[Congressional Record Volume 160, Number 49 (Thursday, March 27, 2014)]
[Senate]
[Pages S1835-S1837]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                             GRID SECURITY

  Ms. MURKOWSKI. Mr. President, first, I thank my friend from Maine and 
appreciate the conversations we have had in this past week. He has 
taken a journey to the north that most of us only dream about. He is 
engaged in issues I care deeply about as it relates to the Arctic. 
Although I know that was not the discussion my colleague was speaking 
to earlier, I just wanted to note while my friend from Maine was still 
on the floor that I look forward to working on these issues of great 
importance not only to my State but truly to our entire Nation and 
Arctic Nation.
  I come to the floor this evening to speak very briefly about the 
physical security of our Nation's power grid, which is a very important 
subject. Recently, there were stories in the Wall Street Journal about 
an attack on the California Metcalf substation that happened last April 
and has drawn considerable attention. While those stories about that 
attack highlighted potential vulnerabilities, my principal focus will 
be to highlight not only the safeguards that are already in place to 
protect the Nation's bulk power system but also to announce a step that 
I believe is now necessary to prevent the undue release of sensitive 
nonpublic information.
  First and foremost--and I think this is important for people to 
recognize--it is important to remember that during the Metcalf 
incident, the PG&E system did not lose power. In fact, it was an 
incident that many didn't know had taken place until months after 
because there was no loss of power. I think this fact emphasizes the 
grid's resiliency and the importance of building redundancy into the 
bulk power system.
  As usual, the electric industry has learned from and responded to--
appropriately responded--the California incident. At the end of last 
year the Departments of Energy and Homeland Security--along with the 
North American Electric Reliability Corporation, or NERC, along with 
the Federal Regulatory Commission, or FERC, and the FBI began a cross-
country tour of 10 cities in order to brief utility operators and local 
law enforcement on the lessens that were learned from Metcalf. 
Government officials discussed mitigation strategies and meeting 
participants were able to develop some pretty important relationships 
between first responders and the industry.
  In fact, as a result of the mandatory requirements of the 2005 Energy 
Policy Act, the electric industry has invested significant resources to 
address both physical and cyber security threats and vulnerabilities. 
Through partnerships with various Federal agencies, the industry is 
keenly focused on preparation, prevention, response, and recovery.
  For example, NERC holds yearly security conferences and a grid 
exercise which tests and prepares industry on physical and cyber 
security events. Yet former FERC Chairman Jon Wellinghoff was quoted in 
the Wall Street Journal calling the Metcalf incident ``the most 
significant incident of domestic terrorism involving the grid that has 
ever occurred.''
  In my view, comments such as these are certainly sensational. 
Depending on the factual context, they can actually be reckless.
  Although the topic of physical security warrants discussion--
absolutely warrants discussion and debate--we have to be prudent about 
information for the public sphere. Many government leaders are privy to 
confidential and sensitive information that if not treated carefully 
could provide a roadmap to terrorists or other bad actors about our 
vulnerabilities. At a minimum, government officials have a duty to 
safeguard sensitive information that they learn in their official 
capacity.
  A story that appeared in the Wall Street Journal on March 13 was, I 
believe, shocking because it included sensitive information about the 
Nation's energy infrastructure that the newspaper said came from 
documents that were created at FERC. Although the Wall Street Journal 
did not name specific facilities at risk, it did detail the geographic 
regions and the number of facilities that if simultaneously disabled 
could cause serious harm. The March 13 article claimed the potential 
for a national blackout.

[[Page S1836]]

  I want to commend FERC Chair Cheryl LaFleur for her statement 
regarding the publication of this information. I thank Commissioner 
Tony Clark as well for his statement about the matter.
  I think it is fortunate our current FERC Commissioners are an 
independent lot. I understand that the Commission is looking into this 
matter, including the question of how sensitive internal FERC documents 
made their way into a very high-profile news article. I urge FERC to be 
very diligent in this matter and truly leave no stone unturned.
  I have grave questions about the irresponsible release of nonpublic 
information that unduly pinpoints potential vulnerabilities of our 
Nation's grid. If this conduct is not already illegal, I have suggested 
it should be. The source of the leaked information appears to be 
someone with access to highly sensitive, narrowly distributed FERC 
documents. Releasing this sensitive information for publication has put 
the Nation potentially at greater risk and potentially endangered 
lives, including those of the many good people who are faithfully 
working every day to maintain and to protect the grid.
  In order to learn what has happened and to determine how better to 
safeguard critical information as steps are being taken to make the 
grid less vulnerable, my colleague, the chairman of the energy 
committee, Senator Landrieu, and I have written to the inspector 
general of the Department of Energy whose oversight includes FERC.
  It is our understanding that the IG has already begun an inquiry into 
this matter. We have asked him to conclude his inquiry as soon as 
possible. We have also asked for his immediate assurance that if the 
inquiry must ripen into an investigation, that he will--as we have 
every confidence he would--follow the information he learns wherever it 
leads.
  We are eager to receive recommendations to improve the safeguard of 
keeping sensitive information from disclosure. We have also asked the 
IG to look into the obligations of current and former FERC 
Commissioners and employees with respect to nonpublic information. I 
would certainly hope the inspector general's inquiry leads to the 
identification of the person or persons who provided this sensitive, 
nonpublic information to the media, but even if it does not, even if we 
learn the leak of this information could have been accomplished without 
the violation of any disclosure restrictions, we will consider 
introducing legislation to make sure that in the future the disclosure 
of nonpublic information about our energy infrastructure that puts our 
Nation at risk is a violation of Federal law. We must remember that the 
possibility of a physical attack that disables key parts of the grid 
has always been a risk. Again, in this instance, though, with the 
Metcalf instance, our system worked and no power was lost. Therefore, I 
urge a measured approach when evaluating our next steps in response to 
Metcalf. Erecting barriers at every transmission substation and 
surveillance of every inch of transmission is not feasible. I am 
concerned these types of measures will potentially cost billions of 
dollars with little impact. There must also be a balance between the 
measures related to physical security and the costs that would likely 
be passed through to consumers.

