[Senate Report 111-331]
[From the U.S. Government Publishing Office]


                                                       Calendar No. 617
111th Congress                                                   Report
                                 SENATE
 2d Session                                                     111-331

======================================================================



 
            GRID RELIABILITY AND INFRASTRUCTURE DEFENSE ACT

                                _______
                                

               September 27, 2010.--Ordered to be printed

                                _______
                                

   Mr. Bingaman, from the Committee on Energy and Natural Resources, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 5026]

    The Committee on Energy and Natural Resources, to which was 
referred the Act (H.R. 5026) to protect the bulk-power system 
and electric infrastructure critical to the defense of the 
United States against cybersecurity and other threats and 
vulnerabilities, having considered the same, reports favorably 
thereon with an amendment and recommends that the Act, as 
amended, do pass.
    The amendment is as follows:
    Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. CRITICAL ELECTRIC INFRASTRUCTURE.

    Part II of the Federal Power Act (16 U.S.C. 824 et seq.) is amended 
by adding at the end the following:

``SEC. 224. CRITICAL ELECTRIC INFRASTRUCTURE.

    ``(a) Definitions.--In this section:
          ``(1) Critical electric infrastructure.--The term `critical 
        electric infrastructure' means systems and assets, whether 
        physical or virtual, used for the generation, transmission., or 
        distribution of electric energy affecting interstate commerce 
        that, as determined by the Commission or the Secretary (as 
        appropriate), are so vital to the United States that the 
        incapacity or destruction of the systems and assets would have 
        a debilitating impact on national security, national economic 
        security, or national public health or safety.
          ``(2) Critical electric infrastructure information.--The term 
        `critical electric infrastructure information' means critical 
        infrastructure information relating to critical electric 
        infrastructure.
          ``(3) Critical infrastructure information.--The term 
        `critical infrastructure information' has the meaning given the 
        term in section 212 of the Critical Infrastructure Information 
        Act of 2002 (6 U.S.C. 131).
          ``(4) Cyber security threat.--The term `cyber security 
        threat' means the imminent danger of an act that disrupts, 
        attempts to disrupt, or poses a significant risk of disrupting 
        the operation of programmable electronic devices or 
        communications networks (including hardware, software, and 
        data) essential to the reliable operation of critical electric 
        infrastructure.
          ``(5) Cyber security vulnerability.--The term `cyber security 
        vulnerability' means a weakness or flaw in the design or 
        operation of any programmable electronic device or 
        communication network that exposes critical electric 
        infrastructure to a cyber security threat.
          ``(6) Secretary.--The term `Secretary' means the Secretary of 
        Energy.
    ``(b) Authority of Commission.--
          ``(1) In general.--The Commission shall issue such rules or 
        orders as are necessary to protect critical electric 
        infrastructure from cyber security vulnerabilities.
          ``(2) Expedited procedures.--The Commission may issue a rule 
        or order without prior notice or hearing if the Commission 
        determines the rule or order must be issued immediately to 
        protect critical electric infrastructure from a cyber security 
        vulnerability.
          ``(3) Consultation.--Before issuing a rule or order under 
        paragraph (2), to the extent practicable, taking into account 
        the nature of the threat and urgency of need for action, the 
        Commission shall consult with the entities described in 
        subsection (e)(1) and with officials at other Federal agencies, 
        as appropriate, regarding implementation of actions that will 
        effectively address the identified cyber security 
        vulnerabilities.
          ``(4) Termination of rules or orders.--A rule or order issued 
        to address a cyber security vulnerability under this subsection 
        shall expire on the effective date of a standard developed and 
        approved pursuant to section 215 to address the cyber security 
        vulnerability.
    ``(c) Emergency Authority of Secretary.--
          ``(1) In general.--If the Secretary determines that immediate 
        action is necessary to protect critical electric infrastructure 
        from a cyber security threat, the Secretary may require, by 
        order, with or without notice, persons subject to the 
        jurisdiction of the Commission under this section to take such 
        actions as the Secretary determines will best avert or mitigate 
        the cyber security threat.
          ``(2) Coordination with canada and mexico.--In exercising the 
        authority granted under this subsection, the Secretary is 
        encouraged to consult and coordinate with the appropriate 
        officials in Canada and Mexico responsible for the protection 
        of cyber security of the interconnected North American 
        electricity grid.
          ``(3) Consultation.--Before exercising the authority granted 
        under this subsection, to the extent practicable, taking into 
        account the nature of the threat and urgency of need for 
        action, the Secretary shall consult with the entities described 
        in subsection (e)(1) and with officials at other Federal 
        agencies, as appropriate, regarding implementation of actions 
        that will effectively address the identified cyber security 
        threat.
          ``(4) Cost recovery.--The Commission shall establish a 
        mechanism that permits public utilities to recover prudently 
        incurred costs required to implement immediate actions ordered 
        by the Secretary under this subsection.
    ``(d) Duration of Expedited or Emergency Rules or Orders.--Any rule 
or order issued by the Commission without prior notice or hearing under 
subsection (b)(2) or any order issued by the Secretary under subsection 
(c) shall remain effective for not more than 90 days unless, during the 
90-day-period, the Commission--
          ``(1) gives interested persons an opportunity to submit 
        written data, views, or arguments (with or without opportunity 
        for oral presentation); and
          ``(2) affirms, amends, or repeals the rule or order.
    ``(e) Jurisdiction.--
          ``(1) In general.--Notwithstanding section 201, this section 
        shall apply to any entity that owns, controls, or operates 
        critical electric infrastructure.
          ``(2) Covered entities.--
                  ``(A) In general.--An entity described in paragraph 
                (1) shall be subject to the jurisdiction of the 
                Commission for purposes of--
                          ``(i) carrying out this section; and
                          ``(ii) applying the enforcement authorities 
                        of this Act with respect to this section.
                  (B) ``Jurisdiction.--This subsection shall not make 
                an electric utility or any other entity subject to the 
                jurisdiction of the Commission for any other purpose.
          ``(3) Alaska and hawaii excluded.--Except as provided in 
        subsection (f), nothing in this section shall apply in the 
        State of Alaska or Hawaii.
    ``(f) Defense Facilities.--Not later than 1 year after the date of 
enactment of this section, the Secretary of Defense shall prepare, in 
consultation with the Secretary, the States of Alaska and Hawaii, the 
Territory of Guam, and the electric utilities that serve national 
defense facilities in those States and Territory, a comprehensive plan 
that identifies the emergency measures or actions that will be taken to 
protect the reliability of the electric power supply of the national 
defense facilities located in those States and Territory in the event 
of an imminent cybersecurity threat.
    ``(g) Protection of Critical Electric Infrastructure Information.--
          ``(1) In general.--Section 214 of the Critical Infrastructure 
        Information Act of 2002 (6 U.S.C. 133) shall apply to critical 
        electric infrastructure information submitted to the Commission 
        or the Secretary under this section to the same extent as that 
        section applies to critical infrastructure information 
        voluntarily submitted to the Department of Homeland Security 
        under that Act (6 U.S.C. 131 et seq.).
          ``(2) Rules prohibiting disclosure.--Notwithstanding section 
        552 of title 5, United States Code, the Secretary and the 
        Commission shall prescribe regulations prohibiting disclosure 
        of information obtained or developed in ensuring cyber security 
        under this section if the Secretary or Commission, as 
        appropriate, decides disclosing the information would be 
        detrimental to the security of critical electric 
        infrastructure.
          ``(3) Procedures for sharing information.--
                  ``(A) In general.--The Secretary and the Commission 
                shall establish procedures on the release of critical 
                infrastructure information to entities subject to this 
                section, to the extent necessary to enable the entities 
                to implement rules or orders of the Commission or the 
                Secretary.
                  ``(B) Requirements.--The procedures shall--
                          ``(i) limit the redissemination of 
                        information described in subparagraph (A) to 
                        ensure that the information is not used for an 
                        unauthorized purpose;
                          ``(ii) ensure the security and 
                        confidentiality of the information;
                          ``(iii) protect the constitutional and 
                        statutory rights of any individuals who are 
                        subjects of the information; and
                          ``(iv) provide data integrity through the 
                        timely removal and destruction of obsolete or 
                        erroneous names and information.''.

                                Purpose

    The purpose of H.R. 5026 is to amend the Federal Power Act 
to protect the bulk-power system and critical electric 
infrastructure against cybersecurity threats and 
vulnerabilities.

