[Senate Hearing 112-529]
[From the U.S. Government Publishing Office]
S. Hrg. 112-529
ELECTRIC GRID SECURITY
=======================================================================
HEARING
before the
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
TO
EXAMINE THE STATUS OF ACTION TAKEN TO ENSURE THAT THE ELECTRIC GRID IS
PROTECTED FROM CYBER ATTACKS
__________
JULY 17, 2012
Printed for the use of the
Committee on Energy and Natural Resources
_____
U.S. GOVERNMENT PRINTING OFFICE
75-809 PDF WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON ENERGY AND NATURAL RESOURCES
JEFF BINGAMAN, New Mexico, Chairman
RON WYDEN, Oregon LISA MURKOWSKI, Alaska
TIM JOHNSON, South Dakota JOHN BARRASSO, Wyoming
MARY L. LANDRIEU, Louisiana JAMES E. RISCH, Idaho
MARIA CANTWELL, Washington MIKE LEE, Utah
BERNARD SANDERS, Vermont RAND PAUL, Kentucky
DEBBIE STABENOW, Michigan DANIEL COATS, Indiana
MARK UDALL, Colorado ROB PORTMAN, Ohio
JEANNE SHAHEEN, New Hampshire JOHN HOEVEN, North Dakota
AL FRANKEN, Minnesota DEAN HELLER, Nevada
JOE MANCHIN, III, West Virginia BOB CORKER, Tennessee
CHRISTOPHER A. COONS, Delaware
Robert M. Simon, Staff Director
Sam E. Fowler, Chief Counsel
McKie Campbell, Republican Staff Director
Karen K. Billups, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS
Page
Bingaman, Hon. Jeff, U.S. Senator From New Mexico................ 1
Cauley, Gerry, President and Chief Executive Officer, North
American Electric Reliability Corporation...................... 25
McClelland, Joseph, Director, Office of Electric Reliability,
Federal Energy Regulatory Commission........................... 4
Murkowski, Hon. Lisa, U.S. Senator From Alaska................... 2
Snitchler, Todd A., Chairman, Public Utilities Commission of Ohio 32
Wilshusen, Gregory C., Director, Information Security Issues,
Government Accountability Office............................... 11
APPENDIX
Responses to additional questions................................ 57
ELECTRIC GRID SECURITY
----------
TUESDAY, JULY 17, 2012
U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The committee met, pursuant to notice, at 10 a.m. in room
SD-366, Dirksen Senate Office Building, Hon. Jeff Bingaman,
chairman, presiding.
OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. SENATOR FROM NEW
MEXICO
The Chairman. OK. Why don't we go ahead and get started?
I am advised that Senator Murkowski is on her way, but
urged us to proceed. This morning's hearing is to examine the
status of actions taken by the Federal Energy Regulatory
Commission or FERC, and the North American Electric Reliability
Corporation or NERC, and the States to protect the electric
grid from computer attacks on their facilities and control
systems.
I don't think we need to talk much about the serious nature
of this issue. Last week, we experienced a week-long outage in
much of this region. It was a weather-related outage, but it
demonstrates how important reliable service on the electric
grid is.
We read every day of newly discovered attacks or threats on
computer systems in this country and around the world.
According to the Director of National Intelligence, there's
been a dramatic increase in the frequency of malicious cyber
activity, targeting U.S. computers and networks, including a
more than tripling of the volume of malicious software, since
2009. So, the threat is real, and it is serious.
In 2005, we gave FERC the authority to name an entity to
develop and enforce standards to protect the reliability of the
grid. I believe that there are two things that we can say about
the system that has emerged since then.
First, the current reliability system does have a mandatory
character, so the electric grid is the only critical
infrastructure in this country that has some form of an
enforceable standard for cybersecurity.
Second, the current reliability system that has emerged is
cumbersome and overly complicated. This may be adequate to deal
with reliability concerns like, standards for trimming trees so
that they do not fall on transmission lines, but when it comes
to cyber attacks, I am concerned that the current system is not
adequate.
The process to develop standards started in earnest in 2006
when NERC filed a series of reliability standards with NERC; a
number of them related to cybersecurity and FERC found them
wanting. In a series of filings since then, NERC has corrected
some of the shortcomings that the FERC highlighted.
As recently as April, version 4 of the cyber standards was
approved, with the provision that NERC address the remaining
inadequacies by the end of the first quarter of next year. That
means that we are here today in this committee, 7 years after
we passed the law, and we are still waiting for this process to
produce the full set of adequately protective standards that we
need. That cumbersome process has to address a threat, whose
nature is rapidly changing. The standards that are in place may
not be flexible enough to deal with emerging threats, and we
still do not have an effective system in place to require
action in the face of an imminent cyber attack.
NERC has developed a system of alerts to help the industry
with newly discovered threats. I will have some questions about
that system, how that system is working in practice.
The concerns that have prompted this hearing are ones that
have resulted in bipartisan cybersecurity legislation that we
have reported from this committee, both this Congress and in
the last Congress. In 2010, Senator Murkowski and I agreed on
an expedited approach to cybersecurity standards that was
centered at FERC and that passed the committee unanimously.
That bill was hotlined for passage in the Senate at the end of
the last Congress. It ran into holes from two of our colleagues
and, perhaps, more.
Last year, Senator Murkowski and I reworked the proposal
into one that featured a greater role for NERC, but allowed
FERC to set effective deadlines for action and also gave the
Secretary of Energy emergency cybersecurity authority. Once
again, that bill passed this committee unanimously.
I don't believe that the cyber threat facing the electric
grid has gotten any less serious since last year, when we acted
on a bipartisan basis to pass our legislation out of the
committee.
In the testimony for today's hearing, there are suggestions
that there are additional cyber issues that also need focused
attention, particularly with respect to the implementation of
smart grid technologies. We need to address these
vulnerabilities that are clearly before us. The bill that
passed this committee unanimously would be an excellent place
to start. It did a good job of balancing the need to avail
ourselves of the expertise in industry on these issues, with
the need to act expeditiously. Nothing since then has changed
the need for clear authority to deal with immediate emergencies
and longer-term vulnerabilities.
As we all agreed last year, processes that take years to
bear fruit, may be sufficient for less urgent reliability
issues, but not for the challenges we face in cybersecurity.
So, I look forward to hearing from the witnesses.
Let me defer to Senator Murkowski for any opening
statements she would like to make.
STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR
FROM ALASKA
Senator Murkowski. Thank you, Mr. Chairman. Welcome, to all
the witnesses this morning. I appreciate the hearing today.
Of course, the purpose of this morning's hearing is to take
another--and, perhaps, a closer--look at the ongoing efforts to
protect our Nation's grid from cyber attacks. I do think it is
important that we recognize the tremendous amount of work that
has already gone into safeguarding the grid's reliability.
Back in 2005, Congress directed FERC to select an electric
reliability organization, now known as the NERC, and tasked it
with establishing and enforcing mandatory reliability
standards, including cyber standards.
I think it has been a difficult, time-consuming process,
but I would like to commend NERC for the professional and
balanced way that it has consistently met its responsibilities.
There is no question, Mr. Chairman, as you point out, that
cybersecurity is an absolutely critical issue. It should be
addressed by this Congress. I am certain that every member of
this body is concerned that our Nation may be vulnerable to
cyber attacks that could have severe economic and security
ramifications.
We see stories about this just about every day, on
individuals, on companies, on the Government--these cyber
incursions. It is time for us to take steps to protect
ourselves from a very real and emerging threat.
Last year, as you point out, Mr. Chairman, the Energy
Committee did report out a sector-specific cybersecurity bill.
This action was taken in response to the majority leader's
directive to the various committees with cyber jurisdiction to
produce their own bills. At which point, they would all be
stitched together into a single piece of cybersecurity
legislation.
I think, Mr. Chairman, that the Energy Committee was the
only committee to have actually done just exactly that. But
since that time, now over a year ago, circumstances have
evolved. I think there is near agreement that we need a
comprehensive approach to the cybersecurity problem. Some would
have us believe that only the Department of Homeland Security
and a host of new Federal regulations will protect us from
persistent cyber threats.
