question, sir.
    So, there are certainly processes in place.
I would call
out the Committee on Foreign Investment in the United States,
or CFIUS, that is intended just for this purpose, to assess the
national security risk of foreign investment in critical
infrastructure or other assets that could be critical to
national security, economic security, et cetera. I certainly
cannot speak to foreign investment in any particular energy
entity or utility, but the U.S. Government does have structures
in place to evaluate this sort of foreign investment and bar
acquisitions or put conditions thereupon if national security
risks are identified.
    Mr. Gosar. That's if they're identified, right?
    Mr. Goldstein. I'm sorry, would you mind repeating that?
    Mr. Gosar. Yes. That's if they're identified. If they run
under the radar, I mean--I mean, it depends a lot on the state
oversight, if I'm not mistaken, right?
    Mr. Goldstein. So, in general, it is certainly the case
that risks would need to be identified as a part of the
assessment process. There are processes in place to assess, to
identify foreign acquisitions. There are reporting requirements
thereof, and there are processes that are administered on an
ongoing basis to assess the risks posed by such acquisitions,
and, again, preclude acquisitions or put conditions thereupon
if such risks are deemed dilatory to national security.
    Mr. Gosar. I will follow up with some questions to find out
that systematic oversight. Thank you.
    Thank you, Mr. Chairman. And thanks, Glenn.
    Mr. Lynch. The gentleman yields back.
    Mr. Grothman. That said, maybe sometime we can do something
in the future on this, maybe in a more secure location, but
thanks again for having the hearing.
    Mr. Lynch. I thank the gentleman.
    Before we close, I have a quick housekeeping matter.
I'd
like to ask unanimous consent to enter into the record a
written statement submitted by the American Public Power
Association and the National Rural Electric Cooperative
Association.
    So, without objection, so ordered.
    Mr. Lynch. I think at this point our witnesses have
suffered enough. So, in closing, I want to thank our panelists
for their remarks. I want to commend my colleagues for their
participation in the important conversation that we have had
about the vulnerability of our electrical grid.
    With that, without objection, all members will have five
legislative days within which to submit additional written
questions. And I know there are some questions outstanding that
we've had commitments during the hearing. But in any event, all
members will have five legislative days within which to submit
additional written questions for the witnesses through the
chair which will be then forwarded again to the witnesses for
their response, and I ask our witnesses to please respond as
promptly as you are able.
    And, with that, this hearing is now adjourned.
    [Whereupon, at 4:53 p.m., the subcommittee was adjourned.]

                                 [all]
</pre></body></html>
"