                          Background and Need

    The electric infrastructure of the United States includes 
transmission lines, generation facilities, local distribution 
systems, and communications systems. As of 2009, there were 
365,058 miles of transmission lines (rated 100 kV and above) in 
the United States, with an additional 31,000 miles of planned 
and conceptual additions forecast to be placed in service by 
2019.\1\ The total net summer generating capacity as of 
December 31, 2008, was 1,010,171 megawatts and 2008 annual net 
electric power generation was 4,119 million megawatt-hours.\2\ 
This infrastructure serves over 143 million customers in the 
United States, across several sectors, including residential, 
commercial, and industrial. The components of the electric grid 
are highly interdependent, such that a line outage or system 
condition problems in one region can lead to reliability 
concerns in other regions.
---------------------------------------------------------------------------
    \1\North American Electric Reliability Corporation, 2009 Long-Term 
Reliability Assessment 2009-2018 (October 2009) at 26.
    \2\U.S. Energy Information, Administration Electric Power Annual 
2008 (January 2010) DOE/EIA-0348 (2008)
---------------------------------------------------------------------------
    On August 8, 2005, the Energy Policy Act of 2005 (EPAct) 
was enacted into law. Title XII of EPAct added a new section 
215 to the Federal Power Act. Under section 215, the Federal 
Energy Regulatory Commission (FERC) is charged with overseeing 
mandatory, enforceable reliability standards for the bulk power 
system. Section 215 also required FERC to select an Electric 
Reliability Organization (ERO) that is responsible for 
proposing reliability standards that are designed to protect 
and enhance the reliability of the bulk-power system and apply 
to users, owners, and operators of that system. The ERO is also 
authorized to impose penalties for violations of the 
reliability standards, subject to FERC review and approval. 
More than 1,800 different entities own or operate components of 
the bulk-power system that are subject to approved reliability 
standards.
    In 2006, the FERC designated the North American Electric 
Reliability Corporation (NERC) as the ERO. In its capacity as 
the ERO, NERC is responsible for developing proposed 
reliability standards. The process of developing reliability 
standards relies on an inclusive and public process that 
permits extensive opportunity for industry comment. This 
process is intended to develop consensus on the need for, and 
the substance of, proposed standards. The standards development 
process includes the following key steps: nomination and public 
posting; industry review of comments; redrafting as necessary; 
formal balloting; and approval by NERC's board of trustees. 
Proposed standards are submitted to FERC for review and final 
approval. However, FERC cannot prescribe standards under 
section 215, but it has authority to direct NERC to develop 
standards or to modify existing standards.
    The scope of the reliability standards is limited by 
section 215's definition of the bulk-power system, which 
specifically excludes ``facilities used in the local 
distribution of electric energy.'' Accordingly, these standards 
do not apply to lower-voltage distribution facilities that 
serve critical electric infrastructure, such as certain defense 
facilities and other end-users of electricity. For example, 
this excludes virtually all of grid facilities in some large 
cities (e.g., New York), which precludes FERC action to 
mitigate cyber or other national security threats to 
reliability that involve such facilities in major population 
areas. In addition, the provisions of section 215 do not apply 
to Alaska or Hawaii, where a number of important defense 
facilities are located.
    Standards relating to electric infrastructure cyber 
security represent one category of reliability standards. In 
August 2006, NERC submitted eight proposed cyber security 
standards, known as the Critical Infrastructure Protection 
(CIP) standards to FERC for approval under section 215. As 
defined by NERC for purposes of the CIP standards, critical 
infrastructure includes facilities, systems, and equipment 
which, if destroyed, degraded, or otherwise rendered 
unavailable, would affect the reliability or operability of the 
electric system. NERC and its members worked for approximately 
three years to develop these standards before they were 
submitted to FERC for approval. In January 2008, FERC approved 
the CIP reliability standards while concurrently directing NERC 
to develop significant modifications addressing specific 
concerns. NERC addressed some of the FERC directives in 
subsequent versions of the cybersecurity standards. These 
revisions are effective April 1, 2010 and October 1, 2010, 
respectively. Notably, some entities were required to be fully 
compliant with all the CIP requirements as of July 1, 2010.
    In addition to proposing new standards to FERC, NERC also 
reviews and modifies existing reliability standards. For 
example, further revisions to cyber security standards have 
been proposed based on unsatisfactory results from industry 
surveys of critical asset identification. In a December 2008 
self-certification study, NERC reported that only 29% of 
generation owners and operators reported identifying at least 
one critical asset; approximately 63% of transmission owners 
identified critical assets. NERC expressed its concern with 
these results but an April 2010 survey does not indicate 
improvement in coverage.
    Public reports relating to cyber vulnerabilities of and 
threats to the electric grid have increased in recent years and 
have been the subject of several hearings in the 110th and 
111th Congresses. Such threats may arise across the vast array 
of communicating devices on the grid, requiring rapid and often 
confidential responses. In 2007, in an experiment (dubbed 
``Aurora''), researchers from DOE and the Idaho National 
Laboratory demonstrated that an attacker could hack into the 
control system of an electric generator or other rotating 
equipment connected to the grid, causing severe physical damage 
to the equipment. The experiment raised the possibility that 
large, coordinated attacks could damage the nation's electric 
infrastructure, resulting in billions of dollars in damage that 
could take months to repair.
    Electric grid vulnerabilities also present risks to U.S. 
defense assets. Much of the energy infrastructure upon which 
the Department of Defense depends is commercially owned. An 
October 2009 report by the Government Accountability Office 
concluded that of the Department of Defense's 34 most critical 
global assets, 31 rely on commercially operated electricity 
grids for their primary source of electricity.\3\
---------------------------------------------------------------------------
    \3\U.S. Government Accountability Office, Defense Critical 
Infrastructure: Actions Needed to Improve the Identification and 
Management of Electrical Power Risks and Vulnerabilities to DOD 
Critical Assets (Oct. 2009) (GAO-10-147).
---------------------------------------------------------------------------
    The NERC process of developing and approving standards is 
necessary but not sufficient to protect the system against 
specific and imminent threats, particularly in emergency 
situations. The standards development process is designed to 
rely on industry expertise with respect to specific problems 
with long histories and defined data. It is also structured so 
as to permit opportunities for industry and public comment. 
FERC can direct NERC to develop a reliability standard to 
address a particular matter, including cyber security threats 
or vulnerabilities, either via the regular process or under an 
expedited schedule. However, many cyber security events require 
quick responses and significant changes that are not 
necessarily based on operating experience. In circumstances 
involving a cyber security threat to reliability, there may be 
a need to act decisively in hours or days, rather than weeks, 
months, or years. Existing NERC processes for adoption of 
reliability standards do not offer a timely means of responding 
to imminent cyber security threats and vulnerabilities.

                          Legislative History

    Representative Markey introduced H.R. 5026 on April 14, 
2010. The House Committee on Energy and Commerce ordered it 
favorably reported with an amendment in the nature of a 
substitute on April 15, 2010. H. Rept. 111-493. The House of 
Representatives passed H.R. 5026 by voice vote on June 9, 2010.
    At its business meeting on August 5, 2010, the Committee on 
Energy and Natural Resources ordered H.R. 5026 favorably 
reported with an amendment in the nature of a substitute. The 
committee amendment consisted of the text of section 301 of S. 
1462, the American Clean Energy Leadership Act of 2009, which 
was considered by the Committee at a business meeting on May 
19, 2009, and ordered reported as part of S. 1462 on June 17, 
2009. The Committee held a hearing on a draft of the 
legislation on May 7, 2009. S. Hrg. 111-29.

                        Committee Recommendation

    The Committee on Energy and Natural Resources, in open 
business session on August 5, 2010, by voice vote of a quorum 
present, recommends that the Senate pass H.R. 5026, if amended 
as described herein.