But I don't think that heavy-handed static requirements
from yet another Federal regulator will address the very real
threat that we face. I think, instead, that we need a much more
nimble approach to deal with cyber-related threats that are
constantly growing and always changing.
I have joined with a number of other Ranking Member
colleagues to introduce, what we're calling, the Secure IT Act.
This is S. 3342. I think it's a pragmatic approach to this
issue. We focus on 4 areas that, I believe, we can draw
bipartisan support for. That is within the area of information
sharing. We have got FISMA reform, criminal penalties,
additional research.
But what the Secure IT Act does not do, I think, is equally
important. It does not add new layers of bureaucracy and
regulation that will serve little purpose and achieve meager
results. I think it is a pretty straightforward approach to
cybersecurity that can go a long ways in addressing our
problem.
Mr. Chairman, I thank you for convening this hearing. I
look forward to hearing what the witnesses have to say on the
actions that have been taken to date, as well as the ongoing
efforts to secure the grid at both the transmission and the
distribution level.
The Chairman. Thank you very much. I would just point out
that the Majority Leader has advised, I think, everyone who's--
listens to his statements that he hopes we can move to
cybersecurity legislation on the Senate floor between now and
the time we adjourn in August, and so, I think this hearing is
particularly timely for that reason.
Let me introduce our 4 witnesses.
First is, Mr. Joseph McClelland, Director of the Office of
Electric Reliability at the Federal Energy Regulatory
Commission.
Next is, Mr. Gregory C. Wilshusen, who is the Director of
Information and Technology, with the Government Accountability
Office.
Third is, Mr. Gerry Cauley, who is President and Chief
Executive Officer with the North American Electric Reliability
Corporation, NERC. Thank you very much for being here.
Mr. Todd Snitchler, who is the Chairman of the Public
Utility Commission of Ohio. Thank you very much for being here.
Mr. McClelland, why don't you start. If each of you could
take 5 or 6 minutes and give us the main things you think we
need to understand about the issue. We will then have some
questions.
STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC
RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION
Mr. McClelland. Thank you, Mr. Chairman.
Mr. Chairman, Ranking Member, and members of the committee,
thank you for the privilege to appear before you today to
discuss the security of the electric grid. My name is Joe
McClelland, and I am the Director of the Office of Electric
Reliability at the Federal Energy Regulatory Commission.
I am here today as a Commission staff witness and my
remarks do not necessarily represent the views of the Chairman
or any individual commissioner.
The Commission is committed to protecting the reliability
of the Nation's bulk power system. Nevertheless, limitations in
Federal authority do not fully protect the grid against
physical and cyber threats. My testimony summarizes the
Commission's oversight of the reliability of the electric grid
under section 215 of the Federal Power Act, and the
Commission's implementation of that authority, with respect to
cyber-related reliability issues, primarily through Order 706
In the Energy Policy Act of 2005, Congress entrusted the
Commission with a major new responsibility, to oversee
mandatory enforceable reliability and cybersecurity standards
for the Nation's bulk power system. This authority is in new
section 215 of the Federal Power Act.
Under the new authority, FERC cannot author or modify
reliability standards, but must select an Electric Reliability
Organization, or ERO, to perform this task. The ERO develops
and proposes reliability standards or modifications for the
Commission's review, which it can then either approve or
remand.
If the Commission approves the proposed reliability
standard, it applies to the users, owners, and operators of a
bulk power system and becomes mandatory in the United States.
If the Commission remands a proposed standard, it is sent back
to the ERO for further consideration.
The Commission selected the North American Electric
Reliability Corporation, or NERC, as the ERO. It is important
to note that FERC's jurisdiction and reliability authority is
limited to the ``bulk power system,'' as defined in the FPA,
which excludes Alaska and Hawaii distribution systems, and can
exclude transmission facilities in certain large cities, such
as New York.
In addition to the reliability authority, FERC is also
charged with oversight of the cybersecurity of the bulk power
system. As is the case with non-security issues, FERC's
authority under 215 of our cybersecurity is exercised through
the reliability standards developed by the ERO and approved by
FERC. Pursuant to this duty, FERC approved 8 cybersecurity
standards known as the Critical Infrastructure Protection
standards, or CIP standards, proposed by NERC, while
concurrently directing modifications to them in January 2008.
Three sets of modifications, responding to the Commission's
directives, have been received from the ERO, and the last was
approved earlier this year.
Although the CIP standards are approved, full compliance
with these revised standards will not be mandatory until 2014.
More importantly, in approving the latest revision of the CIP
standards, the Commission recognized that they are an interim
step and raised its concern that the newly revised standards do
not provide enough protection to satisfy the Commission's
January 2008 Order. Thus, the Commission established a deadline
for the end of the first quarter of 2013, for NERC to file
standards in compliance with the outstanding directives in that
Order.
Physical attacks against the power grid can cause equal or
great destruction than cyber attacks. One example of a physical
threat is an electromagnetic pulse, or EMP, event.
In 2001, Congress established a commission to assess the
threat from EMP. In 2004 and, again, in 2008, the Commission
issued its reports. Among the findings in the reports were that
a single EMP attack could seriously degrade or shut down a
large part of the electric power grid. Depending upon the
attack, significant parts of the electric infrastructure could
be, ``Out of service for periods measured in months to a year
or more.''
In addition to man-made attacks, EMP events are also
naturally generated, caused by solar flares and storms,
disrupting the Earth's magnetic field. Such events can be
powerful and can also cause significant and prolonged
disruptions to the power grid.
The standards development system utilized under FPA 215
develops mandatory reliability standards, using an open and
inclusive process, based on consensus. Although it can be an
effective mechanism with dealing with the routine requirements
of the power grid, it is inadequate when addressing threats to
the power grid that endanger national security.
Despite its active role in approving reliability standards,
FERC's current legal authority is insufficient to assure
direct, timely, and mandatory action to protect the grid,
particularly where certain information should not be publicly
disclosed.
Any new legislation should address several key concerns.
First, legislation should allow the Federal Government to take
action before a cyber or physical national security incident
has occurred.
Second, any legislation should ensure appropriate
confidentiality of the sensitive information submitted,
developed, or issued under this authority.
Third, if additional reliability authority is limited to
the bulk power system, as that term is currently defined in the
FPA, it would not authorize Federal action to mitigate cyber or
other national security threats to reliability that involve
certain critical facilities in major population areas.
Finally, it is important that entities be able to recover
costs that they incur to mitigate vulnerabilities and threats.
Thank you for your attention today. I am available to
address any questions that you may have.
[The prepared statement of Mr. McClelland follows:]
Prepared Statement of Joseph McClelland, Director, Office of Electric
Reliability, Federal Energy Regulatory Commission
Mr. Chairman, Ranking Member and Members of the Committee:
Thank you for this opportunity to appear before you to discuss the
security of the electric grid. My name is Joseph McClelland. I am the
Director of the Office of Electric Reliability (OER) of the Federal
Energy Regulatory Commission (FERC or Commission). The Commission's
role with respect to reliability is to help protect and improve the
reliability of the Nation's bulk power system through effective
regulatory oversight as established in the Energy Policy Act of 2005. I
am here today as a Commission staff witness and my remarks do not
necessarily represent the views of the Commission or any individual
Commissioner.
The Commission is committed to protecting the reliability of the
nation's bulk electric system; nevertheless, the Commission's current
authority is not adequate to address cyber or other national security
threats to the reliability of our transmission and power system. These
types of threats pose an increasing risk to our Nation's electric grid,
which undergirds our government and economy and helps ensure the health
and welfare of our citizens.