  On March 7, the FERC used the grid reliability framework that 
Congress established in the 2005 Energy Policy Act by directing NERC to 
establish standards addressing physical vulnerabilities to better 
protect our Nation's power grid. NERC has 90 days to develop its 
proposed standards through a collaborative process. The proposed 
standard will then be reviewed independently before it is submitted to 
the FERC.
  Our Energy Policy Act standards are foundational. Constant 
information sharing between government and industry, coupled with 
alerts for rapid response, are also key tools for dealing with the 
changing state of security.
  As policymakers we must include physical security as a key issue in 
our decisions. We must also take measured steps to protect the grid, 
but we shouldn't sensationalize the threat. I commend NERC and FERC for 
starting the standard-setting process, and I urge all of the 
participants to strike this balance between measures related to 
physical security and costs and benefits for electric customers and the 
broader public as a whole.
  Again, I thank the chairman of the energy committee for her 
willingness to join me on this letter which again I feel is very 
important as we begin this review through the inspector general. I know 
the Presiding Officer, as a valued member of the energy committee, is 
very keenly aware of these issues when we talk about our grid 
reliability threats to not only the physical security of our 
infrastructure but most certainly the cyber security threats we face as 
well.
  I appreciate the indulgence of the Chair this evening.
  I ask unanimous consent that the letter I referenced in my remarks be 
printed in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                  U.S. Senate, Committee on Energy


                                        and Natural Resources,

                                   Washington, DC, March 27, 2014.
     Hon. Gregory Friedman,
     Inspector General, Department of Energy, Washington, DC.
       Dear Inspector General Freidman: The Committee on Energy 
     and Natural Resources is responsible for oversight of the 
     Federal Energy Regulatory Commission (the Commission, FERC) 
     and has jurisdiction over the laws the Commission 
     administers, including the Federal Power Act (FPA). In the 
     Energy Policy Act of 2005, Congress amended the FPA, adding 
     section 215, to establish the framework for ensuring that the 
     nation's bulk power system (BPS or electric grid) is 
     reliable.
       Recent reports in The Wall Street Journal (WSJ) about grid 
     security (see attached) were shocking in their detail and 
     appear to have been based upon highly sensitive, narrowly 
     distributed FERC documents that may have pinpointed 
     vulnerabilities of the BPS. In the wrong hands, such 
     documents potentially could provide a roadmap for those who 
     would seek to harm the nation by intentionally causing one or 
     more power blackouts.
       We are writing to respectfully request that the Department 
     of Energy Office of Inspector General (OIG) conduct a full 
     and thorough inquiry regarding the apparent leak to the WSJ 
     of sensitive information regarding physical threats to the 
     electric grid. As part of this effort we ask not only that 
     the OIG review the past, but also provide recommendations 
     regarding how to avoid a repeat of this very unfortunate 
     incident in the future.
       We understand that your office has initiated a preliminary 
     review of this matter on its own initiative and we commend 
     you for doing so. We are also aware that the Federal Energy 
     Regulatory Commission (FERC) is conducting its own 
     investigation. We commend the FERC for this action, as well. 
     However, we note that it can be difficult for agencies to 
     effectively investigate their own actions which is why we are 
     making this request to the OIG.
       The internal FERC documents regarding grid security that 
     appear to have been disclosed to the WSJ, are sufficiently 
     sensitive and potentially harmful to grid security that we 
     believe it would not be prudent to highlight specifically the 
     issues they raise at this time as part of this letter. For 
     the same reason, many of the questions that we request that 
     OIG answer also should not be made public. Consequently, we 
     will provide to OIG on a non-public basis associated 
     questions.
       We do not know if the FERC documents that apparently form 
     the basis of the news reports are credible, but in any case, 
     disclosing and sensationalizing them, as it appears was the 
     work of the person who gave them to the newspaper, is highly 
     irresponsible or worse.
       Even if your inquiry does not lead to the identification of 
     the person who provided this sensitive non-public information 
     to the media (and we hope it will), if you conclude that the 
     unauthorized disclosure of this information could have been 
     accomplished without the violation of any disclosure 
     restrictions, legislation could well be necessary. In that 
     event, we will consider introducing legislation to make sure 
     that the unauthorized disclosure of non-public information 
     about energy infrastructure that puts our nation at risk is a 
     violation of federal law.
       We ask you to conclude your inquiry as soon as possible. We 
     have every confidence that you will follow the information 
     you uncover wherever it leads. Nevertheless, we seek your 
     immediate assurance that if the results of your initial 
     inquiry indicate that applicable Federal law and regulations 
     may have been violated by any current or former Federal 
     employee or official that you would then initiate a formal 
     investigation using all the powers of your office.
       We are eager to receive recommendations concerning the 
     preparation, handling and proper treatment of the sensitive 
     information that forms the basis of the news reports and any 
     related information. We also ask you to examine the legal or 
     regulatory obligations of current and former FERC 
     commissioners and employees with respect to non-public 
     information, especially of the type covered by this letter 
     and the associated non-public attachment.
       Thank you for your consideration. We intend to be fully 
     supportive of your inquiry.

[[Page S1837]]

     Again, we look forward to having the benefit of your findings 
     as soon as possible.
           Sincerely,
                                                    Mary Landrieu,
                                                       Chairwoman.
                                                   Lisa Murkowski,
                                                   Ranking Member.

  I yield the floor.

                          ____________________