                      Section-by-Section Analysis

    Section 1 amends Part II of the Federal Power Act (16 
U.S.C. 824 et seq.) by adding a new section 224 to give the 
Secretary of Energy and the Federal Energy Regulatory 
Commission (the Commission) additional authority to protect 
critical electrical infrastructure against cyber security 
threats and vulnerabilities.
    Section 224(a) defines key terms in the new section.
    Paragraph (1) defines the term ``critical electric 
infrastructure'' to mean systems and assets (whether physical 
or virtual) used for the generation, transmission, or 
distribution of electric energy affecting interstate commerce 
(whether or not transmitted in interstate commerce) that are so 
vital to the United States that the incapacity or destruction 
of the systems and assets would have a debilitating impact on 
national security, national economic security, or national 
public health or safety. It is modeled on the definition of the 
term ``critical infrastructure'' in the Critical 
Infrastructures Protection Act of 2001, section 1016 of the USA 
PATRIOT Act (42 U.S.C. 5195c(e)).
    Paragraph (2) defines the term ``critical electric 
infrastructure information'' to mean critical information 
relating to critical electric infrastructure.
    Paragraph (3) defines the term ``critical infrastructure 
information'' by reference to the definition of the term in 
section 212 of the Critical Infrastructure Information Act of 
2002 (6 U.S.C. 131).
    Paragraph (4) defines the term ``cyber security threat'' to 
mean the imminent danger of an act that disrupts, attempts to 
disrupt, or poses a significant risk of disrupting the 
operation of programmable electronic devices or communications 
networks essential to the reliable operation of critical 
electric infrastructure. Section 224(a) does not separately 
define or qualify the term ``act,'' which bears its ordinary 
dictionary definition of ``a thing done,'' and thus may include 
acts of God resulting from uncontrollable forces of nature, 
such as a geomagnetic storm.
    Paragraph (5) defines the term ``cyber security 
vulnerability'' to mean a weakness or flaw in the design or 
operation of any programmable electronic device or 
communication network that exposes critical electric 
infrastructure to a cyber security threat.
    Paragraph (6) defines the term ``Secretary'' to mean the 
Secretary of Energy.
    Section 224(b)(1) directs the Commission to issue rules or 
orders as necessary to protect critical electric infrastructure 
from cyber security vulnerabilities. Paragraph (2) permits the 
Commission to issue the rules or orders, without prior notice 
or hearing, if it determines that the rule or order must be 
issued immediately to protect against a cyber security 
vulnerability. Paragraph (3) directs the Commission, to the 
extent practicable, to consult with officials at other Federal 
agencies, and with entities subject to the jurisdiction of the 
Commission. Paragraph (4) provides that rules or orders issued 
under subsection (b) shall expire on the effective date of a 
standard developed and approved pursuant to section 215 of the 
Federal Power Act to address the vulnerability.
    Section 224(c) authorizes the Secretary of Energy to 
require, if immediate action is necessary to protect against a 
cyber security threat, entities subject to the jurisdiction of 
the Commission to take actions to protect against the threat. 
Paragraph (2) encourages the Secretary to consult and 
coordinate with appropriate officials in Canada and Mexico. 
Paragraph (3) requires the Secretary, to the extent 
practicable, to consult with officials at other Federal 
agencies, and with entities subject to the jurisdiction of the 
Commission under this section prior to exercising the authority 
under this subsection. Paragraph (4) requires the Commission to 
establish a mechanism that permits recovery of prudently 
incurred costs required to comply with orders of the Secretary 
under this subsection.
    Section 224(d) provides that orders or rules issued without 
prior notice or hearing under section 224 shall remain in 
effect for not more than 90 days unless the Commission gives 
interested persons an opportunity to submit written data, views 
or arguments and affirms, amends or repeals the rule or order.
    Section 224(e) provides that any entity that owns, 
controls, or operates critical electric infrastructure shall be 
subject to the jurisdiction of the Commission for purposes of 
carrying out section 224, or applying enforcement authorities 
of the Federal Power Act with respect to section 224, but 
subsection (e) does not subject an electric utility or other 
entity to the jurisdiction of the Commission for any other 
purpose. Except as provided in subsection (f), the States of 
Alaska and Hawaii are exempted from provisions of section 224.
    Section 224(f) provides for a plan to protect the electric 
power supply of the national defense facilities in the States 
of Alaska and Hawaii, and in the Territory of Guam.
    Section 224(g)(1) provides that section 214 of the Critical 
Infrastructure Information Act of 2002 (6 U.S.C. 133) shall 
apply to information submitted to the Commission or the 
Secretary either voluntarily or involuntarily under this 
section to the same extent as that section applies to 
information voluntarily submitted to the Department of Homeland 
Security under that Act (6 U.S.C. 131 et seq.). Paragraph (2) 
directs the Secretary and the Commission to issue regulations 
prohibiting disclosure of information that would be detrimental 
to the security of critical electric infrastructure. Paragraph 
(3) directs the Secretary and the Commission to establish 
procedures on the release of critical infrastructure 
information to entities subject to this section, to the extent 
necessary to enable the entities to implement rules or orders 
of the Commission or Secretary. The procedures shall limit 
dissemination of information, ensure security and 
confidentiality of information, protect constitutional and 
statutory rights, and provide data integrity through timely 
removal and destruction of obsolete or erroneous names and 
information.

                   Cost and Budgetary Considerations

    The following estimate of costs of this measure has been 
provided by the Congressional Budget Office:

H.R. 5026--An act to amend the Federal Power Act to protect the bulk-
        power system and electric infrastructure critical to the 
        defense of the United States against cybersecurity and other 
        threats and vulnerabilities

    H.R. 5026 would amend existing law regarding the regulation 
of facilities that transmit electric power. Under existing law, 
most of the standards governing the reliability of the electric 
power system are issued by the Electric Reliability 
Organization (ERO), subject to approval and enforcement by the 
Federal Energy Regulatory Commission (FERC). This act would 
direct FERC to issue standards regarding the security of 
computer networks used to facilitate electric power 
transmission (known as cybersecurity), which would remain in 
effect until the ERO adopts regulations for such matters. The 
bill also would direct the Department of Defense (DoD) to 
conduct a study of grid security in certain states and 
territories and establish procedures for responding to 
emergencies and protecting information related to 
cybersecurity.
    Enacting this legislation would affect direct spending by 
the federal power agencies that would be subject to the new 
regulations and standards; therefore, pay-as-you-go procedures 
apply. Based on information from the Tennessee Valley Authority 
and Bonneville Power Administration, CBO estimates that any 
effects of the legislation on net direct spending would be 
negligible because the new standards would be similar to those 
currently followed by federal agencies as a result of other 
statutory directives. The act also would affect spending at 
FERC and DoD, which is controlled by annual appropriation acts. 
Assuming appropriation of the necessary amounts, CBO estimates 
that DoD's analyses of grid security would cost about $1 
million. Any increase in FERC's administrative costs would have 
no net budgetary impact because the agency recovers 100 percent 
of its costs through user fees. CBO estimates that enacting 
this bill would not affect revenues.
    H.R. 5026 would impose an intergovernmental and private-
sector mandate as defined in the Unfunded Mandates Reform Act 
(UMRA). The act would authorize FERC to issue rules and 
standards to protect the electric power system from cyber 
threats. Public and private entities that generate, transmit, 
or distribute electricity could be affected by those rules or 
standards. The costs of the mandate could be significant but 
would depend on future regulations. Consequently, CBO cannot 
determine whether the costs of the mandate would exceed the 
annual threshold for private-sector mandates ($141 million in 
2010, adjusted annually for inflation). Because public entities 
own and operate a small fraction of the nation's electric power 
infrastructure, CBO expects that the costs of the mandate would 
fall below the annual threshold established in UMRA for 
intergovernmental mandates ($70 million in 2010, adjusted 
annually for inflation).
    CBO has not reviewed provisions of the act that would 
provide FERC and the Secretary of Energy with expedited or 
emergency authority to protect the electric transmission grid 
from threats to those computer networks for intergovernmental 
or private-sector mandates. Section 4 of the Unfunded Mandates 
Reform Act excludes from the application of that act any 
legislative provisions that are necessary for national 
security. CBO has determined that those provisions fall within 
that exclusion.
    On May 19, 2010, CBO transmitted a cost estimate for H.R. 
5026, the Grid Reliability and Infrastructure Defense Act, as 
ordered reported by the House Committee on Energy and Commerce 
on April 15, 2010. The Senate version of this legislation would 
authorize fewer programs and regulatory measures than the House 
bill, resulting in a smaller cost than CBO estimated for the 
House bill.
    The CBO staff contacts for this estimate are Kathleen Gramp 
(for federal costs), Ryan Miller (for the intergovernmental 
impact), and Amy Petz (for the private-sector impact). The 
estimate was approved by Theresa Gullo, Deputy Assistant 
Director for Budget Analysis.