I will describe how limitations in Federal authority do not fully
protect the grid against physical and cyber threats. My testimony also
summarizes the Commission's oversight of the reliability of the
electric grid under section 215 of the Federal Power Act (FPA) and the
Commission's implementation of that authority with respect to cyber
related reliability issues primarily through Order No. 706.
background
In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted
the Commission with a major new responsibility to oversee mandatory,
enforceable reliability standards for the Nation's bulk power system
(excluding Alaska and Hawaii). This authority is in section 215 of the
Federal Power Act. Section 215 requires the Commission to select an
Electric Reliability Organization (ERO) that is responsible for
proposing, for Commission review and approval, reliability standards or
modifications to existing reliability standards to help protect and
improve the reliability of the Nation's bulk power system. The
Commission has certified the North American Electric Reliability
Corporation (NERC) as the ERO. The reliability standards apply to the
users, owners and operators of the bulk power system and become
mandatory in the United States only after Commission approval. The ERO
also is authorized to impose, after notice and opportunity for a
hearing, penalties for violations of the reliability standards, subject
to Commission review and approval. The ERO may delegate certain
responsibilities to ``Regional Entities,'' subject to Commission
approval.
The Commission may approve proposed reliability standards or
modifications to previously approved standards if it finds them ``just,
reasonable, not unduly discriminatory or preferential, and in the
public interest.'' The Commission itself does not have authority to
modify proposed standards. Rather, if the Commission disapproves a
proposed standard or modification, section 215 requires the Commission
to remand it to the ERO for further consideration. The Commission, upon
its own motion or upon complaint, may direct the ERO to submit a
proposed standard or modification on a specific matter but it does not
have the authority to modify or author a standard and must depend upon
the ERO to do so.
Limitations of Section 215 and the Term ``Bulk Power System''
Currently, the Commission's jurisdiction and reliability authority
is limited to the ``bulk power system,'' as defined in the FPA, and
therefore excludes Alaska and Hawaii, including any federal
installations located therein. The current interpretation of ``bulk
power system'' also excludes some transmission and all local
distribution facilities, including virtually all of the grid facilities
in certain large cities such as New York, thus precluding Commission
action to mitigate cyber or other national security threats to
reliability that involve such facilities and major population areas.
The Commission directed NERC to revise its interpretation of the bulk
power system to eliminate inconsistencies across regions, eliminate the
ambiguity created by the current discretion in NERC's definition of
bulk electric system, provide a backstop review to ensure that any
variations do not compromise reliability, and ensure that facilities
that could significantly affect reliability are subject to mandatory
rules. NERC has recently filed a revised definition of the term bulk
power system, and the Commission has solicited comments on its proposal
to accept NERC's revised definition. However, it is important to note
that section 215 of the FPA excludes local distribution facilities from
the Commission's reliability jurisdiction, so any revised bulk electric
system definition developed by NERC will still not apply to local
distribution facilities.
Critical Infrastructure Protection Reliability Standards
An important part of the Commission's current responsibility to
oversee the development of reliability standards for the bulk power
system involves cyber related reliability issues. In August 2006, NERC
submitted eight proposed cyber standards, known as the Critical
Infrastructure Protection (CIP) standards, to the Commission for
approval under section 215. Critical infrastructure, as defined by NERC
for purposes of the CIP standards, includes facilities, systems, and
equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the ``Bulk
Electric System.'' Under NERC's implementation plan for the CIP
standards, full compliance became mandatory on July 1, 2010.
On January 18, 2008, the Commission issued Order No. 706, the Final
Rule approving the CIP reliability standards while concurrently
directing NERC to develop significant modifications addressing specific
concerns. The Commission set a deadline of July 1, 2009 for NERC to
resolve certain issues in the CIP reliability standards, including
deletion of the ``reasonable business judgment'' and ``acceptance of
risk'' language in each of the standards. NERC concluded that this
deadline would create a very compressed schedule for its stakeholder
process. Therefore, it divided all of the changes directed by the
Commission into phases, based on their complexity. NERC opted to
resolve the simplest changes in the first phase, while putting off more
complex changes for later versions.
NERC filed the first phase of the modifications to the CIP
Reliability Standards (Version 2) on May 22, 2009. In this phase, NERC
removed from the standards the terms ``reasonable business judgment''
and ``acceptance of risk,'' added a requirement for a ``single senior
manager'' responsible for CIP compliance, and made certain other
administrative and clarifying changes. In a September 30, 2009 order,
the Commission approved the Version 2 CIP standards and directed NERC
to develop additional modifications to certain of them. Pursuant to the
Commission's September 30, 2009 order, NERC submitted Version 3 of the
CIP standards which revised Version 2 as directed. The Version 3 CIP
standards became effective on October 1, 2010. This first phase of the
modifications directed by the Commission in Order No. 706, which
encompassed both Version 2 and Version 3, did not modify the critical
asset identification process, a central concern in Order No. 706.
On February 10, 2011, NERC initiated the second phase of the Order
No. 706 directed modification, filing a petition seeking approval of
Version 4 of the CIP standards. Version 4 includes new proposed
criteria to identify ``critical assets'' for purposes of the CIP
reliability standards. On April 19, 2012, the Commission issued Order
No. 761, approving the Version 4 CIP standards, which introduced
``bright line'' criteria for the identification of Critical Assets. The
version 4 CIP standards do not go into effect until April 1, 2014. The
currently effective CIP reliability standards allow utilities
significant discretion to determine which of their facilities are
``critical assets and the associated critical cyber assets,'' and
therefore are subject to the requirements of the standards. It is
important to note that although ``critical assets'' are used to
identify subsequent ``critical cyber assets,'' only the subset of
``critical cyber assets''--which are self-determined by the affected
entities--are subject to the CIP standards. As the Commission stated in
Order No. 706, the identification of critical assets is the cornerstone
of the CIP standards. If that identification is not done well, the CIP
standards will be ineffective at maintaining the reliability of the
bulk power system.
In the order approving NERC's Version 4 standards, the Commission
recognized that Version 4 is an interim step and stated its concern
that Version 4 does not provide enough protection to satisfy Order No.
706. Thus, the Commission established a deadline of end of first
quarter of 2013 for NERC to file standards in compliance with the
outstanding directives in Order No. 706.
The remaining CIP standards revisions to respond to the
Commission's directives issued in Order No. 706 are still under
development by NERC. It is important to note that the majority of the
Order No. 706 directed modifications to the CIP standards have yet to
be addressed by NERC. Until they are addressed, there are significant
gaps in protection.
the nerc process
As an initial matter, it is important to recognize how mandatory
reliability standards are established. Under section 215, reliability
standards must be developed by the ERO through an open, inclusive, and
public process. The Commission can direct NERC to develop a reliability
standard to address a particular reliability matter. However, the NERC
process typically requires years to develop standards for the
Commission's review. In fact, the CIP standards approved by the
Commission in January 2008 took approximately three years to develop.
NERC's procedures for developing standards allow extensive
opportunity for stakeholder comment, are open, and are generally based
on the procedures of the American National Standards Institute. The
NERC process is intended to develop consensus on both the need for, and
the substance of, the proposed standard. Although inclusive, the
process is relatively slow, open and unpredictable in its
responsiveness to the Commission's directives. This process requires
public disclosure regarding the reason for the proposed standard, the
manner in which the standard will address the issues, and any
subsequent comments and resulting modifications in the standards as the
affected stakeholders review the material and provide comments. NERC-
approved standards are then submitted to the Commission for its review.
The procedures used by NERC are appropriate for developing and
approving routine reliability standards. The process allows extensive
opportunities for industry and public comment. The public nature of the
reliability standards development process can be a strength of the
process. However, it can be an impediment when measures or actions need
to be taken to address threats to national security quickly,
effectively and in a manner that protects against the disclosure of
security-sensitive information. The current procedures used under
section 215 for the development and approval of reliability standards
do not provide an effective and timely means of addressing urgent cyber
or other national security risks to the bulk power system, particularly
in emergency situations. Certain circumstances, such as those involving
national security, may require immediate action, while the reliability
standard procedures take too long to implement efficient and timely
corrective steps. On September 3, 2010, FERC approved a new reliability
standards process manual filed by NERC. While this manual includes a
process for developing a standard related to a confidential issue, the
new process is untested and it is unclear how the process would be
implemented.
FERC rules governing review and establishment of reliability
standards allow the agency to direct the ERO to develop and propose
reliability standards under an expedited schedule. For example, FERC
could order the ERO to submit a reliability standard to address a
reliability vulnerability within 60 days. Also, NERC's rules of
procedure include a provision for approval of ``urgent action''
standards that can be completed within 60 days and which may be further
expedited by a written finding by the NERC board of trustees that an
extraordinary and immediate threat exists to bulk power system
reliability or national security. However, it is not clear NERC could
meet this schedule in practice. Moreover, faced with a national
security threat to reliability, there may be a need to act decisively
in hours or days, rather than weeks, months or years. That would not be
feasible even under the urgent action process. In the meantime, the
bulk power system would be left vulnerable to a known national security
threat. Moreover, existing procedures, including the urgent action
procedure, could widely publicize both the vulnerability and the
proposed solutions, thus increasing the risk of hostile actions before
the appropriate solutions are implemented.
In addition, a reliability standard submitted to the Commission by
NERC may not be sufficient to address the identified vulnerability or
threat. Since FERC may not directly modify a proposed reliability
standard under section 215 and must either approve or remand it, FERC
would have the choice of approving an inadequate standard and directing
changes, which reinitiates a process that can take years, or rejecting
the standard altogether. Under either approach, the bulk power system
would remain vulnerable for a prolonged period.
This concern was highlighted in the Department of Energy Inspector
General's January 2011 audit report on FERC's ``Monitoring of Power
Grid Cyber Security.'' The audit report identified concerns regarding
the adequacy of the CIP standards and the implementation and schedule
for the CIP standards, and concluded that these problems exist, in
part, because the Commission's authority to ensure adequate reliability
of the bulk electric system is limited. This report emphasizes the need
for additional authority to ensure adequate cyber security over the
bulk electric system.
Finally, the open and inclusive process required for standards
development is not consistent with the need to protect security-
sensitive information. For instance, a formal request for a new
standard would normally detail the need for the standard as well as the
proposed mitigation to address the issue, and the NERC-approved version
of the standard would be filed with the Commission for review. This
public information could help potential adversaries in planning
attacks.
physical security and other threats to reliability
The existing reliability standards do not extend to physical
threats to the grid, but physical threats can cause equal or greater
destruction than cyber attacks and the Federal government should have
no less ability to act to protect against such potential damage. One
example of a physical threat is an electromagnetic pulse (EMP) event.
EMP events can be generated from either naturally occurring or man-made
causes. In the case of the former, solar magnetic disturbances
periodically disrupt the earth's magnetic field which in turn, can
generate large induced ground currents. This effect, also termed the
``E3'' component of an EMP, can simultaneously damage or destroy bulk
power system transformers over a large geographic area. Regarding man-
made events, EMP can also be generated by weapons. Equipment and plans
are readily available that have the capability to generate high-energy
bursts, termed ``E1'', that can damage or destroy electronics such as
those found in control and communication systems on the power grid.
These devices can be portable and effective, facilitating simultaneous
coordinated attacks, and can be reused, allowing use against multiple
targets. The most comprehensive man-made EMP threat is from a high-
altitude nuclear explosion. It would affect an area defined by the
``line-of-sight'' from the point of detonation. The higher the
detonation the larger the area affected, and the more powerful the
explosion the stronger the EMP emitted. The first component of the
resulting pulse E1 occurs within a fraction of a second and can destroy
control and communication electronics. The second component is termed
``E2'' and is similar to lightning, which is well-known and mitigated
by industry. Toward the end of an EMP event, a third element, E3,
occurs. This causes the same effect as solar magnetic disturbances. It
can damage or destroy power transformers connected to long transmission
lines. It is important to note that effective mitigation against solar
magnetic disturbances and non-nuclear EMP weaponry provides effective
mitigation against a high-altitude nuclear explosion.
In 2001, Congress established a commission to assess the threat
from EMP, with particular attention to be paid to the nature and
magnitude of high-altitude EMP threats to the United States;
vulnerabilities of U.S. military and civilian infrastructure to such
attack; capabilities to recover from an attack; and the feasibility and
cost of protecting military and civilian infrastructure, including
energy infrastructure. In 2004, the EMP commission issued a report
describing the nature of EMP attacks, vulnerabilities to EMP attacks,
and strategies to respond to an attack.\1\ A second report was produced
in 2008 that further investigated vulnerabilities of the Nation's
infrastructure to EMP.\2\ Both electrical equipment and control systems
can be damaged by EMP.
---------------------------------------------------------------------------
\1\ Graham, Dr. William R. et al., Report of the Commission to
Assess the Threat to the United States from Electromagnetic Pulse (EMP)
Attack (2004).
\2\ Dr. John S. Foster, Jr. et al., Report of the Commission to
Assess the Threat to the United States from Electromagnetic Pulse (EMP)
Attack (2008).
---------------------------------------------------------------------------
An EMP may also be a naturally-occurring event caused by solar
flares and storms disrupting the Earth's magnetic field. In 1859, a
major solar storm occurred, causing auroral displays and significant
shifts of the Earth's magnetic fields. As a result, telegraphs were
rendered useless and several telegraph stations burned down. The
impacts of that storm were muted because semiconductor technology did
not exist at the time. Were the storm to happen today, according to an
article in Scientific American, it could ``severely damage satellites,
disable radio communications, and cause continent-wide electrical
black-outs that would require weeks or longer to recover from.''\3\
Although storms of this magnitude occur rarely, storms and flares of
lesser intensity occur more frequently. Storms of about half the
intensity of the 1859 storm occur every 50 years or so according to the
authors of the Scientific American article, and the last such storm
occurred in November 1960, leading to world-wide geomagnetic
disturbances and radio outages. The power grid is particularly
vulnerable to solar storms, as transformers are electrically grounded
to the Earth and susceptible to damage from geomagnetically induced
currents. The damage or destruction of numerous transformers across the
country would result in reduced grid functionality and even prolonged
power outages.
---------------------------------------------------------------------------
\3\ Odenwald, Sten F. and Green, James L., Bracing the Satellite
Infrastructure for a Solar Superstorm, Scientific American Magazine
(Jul. 28, 2008).
---------------------------------------------------------------------------
In March 2010, Oak Ridge National Laboratory (Oak Ridge) and their
subcontractor Metatech released a study that explored the vulnerability
of the electric grid to EMP-related events. This study was a joint
effort contracted by FERC staff, the Department of Energy and the
Department of Homeland Security and expanded on the information
developed in other initiatives, including the EMP commission reports.
The series of reports provided detailed technical background and
outlined which sections of the power grid are most vulnerable, what
equipment would be affected, and what damage could result. Protection
concepts for each threat and additional methods for remediation were
also included along with suggestions for mitigation. The results of the
study support the general conclusion that EMP events pose substantial
risk to equipment and operation of the Nation's power grid and under
extreme conditions could result in major long term electrical outages.
In fact, solar magnetic disturbances are inevitable with only the
timing and magnitude subject to variability. The study assessed the
1921 solar storm, which has been termed a 1-in-100 year event, and
applied it to today's power grid. The study concluded that such a storm
could damage or destroy up to 300 bulk power system transformers
interrupting service to 130 million people for a period of years.
On April 30, 2012, the Commission held a technical conference to
discuss issues related to reliability of the bulk power system as
affected by geomagnetic disturbances. The conference explored the risks
and impacts from geomagnetically induced currents to transformers and
other equipment on the bulk power system, as well as options for
addressing or mitigating the risks and impacts. The Commission is
considering the comments filed after that conference.