                      Regulatory Impact Statement

    In compliance with paragraph 11(b) of Rule XXVI of the 
Standing Rules of the Senate, the Committee makes the following 
evaluation of the regulatory impact which would be incurred in 
carrying out H.R. 5026, as proposed to be amended.
    H.R. 5026, as proposed to be amended, would authorize the 
Federal Energy Regulatory Commission to issue rules and orders 
necessary to protect critical electric infrastructure from 
cyber security vulnerabilities, and the Secretary of Energy to 
issue emergency orders to avert or mitigate cyber security 
threats.
    (A) Number of business regulated. H.R. 5026, as proposed to 
be amended, would apply to ``any entity that owns, controls, or 
operates critical electric infrastructure, which the bill 
defines, in pertinent part, to include ``systems and assets . . 
. used for the generation, transmission, or distribution of 
electric energy affecting interstate commerce that . . . are so 
vital to the United States that the incapacity or destruction 
of the systems and assets would have a debilitating impact on 
national security, national economic security, or national 
public health or safety.'' The Committee believes that, if the 
Commission determines that a rule or order is necessary, it 
could affect a large part of the nation's 3,273 electric 
utilities (including 210 investor-owned utilities, 2,009 
publicly-owned utilities, 883 consumer owned rural electric 
cooperatives, and nine Federal electric utilities) and possibly 
some of the nation's 1,738 nonutility power producers.
    (B) Economic impact. The economic impact of a rule or order 
could be significant, but would depend on the rule or order. 
The Committee notes that the Congressional Budget Office, in 
its report on S. 1462, stated that it expects the cost of any 
rule or order issued under section 301 of S. 1462 (which is 
identical to H.R. 5026, as proposed to be amended) to be below 
the thresholds established under the Unfunded Mandates Reform 
Act ($69 million in 2009). In any event, the Committee expects 
any economic burden occasioned by the requirements to be offset 
by the potential damage to the electric grid and the disruption 
to the national economy that will be avoided by such emergency 
measures.
    (C) Personal privacy. No personal information would be 
collected in administering the program. Therefore, there would 
be no impact on personal privacy.
    (D) Paperwork requirements. Although the Commission or the 
Secretary may require the submission of some critical electric 
infrastructure information, the Committee does not expect the 
amount of information collected to impose substantial 
additional paperwork or recordkeeping burdens, in either time 
or financial cost, on private industry or individuals.

                   Congressionally Directed Spending

    H.R. 5026, as ordered reported, does not contain any 
congressionally directed spending items, limited tax benefits, 
or limited tariff benefits as defined in rule XLIV of the 
Standing Rules of the Senate.

                        Executive Communications

    The testimony of the witnesses representing the Department 
of Energy and the Federal Energy Regulatory Commission at the 
Committee's May 7, 2009, hearing on draft cyber security 
legislation follows.

Statement of Patricia Hoffman, Acting Assistant Secretary, Electricity 
         Delivery and Energy Reliability, Department of Energy

    Mr. Chairman and members of the Committee, thank you for 
this opportunity to testify before you on the cyber security 
issues facing the electric industry and on emergency 
authorities to protect critical electric infrastructure. All of 
us here today share a common concern that vulnerabilities exist 
within the electric system and that the government and the 
private sector must do everything we can to address it. This is 
particularly true for smart grid systems, which by their very 
nature involve the use of information technologies in areas and 
applications on the electric system where they have not been 
used before. With the funding provided for smart grid 
activities in the American Recovery and Reinvestment Act of 
2009, the Department will be expanding our partnership with 
industry to advance the smart grid while maintaining security 
of smart grid devices and systems.
    A smart grid uses information technology to improve the 
reliability, availability, and efficiency of the electric 
system. With smart grid, information technologies are being 
applied to electric grid applications including devices at the 
consumer level through the transmission level to make our 
electric system more responsive and more flexible.
    To be clear, the smart grid is both a means to enhancing 
grid security as well as a potential vulnerability.
    Enhanced grid functionality enables multiple devices to 
interact with one another via a communications network. These 
interactions make it easier and more cost effective, in 
principal, for a variety of clean energy alternatives to be 
integrated with electric system planning and operations, as 
well as for improvements in the speed and efficacy of grid 
operations to boost electric reliability and the overall 
security and resiliency of the grid. The communications 
network, and the potential for it to enhance grid operational 
efficiency and bring new clean energy into the system, is one 
of the distinguishing features of the smart grid compared to 
the existing system.
    For example, Wide Area Measurement Systems (WAMS) 
technology is based on obtaining high-resolution power system 
measurements (e.g., voltage) from sensors that are dispersed 
over wide areas of the grid. The data is synchronized with 
timing signals from Global Positioning System (GPS) satellites. 
The real-time information available from WAMS allows operators 
to detect and mitigate a disturbance before it can spread and 
enables greater utilization of the grid by operating it closer 
to its limits while maintaining reliability. When Hurricane 
Gustav came ashore in Louisiana in September 2008, an 
electrical island was formed in an area of Entergy's service 
territory. Entergy used the phasor measurement system to detect 
this island, and the phasor measurement units (PMU) in the 
island to balance generation and load for some 33 hours before 
surrounding power was restored.
    The Department understands that the smart grid will be more 
complex than today's grid, with exponentially more access 
points, both virtual and physical through smart grid devices 
and without proper controls in place these factors could result 
in increasing the electric sector's vulnerabilities.
    Department of Energy Activities:
    The mission of the Office of Electricity Delivery and 
Energy Reliability is to lead national efforts to modernize the 
electric grid, to enhance the security and reliability of the 
energy infrastructure, and to facilitate recovery from 
disruptions to the energy supply. To accomplish this mission, 
the Office focuses on long-term system requirements through our 
research investments in the electricity delivery system and 
near-term energy vulnerability assessments/disaster recovery. 
Our efforts to enhance the cyber security of the energy 
infrastructure have produced results in five areas. We have:

          --Identified cyber vulnerabilities in energy control 
        systems and worked with vendors to develop hardened 
        systems that mitigate the risks
          --Developed more secure communications methods 
        between energy control systems and field devices
          --Developed tools and methods to help utilities 
        assess their security posture
          --Developed a modeling and simulation capability to 
        estimate the effects of cyber attacks on the power grid
          --Provided extensive cyber security training for 
        energy owners and operators to help them prevent, 
        detect, and mitigate cyber penetration.

    In 2005, the Department (in collaboration with the 
Department of Homeland Security and Natural Resources-Canada) 
worked directly with asset owners and operators in the oil, 
gas, and electricity sectors to develop the Roadmap to Secure 
Control Systems in the Energy Sector--a detailed, prioritized 
plan for cyber security improvements over the next 10 years, 
including best practices, new technology, and risk assessment. 
The Roadmap vision states that in 10 years, controls systems 
for critical applications will be designed, installed, 
operated, and maintained to survive an intentional cyber 
assault with no loss of critical function. Industry 
representatives defined goals, milestones, and priorities to 
guide the industry toward this vision.
    As a result, the Department was one of the first research 
organizations to align its cyber security research activities 
with the Roadmap goals and vision. The Institute for 
Information Infrastructure Protection (I3P) is working to 
develop several technologies that address Roadmap goals 
including security metrics and trusted devices. The Trusted 
Cyber Infrastructure for the Power Grid (TCIP) (a collaboration 
of universities led by the University of Illinois at Champaign-
Urbana working with energy sector asset-owners and operators 
and vendors with funding from NSF, DOE, and DHS) is also 
conducting extensive cyber security research that aligns with 
the Roadmap goals. In addition, there are over 50 other public 
and private organizations working on projects that directly 
address the challenges identified in the Roadmap.
    Efforts at the national labs are also producing results 
that industry can use today to enhance the security of their 
control systems. For example, Sandia National Laboratories 
developed the Advanced Network Toolkit for Assessments and 
Remote Mapping, or ANTFARM. This tool aids energy utility 
owners in mapping critical cyber assets and access points to 
allow easy visualization of their control system networks--a 
critical step in meeting the North American Electric 
Reliability Corporation's Critical Infrastructure Protection 
(NERC CIP) standards. Released in August 2008. The toolkit is 
open source and available online for free.
    Through the Department's National Supervisory Control and 
Data Acquisition (SCADA) Test Bed program, we have assessed 90% 
of the current market offering of SCADA and energy management 
systems (EMS) in the electric sector, and 80% of the current 
market offering in the oil and gas sector. Twenty test bed and 
on-site field assessments of control systems from vendors 
including ABB, Areva, GE, OSI, Siemens, Telvent, and others, 
have led them to develop 11 hardened control system designs 
with thirty-one of these systems now deployed in the 
marketplace. Vendors also have released several software 
patches to better secure legacy systems. The National SCADA 
Test Bed (NSTB) is a state-of-the-art national resource 
designed to aid government and industry in securing their 
control systems through vulnerability assessments, focused 
research and development (R&D) efforts, and outreach. Over the 
years the Department has expanded its investments in the NSTB 
and today it includes the resources and capabilities of five 
national laboratories (Idaho National Engineering Laboratory, 
Sandia National Laboratory, Pacific Northwest National 
Laboratory, Oak Ridge National Laboratory, and Argonne National 
Laboratory) as well as many cost-shared projects with the 
private sector.
    The national labs also educate end-users on cyber security 
best practices and implementing methods to better manage 
control systems risk. For example, the Idaho National 
Laboratory has released on an annual basis a ``Common 
Vulnerabilities'' report. Using results from assessments 
performed from 2003 to 2007, the November 2008 document 
represents a steadily growing understanding of control system 
security issues and methods for mitigating current and emerging 
vulnerabilities. This effort is expanding to new technologies, 
such as substation automation and Smart Grid, as the program 
seeks a continuing understanding of the systems being planned 
for and deployed in the energy sector critical infrastructure.
    The Department, through a work-for-others agreement with 
the Idaho National Laboratory, is also working with a major 
vendor of smart meters to conduct a cyber security assessment 
of their device. The primary motivation for this work was 
driven by the utilities--end-users of the product.
    The Department has also funded several research and 
development projects with the private sector. The Bandolier 
project, led by Digital Bond, is developing security audit 
files, which are incorporated into a utility's existing network 
scanners and used to audit the control system's security 
settings against an optimal security configuration. Given that 
large control systems can have over 1000 security settings, 
Bandolier can help a utility enhance its security posture while 
saving time and money at the same time. Audit files are now 
available for Siemens, Telvent, and ABB. Digital Bond has made 
its product available for a nominal subscriber fee on its 
website.
    The Hallmark project, led by Schweitzer Engineering 
Laboratories (SEL), is another DOE-supported research and 
development project. SEL is working to commercialize the Secure 
SCADA Communications Protocol originally developed by Pacific 
Northwest National Laboratory. The technology will enable 
utilities to secure critical data communications links between 
remote substations and control centers and is scheduled to be 
launched in the next few months.
    To track progress on implementation the Department designed 
a unique online collaborative tool--the interactive energy 
Roadmap (ieRoadmap)--which can be found online at 
www.controlsystemsroadmap.net. Public- and private-sector 
researchers self-populate the online database with project 
information and map their efforts to specific challenges and 
priorities identified in the Roadmap. The website has become a 
vital resource for news, information sharing, and 
collaboration.
    Looking ahead, the Department also participates in multi-
agency information-sharing forums such as the Networking and 
Information Technology Research and Development (NITRD) 
program, which is the primary mechanism for government to 
coordinate unclassified networking and information technology 
research and development investments. Thirteen Federal agencies 
are formal members (including DOE) of the NITRD Program.
    Also in the long-term, the Department seeks to alter the 
very nature of cyber security. During the past two years, the 
Department's Office of Science has brought together a growing 
community of cyber security professionals and researchers from 
the laboratories, private industry, academia, and other 
government agencies to assess the state of cyber security in 
general and within the Department specifically. These experts 
concluded that the current approach to addressing cyber 
security problems is reactive and the Department should develop 
a long-term strategy that goes beyond stopping traditional 
threats to rendering both traditional and new threats harmless.
    In December 2008, the Department released the findings of 
this group in ``A Scientific Approach R&D Approach to Cyber 
Security,'' which outlines a set of opportunities to introduce 
anticipation and evasion capabilities to platforms and 
networks, data systems to actively contribute to their control 
and protection, and platform architectures that operate with 
integrity despite the presence of untrusted components. This 
approach could not only provide new, game-changing capabilities 
to the Department, but could also be directly applied to other 
agencies, industry, and society.