The existing reliability standards do not address EMP
vulnerabilities. Protecting the electric generation, transmission and
distribution systems from severe damage due to an EMP-related event
would involve vulnerability assessments at every level of electric
infrastructure.
the need for legislation
In my view, section 215 of the Federal Power Act provides an
adequate statutory foundation for the ERO to develop most reliability
standards for the bulk power system. However, the nature of a national
security threat by entities intent on attacking the U.S. through
vulnerabilities in its electric grid stands in stark contrast to other
major reliability vulnerabilities that have caused regional blackouts
and reliability failures in the past, such as vegetation management and
protective relay maintenance practices. Widespread disruption of
electric service can quickly undermine the U.S. government, its
military, and the economy, as well as endanger the health and safety of
millions of citizens. Given the national security dimension to this
threat, there may be a need to act quickly to protect the grid, to act
in a manner where action is mandatory rather than voluntary, and to
protect certain information from public disclosure.
The Commission's current legal authority is inadequate for such
action. This is true of both cyber and physical threats to the bulk
power system that pose national security concerns. Section 215 of the
FPA excludes all facilities in Alaska and Hawaii and all local
distribution facilities from the Commission's reliability jurisdiction,
which may leave significant facilities vulnerable to the threat of a
cyber or physical attack. In addition, although the NERC standards
development process as envisioned in section 215 can be fine for
routine reliability matters, it is too slow, too open and too
unpredictable to ensure its responsiveness in the cases where national
security is endangered. This process is inadequate when measures or
actions need to be taken to address threats to national security
quickly, effectively and in a manner that protects against the
disclosure of security-sensitive information.
These shortcomings can be solved through a comprehensive,
government-wide approach to cyber security issues or through a sector-
specific approach. If a government-wide course is pursued, care should
be taken to ensure that the two approaches complement each other,
preserving FERC's ability to regulate electric reliability effectively.
Any new legislation should address several key concerns. First, to
prevent a significant risk of disruption to the grid, legislation
should allow the federal government to take action before a cyber or
physical national security incident has occurred. In particular, the
federal government should be able to require mitigation even before or
while NERC and its stakeholders develop a standard, when circumstances
require urgent action. Second, any legislation should ensure
appropriate confidentiality of sensitive information submitted,
developed or issued under this authority. Without such confidentiality,
the grid may be more vulnerable to attack. Third, if additional
reliability authority is limited to the bulk power system, as that term
is currently defined in the FPA, it would not authorize Federal action
to mitigate cyber or other national security threats to reliability
that involve certain critical facilities and major population areas.
Fourth, it is important that entities be able to recover costs they
incur to mitigate vulnerabilities and threats.
conclusion
The Commission's current authority is not adequate to address cyber
or other national security threats to the reliability of our
transmission and power system. These types of threats pose an
increasing risk to our Nation's electric grid, which undergirds our
government and economy and helps ensure the health and welfare of our
citizens. Thank you again for the opportunity to testify today. I would
be happy to answer any questions you may have.
The Chairman. Thank you very much.
Mr. Wilshusen, go right ahead.
STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION AND
TECHNOLOGY, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Mr. Chairman, Ranking Member Murkowski,
members of the committee. Thank you for the opportunity to
testify at today's hearing on actions to secure the electricity
grid.
As you know, the electric power industry, which is composed
of electricity generation, transmission, distribution, and
system operations, is increasingly incorporating information
technology systems and networks into its existing
infrastructure, as it modernizes the electricity grid.
The use of IT can provide many benefits, such as greater
efficiency and reliability, and lower costs to consumers.
However, this increased reliance on computer systems and
networks also introduces cyber-based risk to the grid if the
systems and networks are not properly protected.
For nearly a decade, GAO has identified the protection of
systems supporting our Nation's critical infrastructure, which
includes the electricity grid, as a Government-wide, high risk
area.
Today, I will discuss the cyber threats to the electricity
grid and several of the actions taken and challenges remaining
to secure the grid. But, first, if I may, Mr. Chairman, I would
like to recognize several members of my team who were
instrumental in developing this statement and also conducting
the work on which it is based.
With me today is Anjalique Lawrence, seated behind me. Back
at the office: Mike Gilmore, Lee McCracken, David Trimble, Jon
Ludwigson, and Paige Gilbreath, all played significant roles
and made significant contributions.
Mr. Chairman, the threats to systems supporting the
electricity grid are evolving and growing. They include both
unintentional and intentional threats, and may come in the form
of equipment failures, as well as targeted and untargeted
attacks from our adversaries.
The interconnectivity between industrial control systems,
computer networks, and the Internet can amplify the impact of
these threats and expose the grid to known and unknown
cybersecurity vulnerabilities, potentially affecting the
operations of critical infrastructures, the security of
sensitive information, and the flow of commerce. Several
reported incidents illustrate the potentially serious impact of
these threats.
To address such concerns, State and Federal authorities
play key roles in overseeing grid reliability, which involves
the security of the grid. State regulators generally oversee
the reliability of local distribution system; whereas, NERC has
developed and enforced mandatory standards intended to ensure
the reliability of the bulk power system, which includes
certain generation facilities and the high voltage electricity
transmission network.
FERC has approved and, thus, made mandatory, 8 critical
infrastructure standards developed by NERC to help ensure the
secure electronic exchange of information and to prevent
unauthorized physical and logical access to critical cyber
assets.
In addition, NIST has identified guidelines on how to
securely implement smart grid systems and identified an initial
set of interoperability and cybersecurity standards for the
smart grid. However, FERC has not yet adopted these standards,
citing a lack of consensus for them.
GAO has previously reported on a number of key challenges
to securing the modernized electricity grid; for example,
aspects of current regulatory environment may complicate
matters. Specifically, jurisdictional issues and the
difficulties associated with responding to continually evolving
cyber threats were a key regulatory challenge to ensuring the
cybersecurity of the grid.
We also reported other challenges affecting industry
efforts to secure the smart grid. Specifically, the electricity
industry had not consistently built security features for
certain smart grid devices, established an effective mechanism
for sharing cybersecurity information, and created a set of
metrics for evaluating the effectiveness of cybersecurity
controls.
GAO has made several recommendations to FERC aimed at
addressing these challenges and the Commission has agreed with
these recommendations.
In summary, Mr. Chairman, the evolving and growing threat
from cyber-based attacks highlights the importance of securing
the electricity industry's systems and networks. A successful
attack could result in wide-spread power outages, significant
monetary losses, and extensive property damage.
More needs to be done to meet the challenges facing the
industry and enhancing security. In particular, Federal
regulators and other stakeholders will need to work closely
together with the private sector, to address cybersecurity
challenges, as the generation, transmission, and distribution
of electricity come to rely more on emerging and sophisticated
technologies.
Mr. Chairman, Ranking Member, this completes my statement.
I would be happy to answer any questions.
[The prepared statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory C. Wilshusen, Director, Information and
Technology, Government Accountability Office
why gao did this study
The electric power industry is increasingly incorporating
information technology (IT) systems and networks into its existing
infrastructure (e.g., electricity networks, including power lines and
customer meters). This use of IT can provide many benefits, such as
greater efficiency and lower costs to consumers. However, this
increased reliance on IT systems and networks also exposes the grid to
cybersecurity vulnerabilities, which can be exploited by attackers.
Moreover, GAO has identified protecting systems supporting our nation's
critical infrastructure (which includes the electricity grid) as a
governmentwide high-risk area.
GAO was asked to testify on the status of actions to protect the
electricity grid from cyber attacks. Accordingly, this statement
discusses (1) cyber threats facing cyber-reliant critical
infrastructures, which include the electricity grid, and (2) actions
taken and challenges remaining to secure the grid against cyber
attacks. In preparing this statement, GAO relied on previously
published work in this area and reviewed reports from other federal
agencies, media reports, and other publicly available sources.
what gao recommends
In a prior report, GAO has made recommendations related to
electricity grid modernization efforts, including developing an
approach to monitor compliance with voluntary standards. These
recommendations have not yet been implemented.
what gao found
The threats to systems supporting critical infrastructures are
evolving and growing. In testimony, the Director of National
Intelligence noted a dramatic increase in cyber activity targeting U.S.
computers and systems, including a more than tripling of the volume of
malicious software. Varying types of threats from numerous sources can
adversely affect computers, software, networks, organizations, entire
industries, and the Internet itself. These include both unintentional
and intentional threats, and may come in the form of targeted or
untargeted attacks from criminal groups, hackers, disgruntled
employees, nations, or terrorists. The interconnectivity between
information systems, the Internet, and other infrastructures can
amplify the impact of these threats, potentially affecting the
operations of critical infrastructures, the security of sensitive
information, and the flow of commerce. Moreover, the electricity grid's
reliance on IT systems and networks exposes it to potential and known
cybersecurity vulnerabilities, which could be exploited by attackers.
The potential impact of such attacks has been illustrated by a number
of recently reported incidents and can include fraudulent activities,
damage to electricity control systems, power outages, and failures in
safety equipment.
To address such concerns, multiple entities have taken steps to
help secure the electricity grid, including the North American Electric
Reliability Corporation, the National Institute of Standards and
Technology (NIST), the Federal Energy Regulatory Commission, and the
Departments of Homeland Security and Energy. These include, in
particular, establishing mandatory and voluntary cybersecurity
standards and guidance for use by entities in the electricity industry.
For example, the North American Electric Reliability Corporation and
the Federal Energy Regulatory Commission, which have responsibility for
regulation and oversight of part of the industry, have developed and
approved mandatory cybersecurity standards and additional guidance. In
addition, NIST has identified cybersecurity standards that support
smart grid interoperability and has issued a cybersecurity guideline.
The Departments of Homeland Security and Energy have also played roles
in disseminating guidance on security practices and providing other
assistance.
As GAO previously reported, there were a number of ongoing
challenges to securing electricity systems and networks. These include:
A lack of a coordinated approach to monitor industry
compliance with voluntary standards.
Aspects of the current regulatory environment made it
difficult to ensure the cybersecurity of smart grid systems.
A focus by utilities on regulatory compliance instead of
comprehensive security.
A lack of security features consistently built into smart
grid systems.
The electricity industry did not have an effective mechanism
for sharing information on cybersecurity and other issues.
The electricity industry did not have metrics for evaluating
cybersecurity.
Chairman Bingaman, Ranking Member Murkowski, and Members of the
Committee:
Thank you for the opportunity to testify at today's hearing on the
status of actions to protect the electricity grid from cyber attacks.
As you know, the electric power industry is increasingly
incorporating information technology (IT) systems and networks into its
existing infrastructure (e.g., electricity networks including power
lines and customer meters). This use of IT can provide many benefits,
such as greater efficiency and lower costs to consumers. Along with
these anticipated benefits, however, cybersecurity and industry experts
have expressed concern that, if not implemented securely, modernized
electricity grid systems will be vulnerable to attacks that could
result in widespread loss of electrical services essential to
maintaining our national economy and security.
In addition, since 2003 we have identified protecting systems
supporting our nation's critical infrastructure (which includes the
electricity grid) as a governmentwide high-risk area, and we continue
to do so in the most recent update to our high-risk list.\1\
---------------------------------------------------------------------------
\1\ GAO's biennial high-risk list identifies government programs
that have greater vulnerability to fraud, waste, abuse, and
mismanagement or need transformation to address economy, efficiency, or
effectiveness challenges. We have designated federal information
security as a governmentwide high-risk area since 1997; in 2003, we
expanded this high-risk area to include protecting systems supporting
our nation's critical infrastructure--referred to as cyber-critical
infrastructure protection, or cyber CIP. See, most recently, GAO, High-
Risk Series: An Update, GAO-11-278 (Washington, D.C.: February 2011).
---------------------------------------------------------------------------
In my testimony today, I will describe (1) cyber threats facing
cyber-reliant critical infrastructures,\2\ which include the
electricity grid, and (2) actions taken and challenges remaining to
secure the grid against cyber attacks. In preparing this statement in
July 2012, we relied on our previous work in this area, including
studies examining efforts to secure the electricity grid and associated
challenges and cybersecurity guidance.\3\ (Please see the related GAO
products in appendix I.) The products upon which this statement is
based contain detailed overviews of the scope of our reviews and the
methodology we used. We also reviewed documents from the Federal Energy
Regulatory Commission, the North American Electric Reliability
Corporation, the Department of Energy, including its Office of the
Inspector General, and the Department of Homeland Security Industrial
Control Systems Cyber Emergency Response Team, as well as publicly
available reports on cyber incidents. The work on which this statement
is based was performed in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
audits to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions. We believe that the
evidence obtained provided a reasonable basis for our findings and
conclusions based on our audit objectives.
---------------------------------------------------------------------------
\2\ Federal policy established 18 critical infrastructure sectors.
These include, for example, banking and finance, communications, public
health, and energy. The energy sector includes subsectors for oil and
gas and for electricity.
\3\ GAO, Critical Infrastructure Protection: Cybersecurity Guidance
Is Available, but More Can Be Done to Promote Its Use, GAO-12-92
(Washington, D.C.: Dec. 9, 2011), and Electricity Grid Modernization:
Progress Being Made on Cybersecurity Guidelines, but Key Challenges
Remain to be Addressed, GAO-11-117 (Washington, D.C.: Jan. 12, 2011).
---------------------------------------------------------------------------
background
The electricity industry, as shown in figure 1, is composed of four
distinct functions: generation, transmission, distribution, and system
operations. Once electricity is generated--whether by burning fossil
fuels; through nuclear fission; or by harnessing wind, solar,
geothermal, or hydro energy--it is generally sent through high-voltage,
high-capacity transmission lines to local electricity distributors.
Once there, electricity is transformed into a lower voltage and sent
through local distribution lines for consumption by industrial plants,
businesses, and residential consumers. Because electric energy is
generated and consumed almost instantaneously, the operation of an
electric power system requires that a system operator constantly
balance the generation and consumption of power.
Utilities own and operate electricity assets, which may include
generation plants, transmission lines, distribution lines, and
substations--structures often seen in residential and commercial areas
that contain technical equipment such as switches and transformers to
ensure smooth, safe flow of current and regulate voltage. Utilities may
be owned by investors, municipalities, and individuals (as in
cooperative utilities). System operators--sometimes affiliated with a
particular utility or sometimes independent and responsible for
multiple utility areas--manage the electricity flows. These system
operators manage and control the generation, transmission, and
distribution of electric power using control systems--IT-and network-
based systems that monitor and control sensitive processes and physical
functions, including opening and closing circuit breakers.\4\ As we
have previously reported, the effective functioning of the electricity
industry is highly dependent on these control systems.\5\ However, for
many years, aspects of the electricity network lacked (1) adequate
technologies--such as sensors--to allow system operators to monitor how
much electricity was flowing on distribution lines, (2) communications
networks to further integrate parts of the electricity grid with
control centers, and (3) computerized control devices to automate
system management and recovery.
---------------------------------------------------------------------------
\4\ Circuit breakers are devices used to open or close electric
circuits. If a transmission or distribution line is in trouble, a
circuit breaker can disconnect it from the rest of the system.
\5\ GAO, Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, D.C.: Sept. 10, 2007).
---------------------------------------------------------------------------
modernization of the electricity infrastructure
As the electricity industry has matured and technology has
advanced, utilities have begun taking steps to update the electricity
grid--the transmission and distribution systems--by integrating new
technologies and additional IT systems and networks. Though utilities
have regularly taken such steps in the past, industry and government
stakeholders have begun to articulate a broader, more integrated vision
for transforming the electricity grid into one that is more reliable
and efficient; facilitates alternative forms of generation, including
renewable energy; and gives consumers real-time information about
fluctuating energy costs.
This vision--the smart grid--would increase the use of IT systems
and networks and two-way communication to automate actions that system
operators formerly had to make manually. Electricity grid modernization
is an ongoing process, and initiatives have commonly involved
installing advanced metering infrastructure (smart meters) on homes and
commercial buildings that enable two-way communication between the
utility and customer. Other initiatives include adding ``smart''
components to provide the system operator with more detailed data on
the conditions of the transmission and distribution systems and better
tools to observe the overall condition of the grid (referred to as
``wide-area situational awareness''). These include advanced, smart
switches on the distribution system that communicate with each other to
reroute electricity around a troubled line and high-resolution, time-
synchronized monitors--called phasor measurement units--on the
transmission system.