                               smart grid


    The American Recovery and Reinvestment Act of 2009 
appropriated $4.5 billion in funds for electricity delivery and 
energy reliability activities to modernize the electric grid, 
to include demand responsive equipment, enhance security and 
reliability of the energy infrastructure, energy storage, 
facilitate recovery from disruptions, and for implementation of 
programs authorized under Title XIII of the Energy Independence 
and Security Act of 2007 (Smart Grid).
    The Department is working to implement these new program 
activities in a responsible manner and the request for 
proposals for these activities will include requirements that 
each applicant thoroughly and systematically addresses all 
cyber security risks to the system.
    A key application of the smart grid is Advanced Metering 
Infrastructure (AMI). AMI requires two-way communication 
between the utility and the end-user. Over the last 10 months, 
DOE has partnered with the AMI Security (AMI-SEC) Task Force 
organized under the UCA International User's Group. The Task 
Force is comprised of utilities, security domain experts, 
standards body representatives and industry vendors. On March 
10, 2009, the Task Force published the AMI System Security 
Requirements, which provides critical guidance for vendors and 
utilities to help design and procure secure and reliable AMI 
systems. Because of the success of this industry-government 
collaboration, the Department is working with the Task Force to 
expand the activity to develop a suite of security requirements 
for all critical Smart Grid applications.
    The National Institute of Standards and Technology (NIST) 
is responsible for developing the framework for 
interoperability standards development for the smart grid. The 
Federal Energy Regulatory Commission (FERC) has authority for 
issuing standards for rulemaking.
    The Department views the development of interoperability 
standards that include appropriate cyber security protections 
as one of the key milestones toward realizing the goal of 
widespread implementation of smart grid technologies, tools, 
and techniques. DOE-NIST-FERC coordination on these standards 
has been ongoing for more than a year through the Federal Smart 
Grid Task Force, an EISA-mandated group that meets monthly and 
involves agencies from across the Federal government, including 
EPA, USDA, DHS, and DOD.
    Recent progress on two key activities demonstrates the 
efficacy of the coordination effort: (1) Development of the 
Interoperability Standards Roadmap under the leadership of 
NIST, and (2) Development of a policy statement on 
interoperability standards under the leadership of FERC. These 
activities are critical for the Department in the selection of 
meritorious projects under the Smart Grid Investment Grants 
Program and the Smart Grid Regional Demonstration Program as 
the quality of the approaches for addressing interoperability 
and cyber security will be important evaluation criteria.
    With regard to protecting the electric grid from newly 
discovered vulnerabilities, the Department does not have a 
position on the Draft Joint Staff Cybersecurity Text. The 
Department does provide the following technical comment:

          All vulnerabilities must be thoroughly evaluated on a 
        scientific basis to determine the impact and risk to 
        the nation in the event the vulnerability were to be 
        exploited. Any decision to act or issue an order by the 
        government must be based on sound risk management 
        principals and judgment considering the characteristics 
        of the vulnerability, the capabilities of the threat, 
        likelihood of attack, the consequences to the nation 
        should the vulnerability be exploited, and the cost of 
        mitigation.

    This concludes my statement, Mr. Chairman. Thank you for 
the opportunity to speak, and I look forward to answering any 
questions you and your colleagues may have.
                              ----------                              


     Testimony of Joseph McClelland, Director, Office of Electric 
           Reliability, Federal Energy Regulatory Commission

    Mr. Chairman and Members of the Committee:
    Thank you for this opportunity to appear before you to 
discuss the cyber security of the electric grid. My name is 
Joseph McClelland. I am the Director of the Office of Electric 
Reliability (OER) of the Federal Energy Regulatory Commission 
(FERC or Commission). The Commission's role with respect to 
reliability is to help protect and improve the reliability of 
the Nation's bulk-power system through effective regulatory 
oversight as established in the Energy Policy Act of 2005. I am 
here today as a Commission staff witness and my remarks do not 
necessarily represent the views of the Commission or any 
individual Commissioner.
    My testimony summarizes the Commission's oversight of the 
reliability of the electric grid in the area of security, some 
of the Commission's actions to implement section 215 of the 
Federal Power Act, and some of the limitations in the 
Commission's authority. The Commission does not have sufficient 
authority to provide effective protection of the grid against 
cyber attacks or other security threats to reliability. As will 
be explained in more detail later, this is primarily due to 
three factors regarding the development of reliability 
standards under section 215; lack of timeliness, lack of 
ability to protect security-sensitive information, and lack of 
ability to control the content of proposed cybersecurity 
standards. Therefore, legislation is needed and my testimony 
discusses the key elements that should be included in any new 
legislation in this area.