The use of smart grid systems may have a number of benefits,
including improved reliability from fewer and shorter outages, downward
pressure on electricity rates resulting from the ability to shift peak
demand, an improved ability to shift to alternative sources of energy,
and an improved ability to detect and respond to potential attacks on
the grid.
regulation of the electricity industry
Both the federal government and state governments have authority
for overseeing the electricity industry. For example, the Federal
Energy Regulatory Commission (FERC) regulates rates for wholesale
electricity sales and transmission of electricity in interstate
commerce. This includes approving whether to allow utilities to recover
the costs of investments they make to the transmission system, such as
smart grid investments. Meanwhile, local distribution and retail sales
of electricity are generally subject to regulation by state public
utility commissions.
State and federal authorities also play key roles in overseeing the
reliability of the electric grid. State regulators generally have
authority to oversee the reliability of the local distribution system.
The North American Electric Reliability Corporation (NERC) is the
federally designated U.S. Electric Reliability Organization, and is
overseen by FERC. NERC has responsibility for conducting reliability
assessments and developing and enforcing mandatory standards to ensure
the reliability of the bulk power system--i.e., facilities and control
systems necessary for operating the transmission network and certain
generation facilities needed for reliability. NERC develops reliability
standards collaboratively through a deliberative process involving
utilities and others in the industry, which are then sent to FERC for
approval. These standards include critical infrastructure protection
standards for protecting electric utility-critical and cyber-critical
assets. FERC has responsibility for reviewing and approving the
reliability standards or directing NERC to modify them.
In addition, the Energy Independence and Security Act of 2007\6\
established federal policy to support the modernization of the
electricity grid and required actions by a number of federal agencies,
including the National Institute of Standards and Technology (NIST),
FERC, and the Department of Energy. With regard to cybersecurity, the
act required NIST and FERC to take the following actions:
---------------------------------------------------------------------------
\6\ Pub. L. No. 110-140 (Dec. 19, 2007).
NISTwas to coordinate development of a framework that
includes protocols and model standards for information
management to achieve interoperability of smart grid devices
and systems. As part of its efforts to accomplish this, NIST
planned to identify cybersecurity standards for these systems
and also identified the need to develop guidelines for
organizations such as electric companies on how to securely
implement smart grid systems. In January 2011,\7\ we reported
that NIST had identified 11 standards involving cybersecurity
that support smart grid interoperability and had issued a first
version of a cybersecurity guideline.\8\
---------------------------------------------------------------------------
\7\ GAO-11-117.
\8\ NIST Special Publication 1108, NIST Framework and Roadmap for
Smart Grid Interoperability Standards, Release 1.0, January 2010 and
NIST Interagency Report 7628, Guidelines for Smart Grid Cyber Security,
August 2010.
---------------------------------------------------------------------------
FERC was to adopt standards resulting from NIST's efforts
that it deemed necessary to ensure smart grid functionality and
interoperability. However, according to FERC officials, the
statute did not provide specific additional authority to allow
FERC to require utilities or manufacturers of smart grid
technologies to follow these standards. As a result, any
standards identified and developed through the NIST-led process
are voluntary unless regulators use other authorities to
indirectly compel utilities and manufacturers to follow them.
the electricity grid is potentially vulnerable to an evolving array of
cyber-based threats
Threats to systems supporting critical infrastructure--which
includes the electricity industry and its transmission and distribution
systems--are evolving and growing. In February 2011, the Director of
National Intelligence testified that, in the past year, there had been
a dramatic increase in malicious cyber activity targeting U.S.
computers and networks, including a more than tripling of the volume of
malicious software since 2009.\9\ Different types of cyber threats from
numerous sources may adversely affect computers, software, networks,
organizations, entire industries, or the Internet. Cyber threats can be
unintentional or intentional. Unintentional threats can be caused by
software upgrades or maintenance procedures that inadvertently disrupt
systems. Intentional threats include both targeted and untargeted
attacks from a variety of sources, including criminal groups, hackers,
disgruntled employees, foreign nations engaged in espionage and
information warfare, and terrorists. Table 1 shows common sources of
cyber threats.
---------------------------------------------------------------------------
\9\ Director of National Intelligence, Statement for the Record on
the Worldwide Threat Assessment of the U.S. Intelligence Community,
statement before the Senate Select Committee on Intelligence (Feb. 16,
2011).
TABLE 1: SOURCES OF CYBERSECURITY THREATS
------------------------------------------------------------------------
Threat source Description
------------------------------------------------------------------------
Bot-network operators Bot-net operators use a
network, or bot-net, of
compromised, remotely
controlled systems to
coordinate attacks and to
distribute phishing schemes,
spam, and malware attacks.
The services of these
networks are sometimes made
available on underground
markets (e.g., purchasing a
denial-of-service attack or
services to relay spam or
phishing attacks).
------------------------------------------------------------------------
Criminal groups Criminal groups seek to
attack systems for monetary
gain. Specifically,
organized criminal groups
use spam, phishing, and
spyware/malware to commit
identity theft, online
fraud, and computer
extortion. International
corporate spies and criminal
organizations also pose a
threat to the United States
through their ability to
conduct industrial espionage
and large-scale monetary
theft and to hire or develop
hacker talent.
------------------------------------------------------------------------
Hackers Hackers break into networks
for the thrill of the
challenge, bragging rights
in the hacker community,
revenge, stalking, monetary
gain, and political
activism, among other
reasons. While gaining
unauthorized access once
required a fair amount of
skill or computer knowledge,
hackers can now download
attack scripts and protocols
from the Internet and launch
them against victim sites.
Thus, while attack tools
have become more
sophisticated, they have
also become easier to use.
According to the Central
Intelligence Agency, the
large majority of hackers do
not have the requisite
expertise to threaten
difficult targets such as
critical U.S. networks.
Nevertheless, the worldwide
population of hackers poses
a relatively high threat of
an isolated or brief
disruption causing serious
damage.
------------------------------------------------------------------------
Insiders The disgruntled organization
insider is a principal
source of computer crime.
Insiders may not need a
great deal of knowledge
about computer intrusions
because their knowledge of a
target system often allows
them to gain unrestricted
access to cause damage to
the system or to steal
system data. The insider
threat includes contractors
hired by the organization,
as well as careless or
poorly trained employees who
may inadvertently introduce
malware into systems.
------------------------------------------------------------------------
Nations Nations use cyber tools as
part of their information-
gathering and espionage
activities. In addition,
several nations are
aggressively working to
develop information warfare
doctrine, programs, and
capabilities. Such
capabilities enable a single
entity to have a significant
and serious impact by
disrupting the supply,
communications, and economic
infrastructures that support
military power--impacts that
could affect the daily lives
of citizens across the
country. In his January 2012
testimony, the Director of
National Intelligence stated
that, among state actors,
China and Russia are of
particular concern.
------------------------------------------------------------------------
Phishers Individuals or small groups
execute phishing schemes in
an attempt to steal
identities or information
for monetary gain. Phishers
may also use spam and
spyware or malware to
accomplish their objectives.
------------------------------------------------------------------------
Spammers Individuals or organizations
distribute unsolicited e-
mail with hidden or false
information in order to sell
products, conduct phishing
schemes, distribute spyware
or malware, or attack
organizations (e.g., a
denial of service).
------------------------------------------------------------------------
Spyware or malware authors Individuals or organizations
with malicious intent carry
out attacks against users by
producing and distributing
spyware and malware. Several
destructive computer viruses
and worms have harmed files
and hard drives, including
the Melissa Macro Virus, the
Explore.Zip worm, the CIH
(Chernobyl) Virus, Nimda,
Code Red, Slammer, and
Blaster.
------------------------------------------------------------------------
Terrorists Terrorists seek to destroy,
incapacitate, or exploit
critical infrastructures in
order to threaten national
security, cause mass
casualties, weaken the
economy, and damage public
morale and confidence.