                               background


    In the Energy Policy Act of 2005 (EPAct 2005), the Congress 
entrusted the Commission with a major new responsibility to 
oversee mandatory, enforceable reliability standards for the 
Nation's bulk power system (excluding Alaska and Hawaii). This 
authority is in section 215 of the Federal Power Act. Section 
215 requires the Commission to select an Electric Reliability 
Organization (ERO) that is responsible for proposing, for 
Commission review and approval, reliability standards or 
modifications to existing reliability standards to help protect 
and improve the reliability of the Nation's bulk power system. 
The reliability standards apply to the users, owners and 
operators of the bulk power system and become mandatory only 
after Commission approval. The ERO also is authorized to 
impose, after notice and opportunity for a hearing, penalties 
for violations of the reliability standards, subject to 
Commission review and approval. The ERO may delegate certain 
responsibilities to ``Regional Entities,'' subject to 
Commission approval.
    The Commission may approve proposed reliability standards 
or modifications to previously approved standards if it finds 
them ``just, reasonable, not unduly discriminatory or 
preferential, and in the public interest.'' The Commission does 
not have authority to modify proposed standards. Rather, if the 
Commission disapproves a proposed standard or modification, 
section 215 requires the Commission to remand it to the ERO for 
further consideration. The Commission, upon its own motion or 
upon complaint, may direct the ERO to submit a proposed 
standard or modification on a specific matter. The Commission 
however, does not have the authority to modify or author a 
standard but must depend upon the ERO to do so.
    The Commission has implemented section 215 diligently. 
Within 180 days of enactment, the Commission adopted rules 
governing the reliability program. In mid-2006, it approved the 
North American Electric Reliability Corporation (NERC) as the 
ERO. In March 2007, the Commission approved the first set of 
national mandatory and enforceable reliability standards. In 
April 2007, it approved eight regional delegation agreements to 
provide for development of new or modified standards and 
enforcement of approved standards by Regional Entities.
    In exercising its new authority, the Commission has 
interacted extensively with NERC and the industry. The 
Commission also has coordinated with other federal agencies, 
such as the Department of Homeland Security, the Department of 
Energy, the Nuclear Regulatory Commission, and the Department 
of Defense. Also, the Commission has established regular 
communications and meetings with regulators from Canada and 
Mexico regarding reliability, since the North American bulk 
power system is an interconnected continental system subject to 
the varied regulatory regimes of three nations.


          cyber security standards approved under section 215


    An important part of the Commission's responsibility to 
oversee the development of reliability standards involves cyber 
security. Section 215 defines ``reliability standard[s]'' as 
including requirements for the ``reliable operation'' of the 
bulk power system including ``cybersecurity protection.'' 
Section 215 defines reliable operation to mean operating the 
elements of the bulk power system within certain limits so 
instability, uncontrolled separation, or cascading failures 
will not occur ``as a result of a sudden disturbance, including 
a cybersecurity incident.''
    Section 215 also defines a ``cybersecurity incident'' as a 
``malicious act or suspicious event that disrupts, or was an 
attempt to disrupt, the operation of those programmable 
electronic devices and communication networks including 
hardware, software and data that are essential to the reliable 
operation of the bulk power system.''
    In August 2006, NERC submitted eight proposed cyber 
security standards, known as the Critical Infrastructure 
Protection (CIP) standards, to the Commission for approval 
under section 215. Each of these standards contains layers of 
multiple requirements. Critical infrastructure, as defined by 
NERC for purposes of the CIP standards, includes facilities, 
systems, and equipment which, if destroyed, degraded, or 
otherwise rendered unavailable, would affect the reliability or 
operability of the ``Bulk Electric System.'' NERC proposed an 
implementation plan under which certain requirements would be 
``auditably compliant'' beginning by mid-2009, and full 
compliance with the CIP standards would not be mandatory until 
2010.
    On January 18, 2008, after issuing both a staff preliminary 
assessment and notice of proposed rulemaking, the Commission 
issued a Final Rule approving the CIP Reliability Standards and 
concurrently directed NERC to develop significant modifications 
addressing specific concerns, such as the breadth of discretion 
left to utilities by the standards. For example, the standards 
state that utilities ``should interpret and apply the 
reliability standards] using reasonable business judgment.'' 
Similarly, the standards at times require certain steps ``where 
technically feasible,'' but this is defined as not requiring 
the utility ``to replace any equipment in order to achieve 
compliance.'' Also, the standards would allow a utility at 
times not to take certain action if the utility documents its 
``acceptance of risk'' that might be placed on the bulk-power 
system. To address this, the Final Rule directed NERC, among 
other things: (1) to develop modifications to remove the 
``reasonable business judgment'' language and the ``acceptance 
of risk'' exceptions; and, (2) to develop specific conditions 
that a responsible entity must satisfy to invoke the 
``technical feasibility'' exception. NERC and the industry are 
working on proposed modifications to address these two issues. 
However, until such time as the standards are modified by the 
ERO through its stakeholder process, approved by the 
Commission, and implemented by industry, the discretion remains 
and critical facilities will be left unprotected.
    A good example of the discretion implicit in the existing 
cyber security standards involves the utility's ability to 
determine which of its facilities would be subject to them. In 
the Final Rule, the Commission addressed its concerns by 
requiring independent oversight of a utility's decisions by 
industry entities with a ``wide-area view,'' such as 
reliability coordinators or the Regional Entities, subject to 
the review of the Commission. This revision to the standards is 
subject to approval by the affected stakeholders in the 
standards development process and therefore has not yet been 
presented to the Commission. NERC recently conducted a survey 
on this issue which seems to validate the Commission's concern 
and original directives by demonstrating that a significant 
percentage of owners and operators do not believe they own or 
operate critical cyber assets. For example, NERC stated that 
only 29% of generation owners and generation operators reported 
at least one critical asset, though it is unclear from NERC's 
data what portion of the Nation's generation capacity that 29% 
represents, or what portion the designated critical assets 
represent. Thus, it is not clear, even today, what percentage 
of critical assets and their associated critical cyber assets 
has been identified. It is clear, however, that this issue is 
serious and represents a significant gap in cybersecurity 
protection.


current process to address cyber or other national security threats to 
                              reliability


    As an initial matter, it is important to recognize how 
mandatory reliability standards are established under section 
215. Under section 215, reliability standards are developed by 
the ERO through an open, inclusive, and public process. The 
Commission can direct NERC to develop a reliability standard to 
address a particular reliability matter, including cyber 
security threats or vulnerabilities. However, the NERC process 
typically takes years to develop standards for the Commission's 
review. In Fact, the cyber security standards approved by FERC 
took the industry approximately three years to develop.
    NERC's procedures for developing standards allow extensive 
opportunity for industry comment, are open, and are generally 
based on the procedures of the American National Standards 
Institute. The NERC process is intended to develop consensus on 
both the need for the standard and on the substance of the 
proposed standard. Although inclusive, the process is 
relatively slow, cumbersome and unpredictable regarding its 
responsiveness to the Commission's directives.
    Key steps in the NERC process include: nomination of a 
proposed standard using a Standard Authorization Request (SAR); 
public posting of the SAR for comment; review of the comments 
by industry volunteers; drafting or redrafting of the standard 
by a team of industry volunteers; public posting of the draft 
standard; field testing of the draft standard, if appropriate; 
formal balloting of the draft standard, with approval requiring 
a quorum of votes by 75 percent of the ballot pool and 
affirmative votes by two-thirds of the weighted industry sector 
votes; re-balloting, if negative votes are supported by 
specific comments; approval by NERC's board of trustees; and an 
appeals mechanism to resolve any complaints about the standards 
process. NERC-approved standards are then submitted to the 
Commission for its review. This standards development process 
requires public disclosure regarding the reason for the 
proposed standard, the manner in which the standard will 
address the issues at-hand, and any subsequent comments and 
resulting modifications in the standards as the affected 
stakeholders review the material and provide comments.
    Generally, the procedures used by NERC are appropriate for 
developing and approving reliability standards. The process 
allows extensive opportunities for industry and public comment. 
The public nature of the reliability standards development 
process can be a strength of the process as it relates to most 
reliability standards. However, it can be an impediment when 
measures or actions need to be taken to address threats to 
national security quickly, effectively and in a manner that 
protects against the disclosure of security-sensitive 
information.
    The procedures used under section 21 for the development 
and approval of reliability standards do not provide an 
effective and timely means of addressing urgent cyber or other 
national security risks to the bulk power system, particularly 
in emergency situations. Certain circumstances, such as those 
involving national security, may require immediate action. If a 
significant vulnerability in the bulk power system is 
identified, procedures used so far for adoption of reliability 
standards take too long to implement effective corrective 
steps.
    FERC rules governing review and establishment of 
reliability standards allow the agency to direct the ERO to 
develop and propose reliability standards under an expedited 
schedule. For example, FERC could order the ERO to submit a 
reliability standard to address a reliability vulnerability 
within 60 days. Also, NERC's rules of procedure include a 
provision for approval of ``urgent action'' standards that can 
be completed within 60 days and which may be further expedited 
by a written finding by the NERC board of trustees that an 
extraordinary and immediate threat exists to bulk power system 
reliability or national security. However, it is not clear NERC 
could meet this schedule in practice. Moreover, faced with a 
cyber security or other national security threat to 
reliability, there may be a need to act decisively in hours or 
days, rather than weeks, months or years. That would not be 
feasible even under the urgent action process. In the meantime, 
the bulk power system would be left vulnerable to a known 
national security threat. Moreover, existing procedures, 
including the urgent action procedure, would widely publicize 
both the vulnerability and the proposed solutions, thus 
increasing the risk of hostile actions before the appropriate 
solutions are implemented.
    In addition, the proposed standard submitted to the 
Commission may not be sufficient to address the vulnerability 
or threat. As noted above, when a proposed reliability standard 
is submitted to FERC for its review, whether submitted under 
the urgent action provisions or the usual process, the agency 
cannot modify such standard and must either approve or remand 
it. Since the Commission may not modify a proposed reliability 
standard under section 215, it would have the choice of 
approving an inadequate standard and directing changes, which 
reinitiates a process that can take years, or rejecting the 
standard altogether. Under either approach, the bulk power 
system would remain vulnerable for a prolonged period.
    Finally, the open and inclusive process required for 
standards development is not consistent with the need to 
contain security-sensitive information. For instance, a SAR 
would normally detail the need for the standard as well as the 
proposed mitigation to address the issue. Subsequent drafts of 
the standard would consider how effectively it addresses the 
cyber security matters and what objections or revisions are 
proposed by the stakeholders resulting in a final version that 
would be filed with the Commission for review. Potential 
adversaries would have the ability to monitor these 
developments and alter their actions as necessary to preserve 
an effective attack vector.


           nerc's ``aurora'' advisory and subsequent actions


    Currently, the alternative to a mandatory reliability 
standard is for NERC to issue an advisory encouraging utilities 
and others to take voluntary action to guard against cyber or 
other vulnerabilities. That approach provides for quicker 
action, but any such advisory is not mandatory, and should be 
expected to produce inconsistent and potentially ineffective 
responses. That was the Commission's experience with the 
response to an advisory issued in 2007 by NERC regarding an 
identified cyber security threat referred to as the ``Aurora'' 
threat. While NERC can issue an alert, as it did in response to 
the Aurora vulnerability, compliance with these alerts is 
voluntary and subject to the interpretation of the individual 
utilities. Also, an alert can be general in nature and lack 
specificity. For example, as Commission staff has found with 
the Aurora alert, such alerts can cause uncertainty about the 
specific strategies needed to mitigate the identified 
vulnerabilities and the assets to which they apply. Reliance on 
voluntary measures to assure national security is fundamentally 
inconsistent with the conclusion Congress reached during 
enactment of EPAct 2005, that voluntary standards cannot assure 
reliability of the bulk power system.
    Damage from cyber attacks could be enormous. All of the 
electric system is potentially subject to cyber attack, 
including power plants, substations, transmission lines, and 
local distribution lines. A coordinated attack could affect the 
electrical grid to a greater extent than the August 2003 
blackout and cause much more extensive damage. Cyber attacks 
can physically damage the generating facilities and other 
equipment such that restoration of power takes weeks or longer, 
instead of a few hours or days. The harm could extend not only 
to the economy and the health and welfare of our citizens, but 
even to the ability of our military forces to defend us, since 
many military installations rely on the bulk power system for 
their electricity. In fact, a recent Defense Science Board 
report concluded that ``critical missions at military 
installations are vulnerable to loss from commercial power 
outage and inadequate backup power supplies.''\1\ The cost of 
protecting against cyber attacks is difficult to estimate but, 
undoubtedly, is much less than the damages and disruptions that 
could be incurred if we do not protect against them.\2\
---------------------------------------------------------------------------
    \1\Report of the Defense Science Board Task Force on DoD Energy 
Strategy ``More Fight--Less Fuel'', February 2008.
    \2\As an example, the U.S.-Canada Joint Task Force on the August 
2003 Blackout concluded that the outage that affected over 50,000,000 
citizens and was estimated to cost between $4 and $10 billion dollars 
in the United States.
---------------------------------------------------------------------------
    The need for vigilance may increase as new technologies are 
added to the bulk power system. For example, ``smart grid'' 
technology will provide significant benefits in the use of 
electricity. These include the promised ability to manage not 
only energy sources but also energy consumption. However, a 
smarter grid would permit two-way communication between the 
electric system and a much larger number of devices located 
outside of controlled utility environments, which will 
introduce many potential access points. To some degree, this is 
similar to the banking industry allowing its customers to bank 
on line, but only with appropriate security protections in 
place. Security features must be an integral consideration, as 
the Commission stated in a recent proposed policy statement on 
smart grid. As the ``smart grid'' effort moves forward, steps 
will need to be taken to ensure that cyber security protections 
are in place prior to its implementation. The challenge will be 
to focus not only on general approaches but, importantly, on 
the details of specific technologies and the risks they may 
present.


                   key elements of needed legislation


    In my view, section 215 provides an adequate statutory 
foundation for the ERO to develop reliability standards for the 
bulk power system. However, the threat of cyber attacks or 
other intentional malicious acts against the electric grid is 
different. These are national security threats that may be 
posed by foreign nations or others intent on attacking the U.S. 
through its electric grid. The nature of the threat stands in 
stark contrast to other major reliability vulnerabilities that 
have caused regional blackouts and reliability failures in the 
past, such as vegetation management and protective relay 
maintenance practices. Widespread disruption of electric 
service can quickly undermine the U.S. government, its 
military, and the economy, as well as endanger the health and 
safety of millions of citizens. Given the national security 
dimension to this threat, there may be a need to act quickly to 
protect the grid, to act in a manner where action is mandatory 
rather than voluntary, and to protect certain information from 
public disclosure. The Commission's legal authority is 
inadequate for such action. This is true of both cyber and non-
cyber threats that pose national security concerns. In the case 
of such threats to the electric system, the Commission does not 
have sufficient authority to timely protect the reliability of 
the system.
    Any new legislation should address several key concerns. 
First, legislation should allow the Commission to take action 
before a cyber or other national security incident has occurred 
to prevent a significant risk of disruption to the grid due to 
such an incident. In order to protect the grid, it is vital 
that the Commission be authorized to act before an attack. 
Second, any legislation should allow the Commission to maintain 
appropriate confidentiality of any security-sensitive 
information submitted or developed through the exercise of this 
authority. It should also allow the Commission to protect such 
information when the Commission issues orders under any new 
authority. Third, it is important that Congress be aware that 
if additional reliability authority is limited to the ``bulk 
power system,'' as defined in the FPA, it would exclude 
protection against attacks involving Alaska and Hawaii and 
possibly the territories, including any federal installations 
located therein. The current interpretation of ``bulk power 
system'' also would exclude some transmission and all local 
distribution facilities, including virtually all of the grid 
facilities in large cities such as New York., thus precluding 
possible Commission action to mitigate cyber or other national 
security threats to reliability that involve such facilities 
and major population areas. Finally, legislation should address 
not only cyber security threats but also other national 
security threats to reliability.
    The Joint Staff draft bill is one approach that would 
largely rectify the inadequacies in existing federal authority 
to address cyber threats to the electric grid. It gives the 
Commission authority to issue rules or orders that are 
necessary to protect critical electric infrastructure from 
weaknesses or flaws in the design or operation of electric 
devices or networks that expose critical electric 
infrastructure to a cyber security threat. This authority to 
address cyber security vulnerabilities would apply to all 
systems or assets, whether physical or virtual, used for the 
generation, transmission, and distribution of electric energy 
that in the determination of the Commission are so vital to the 
U.S. that the incapacity or destruction of such systems and 
assets would have a debilitating impact on the security, 
national economic security, or national public health or 
safety. Thus, it would allow the Commission to act to protect 
against potential damage to the grid, including the grid 
facilities in New York City, which I referenced earlier.
    As I have noted, a key concern with respect to any cyber 
security legislation is that the Commission must be allowed to 
maintain appropriate confidentiality of any security-sensitive 
information submitted or developed through the exercise of its 
authority. This applies to information submitted to the 
Commission and to orders issued by the Commission, which may 
contain security-sensitive information. While the draft bill 
addresses the protection of critical infrastructure 
information, it could be construed to provide protection only 
for information voluntarily submitted to the Commission or the 
Secretary. Not all information submitted to the Commission or 
the Secretary will be submitted voluntarily, but rather may be 
ordered to be submitted in an agency rule or order. 
Additionally, the Commission or the Secretary may need to 
include sensitive information in the orders they issue and this 
information similarly should be non-public. Therefore, I 
recommend that the language be amended to address these issues.
    I also recommend that the Joint Staff draft be amended to 
address not only cyber security threats but also other national 
security threats to reliability. Intentional physical malicious 
acts (targeting, for example, critical substations and 
generating stations) can cause equal or greater destruction 
than cyber attacks and the Federal government should have no 
less ability to act to protect against such potential damage. 
This additional authority would not displace other means of 
protecting the grid, such as action by federal, state and local 
law enforcement and the National Guard, but the Commission has 
unique expertise regarding the reliability of the grid, the 
consequences of threats to it and the measures necessary to 
safeguard it. If particular circumstances cause both FERC and 
other governmental authorities to require action by utilities, 
FERC will coordinate with other authorities as appropriate.
    Finally, Congress should be aware of the fact that if 
additional reliability authority is limited to the areas within 
the Commission's jurisdiction under section 215 of the FPA, it 
would exclude protection against reliability threats in Alaska 
and Hawaii and possibly the territories, including any federal 
installations located therein.


                               conclusion


    The Commission's authority is not adequate to address cyber 
or other national security threats to the reliability of our 
transmission and power system. These types of threats pose an 
increasing risk to our Nation's electric grid, which undergirds 
our government and economy and helps ensure the health and 
welfare of our citizens. Congress should address this risk now. 
Thank you again for the opportunity to testify today. I would 
he happy to answer any questions you may have.

                        Changes in Existing Law

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill H.R. 5026, as ordered reported, are shown as follows 
(existing law proposed to be omitted is enclosed in black 
brackets, new matter is printed in italic, existing law in 
which no change is proposed is shown in roman):

                           FEDERAL POWER ACT


           The Act of June 10, 1920, Chapter 285, As Amended

    Be it enacted by the Senate and the House of 
Representatives of the United States of America in Congress 
assembled,

           *       *       *       *       *       *       *


PART II--REGULATION OF ELECTRIC UTILITY COMPANIES ENGAGED IN INTERSTATE 
COMMERCE

           *       *       *       *       *       *       *



SEC. 223. JOINT BOARDS ON ECONOMIC DISPATCH.

           *       *       *       *       *       *       *


    (d) Report to the Congress.--Within 1 year after enactment 
of this section, the Commission shall issue a report and submit 
such report to the Congress regarding the recommendations of 
the joint boards under this section and the Commission may 
consolidate the recommendations of more than one such regional 
joint board, including any consensus recommendations for 
statutory or regulatory reform.

SEC. 224. CRITICAL ELECTRIC INFRASTRUCTURE.

    (a) Definitions.--In this section:
          (1) Critical electric infrastructure.--The term 
        `critical electric infrastructure' means systems and 
        assets, whether physical or virtual, used for the 
        generation, transmission, or distribution of electric 
        energy affecting interstate commerce that, as 
        determined by the Commission or the Secretary (as 
        appropriate), are so vital to the United States that 
        the incapacity or destruction of the systems and assets 
        would have a debilitating impact on national security, 
        national economic security, or national public health 
        or safety.
          (2) Critical electric infrastructure information.--
        The term `critical electric infrastructure information' 
        means critical infrastructure information relating to 
        critical electric infrastructure.
          (3) Critical infrastructure information.--The term 
        `critical infrastructure information' has the meaning 
        given the term in section 212 of the Critical 
        Infrastructure Information Act of 2002 (6 U.S.C. 131).
          (4) Cyber security threat.--The term `cyber security 
        threat' means the imminent danger of an act that 
        disrupts, attempts to disrupt, or poses a significant 
        risk of disrupting the operation of programmable 
        electronic devices or communications networks 
        (including hardware, software, and data) essential to 
        the reliable operation of critical electric 
        infrastructure.
          (5) Cyber security vulnerability.--The term `cyber 
        security vulnerability' means a weakness or flaw in the 
        design or operation of any programmable electronic 
        device or communication network that exposes critical 
        electric infrastructure to a cyber security threat.
          (6) Secretary.--The term `Secretary' means the 
        Secretary of Energy.
    (b) Authority of Commission.--
          (1) In general.--The Commission shall issue such 
        rules or orders as are necessary to protect critical 
        electric infrastructure from cyber security 
        vulnerabilities.
          (2) Expedited procedures.--The Commission may issue a 
        rule or order without prior notice or hearing if the 
        Commission determines the rule or order must be issued 
        immediately to protect critical electric infrastructure 
        from a cyber security vulnerability.
          (3) Consultation.--Before issuing a rule or order 
        under paragraph (2), to the extent practicable, taking 
        into account the nature of the threat and urgency of 
        need for action, the Commission shall consult with the 
        entities described in subsection (e)(1) and with 
        officials at other Federal agencies, as appropriate, 
        regarding implementation of actions that will 
        effectively address the identified cyber security 
        vulnerabilities.
          (4) Termination of rules or orders.--A rule or order 
        issued to address a cyber security vulnerability under 
        this subsection shall expire on the effective date of a 
        standard developed and approved pursuant to section 215 
        to address the cyber security vulnerability.
    (c) Emergency Authority of Secretary.--
          (1) In general.--If the Secretary determines that 
        immediate action is necessary to protect critical 
        electric infrastructure from a cyber security threat, 
        the Secretary may require, by order, with or without 
        notice, persons subject to the jurisdiction of the 
        Commission under this section to take such actions as 
        the Secretary determines will best avert or mitigate 
        the cyber security threat.
          (2) Coordination with Canada and Mexico.--In 
        exercising the authority granted under this subsection, 
        the Secretary is encouraged to consult and coordinate 
        with the appropriate officials in Canada and Mexico 
        responsible for the protection of cyber security of the 
        interconnected North American electricity grid.
          (3) Consultation.--Before exercising the authority 
        granted under this subsection, to the extent 
        practicable, taking into account the nature of the 
        threat and urgency of need for action, the Secretary 
        shall consult with the entities described in subsection 
        (e)(1) and with officials at other Federal agencies, as 
        appropriate, regarding implementation of actions that 
        will effectively address the identified cyber security 
        threat.
          (4) Cost recovery.--The Commission shall establish a 
        mechanism that permits public utilities to recover 
        prudently incurred costs required to implement 
        immediate actions ordered by the Secretary under this 
        subsection.
    (d) Duration of Expedited or Emergency Rules or Orders.--
Any rule or order issued by the Commission without prior notice 
or hearing under subsection (b)(2) or any order issued by the 
Secretary under subsection (c) shall remain effective for not 
more than 90 days unless, during the 90 day-period, the 
Commission--
          (1) gives interested persons an opportunity to submit 
        written data, views, or arguments (with or without 
        opportunity for oral presentation); and
          (2) affirms, amends, or repeals the rule or order.
    (e) Jurisdiction.--
          (1) In general.--Notwithstanding section 201, this 
        section shall apply to any entity that owns, controls, 
        or operates critical electric infrastructure.
          (2) Covered entities.--
                  (A) In general.--An entity described in 
                paragraph (1) shall be subject to the 
                jurisdiction of the Commission for purposes 
                of--
                          (i) carrying out this section; and
                          (ii) applying the enforcement 
                        authorities of this Act with respect to 
                        this section.
                  (B) Jurisdiction.--This subsection shall not 
                make an electric utility or any other entity 
                subject to the jurisdiction of the Commission 
                for any other purpose.
          (3) Alaska and Hawaii excluded.--Except as provided 
        in subsection (f), nothing in this section shall apply 
        in the State of Alaska or Hawaii.
    (f) Defense facilities.--Not later than 1 year after the 
date of enactment of this section, the Secretary of Defense 
shall prepare, in consultation with the Secretary, the States 
of Alaska and Hawaii, the Territory of Guam, and the electric 
utilities that serve national defense facilities in those 
States and Territory, a comprehensive plan that identifies the 
emergency measures or actions that will be taken to protect the 
reliability of the electric power supply of the national 
defense facilities located in those States and Territory in the 
event of an imminent cybersecurity threat.
    (g) Protection of Critical Electric Infrastructure 
Information.--
          (1) In general.--Section 214 of the Critical 
        Infrastructure Information Act of 2002 (6 U.S.C. 133) 
        shall apply to critical electric infrastructure 
        information submitted to the Commission or the 
        Secretary under this section to the same extent as that 
        section applies to critical infrastructure information 
        voluntarily submitted to the Department of Homeland 
        Security under that Act (6 U.S.C. 131 et seq.).
          (2) Rules prohibiting disclosure.--Notwithstanding 
        section 552 of title 5, United States Code, the 
        Secretary and the Commission shall prescribe 
        regulations prohibiting disclosure of information 
        obtained or developed in ensuring cyber security under 
        this section if the Secretary or Commission, as 
        appropriate, decides disclosing the information would 
        be detrimental to the security of critical electric 
        infrastructure.
          (3) Procedures for sharing information.--
                  (A) In general.--The Secretary and the 
                Commission shall establish procedures on the 
                release of critical infrastructure information 
                to entities subject to this section, to the 
                extent necessary to enable the entities to 
                implement rules or orders of the Commission or 
                the Secretary.
                  (B) Requirements.--The procedures shall--
                          (i) limit the redissemination of 
                        information described in subparagraph 
                        (A) to ensure that the information is 
                        not used for an unauthorized purpose;
                          (ii) ensure the security and 
                        confidentiality of the information;
                          (iii) protect the constitutional and 
                        statutory rights of any individuals who 
                        are subjects of the information; and
                          (iv) provide data integrity through 
                        the timely removal and destruction of 
                        obsolete or erroneous names and 
                        information.

           *       *       *       *       *       *       *


                                  