Terrorists may use phishing
schemes or spyware/malware
in order to generate funds
or gather sensitive
information.
------------------------------------------------------------------------
Source: GAO analysis based on data from the Director of National
Intelligence, Department of Justice, Central Intelligence Agency, and
the Software Engineering Institute's CERT� Coordination Center.
These sources of cyber threats make use of various techniques, or
exploits that may adversely affect computers, software, a network, an
organization's operation, an industry, or the Internet itself. Table 2
shows common types of cyber exploits.
TABLE 2: TYPES OF CYBER EXPLOITS
------------------------------------------------------------------------
Type of exploit Description
------------------------------------------------------------------------
Cross-site scripting An attack that uses third-
party web resources to run
script within the victim's
web browser or scriptable
application. This occurs
when a browser visits a
malicious website or clicks
a malicious link. The most
dangerous consequences occur
when this method is used to
exploit additional
vulnerabilities that may
permit an attacker to steal
cookies (data exchanged
between a web server and a
browser), log key strokes,
capture screen shots,
discover and collect network
information, and remotely
access and control the
victim's machine.
------------------------------------------------------------------------
Denial-of-service An attack that prevents or
impairs the authorized use
of networks, systems, or
applications by exhausting
resources.
------------------------------------------------------------------------
Distributed denial-of-service A variant of the denial-of-
service attack that uses
numerous hosts to perform
the attack.
------------------------------------------------------------------------
Logic bombs A piece of programming code
intentionally inserted into
a software system that will
cause a malicious function
to occur when one or more
specified conditions are
met.
------------------------------------------------------------------------
Phishing A digital form of social
engineering that uses
authentic-looking, but fake,
e-mails to request
information from users or
direct them to a fake
website that requests
information.
------------------------------------------------------------------------
Passive wiretapping The monitoring or recording
of data, such as passwords
transmitted in clear text,
while they are being
transmitted over a
communications link. This is
done without altering or
affecting the data.
------------------------------------------------------------------------
Structured Query Language (SQL) injection An attack that involves the
alteration of a database
search in a web-based
application, which can be
used to obtain unauthorized
access to sensitive
information in a database.
------------------------------------------------------------------------
Trojan horse A computer program that
appears to have a useful
function, but also has a
hidden and potentially
malicious function that
evades security mechanisms
by, for example,
masquerading as a useful
program that a user would
likely execute.
------------------------------------------------------------------------
Virus A computer program that can
copy itself and infect a
computer without the
permission or knowledge of
the user. A virus might
corrupt or delete data on a
computer, use e-mail
programs to spread itself to
other computers, or even
erase everything on a hard
disk. Unlike a computer
worm, a virus requires human
involvement (usually
unwitting) to propagate.
------------------------------------------------------------------------
War driving The method of driving through
cities and neighborhoods
with a wireless-equipped
computer--sometimes with a
powerful antenna--searching
for unsecured wireless
networks.
------------------------------------------------------------------------
Worm A self-replicating, self-
propagating, self-contained
program that uses network
mechanisms to spread itself.
Unlike computer viruses,
worms do not require human
involvement to propagate.
------------------------------------------------------------------------
Zero-day exploit An exploit that takes
advantage of a security
vulnerability previously
unknown to the general
public. In many cases, the
exploit code is written by
the same person who
discovered the
vulnerability. By writing an
exploit for the previously
unknown vulnerability, the
attacker creates a potent
threat since the compressed
timeframe between public
discoveries of both makes it
difficult to defend against
------------------------------------------------------------------------
Source: GAO analysis of data from the National Institute of Standards
and Technology, United States Computer Emergency Readiness Team, and
industry reports.
electricity grid faces cybersecurity vulnerabilities
The potential impact of these threats is amplified by the
connectivity between information systems, the Internet, and other
infrastructures, creating opportunities for attackers to disrupt
critical services, including electrical power. In addition, the
increased reliance on IT systems and networks also exposes the electric
grid to potential and known cybersecurity vulnerabilities. These
vulnerabilities include
an increased number of entry points and paths that can be
exploited by potential adversaries and other unauthorized
users;
the introduction of new, unknown vulnerabilities due to an
increased use of new system and network technologies;
wider access to systems and networks due to increased
connectivity; and
an increased amount of customer information being collected
and transmitted, providing incentives for adversaries to attack
these systems and potentially putting private information at
risk of unauthorized disclosure and use.
In May 2008, we reported that the corporate network of the
Tennessee Valley Authority--the nation's largest public power company,
which generates and distributes power in an area of about 80,000 square
miles in the southeastern United States--contained security weaknesses
that could lead to the disruption of control systems networks and
devices connected to that network.\10\ We made 19 recommendations to
improve the implementation of information security program activities
for the control systems governing the Tennessee Valley Authority's
critical infrastructures and 73 recommendations to address specific
weaknesses in security controls. The Tennessee Valley Authority
concurred with the recommendations and has taken steps to implement
them.
---------------------------------------------------------------------------
\10\ GAO, Information Security: TVA Needs to Address Weaknesses in
Control Systems and Networks, GAO-08-526 (Washington, D.C.: May 21,
2008).
---------------------------------------------------------------------------
We and others have also reported that smart grid and related
systems have known cyber vulnerabilities. For example, cybersecurity
experts have demonstrated that certain smart meters can be successfully
attacked, possibly resulting in disruption to the electricity grid. In
addition, we have reported that control systems used in industrial
settings such as electricity generation have vulnerabilities that could
result in serious damages and disruption if exploited.\11\ Further, in
2007, the Department of Homeland Security, in cooperation with the
Department of Energy, ran a test that demonstrated that a vulnerability
commonly referred to as ``Aurora'' had the potential to allow
unauthorized users to remotely control, misuse, and cause damage to a
small commercial electric generator. Moreover, in 2008, the Central
Intelligence Agency reported that malicious activities against IT
systems and networks have caused disruption of electric power
capabilities in multiple regions overseas, including a case that
resulted in a multicity power outage.\12\ As government, private
sector, and personal activities continue to move to networked
operations, the threat will continue to grow.
---------------------------------------------------------------------------
\11\ GAO-07-1036.
\12\ The White House, Cyberspace Policy Review: Assuring a Trusted
and Resilient Information and Communications Infrastructure
(Washington, D.C.: May 29, 2009).
---------------------------------------------------------------------------
reported incidents illustrate the potential impact of cyber threats
Cyber incidents continue to affect the electricity industry. For
example, the Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team recently noted that the number of
reported cyber incidents affecting control systems of companies in the
electricity sector increased from 3 in 2009 to 25 in 2011. In addition,
we and others have reported\13\ that cyber incidents can affect the
operations of energy facilities, as the following examples illustrate:
---------------------------------------------------------------------------
\13\ GAO-07-1036 and GAO-12-92.
Smart meter attacks.--In April 2012, it was reported that
sometime in 2009 an electric utility asked the FBI to help it
investigate widespread incidents of power thefts through its
smart meter deployment. The report indicated that the
miscreants hacked into the smart meters to change the power
consumption recording settings using software available on the
Internet.
Phishing attacks directed at energy sector.--The Department
of Homeland Security's Industrial Control Systems Cyber
Emergency Response Team reported that, in 2011, it deployed
incident response teams to an electric bulk provider and an
electric utility that had been victims of broader phishing
attacks. The team found three malware samples and detected
evidence of a sophisticated threat actor.
Stuxnet.--In July 2010, a sophisticated computer attack
known as Stuxnet was discovered. It targeted control systems
used to operate industrial processes in the energy, nuclear,
and other critical sectors. It is designed to exploit a
combination of vulnerabilities to gain access to its target and
modify code to change the process.
Browns Ferry power plant.--In August 2006, two circulation
pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power
plant failed, forcing the unit to be shut down manually. The
failure of the pumps was traced to excessive traffic on the
control system network, possibly caused by the failure of
another control system device.
Northeast power blackout.--In August 2003, failure of the
alarm processor in the control system of FirstEnergy, an Ohio-
based electric utility, prevented control room operators from
having adequate situational awareness of critical operational
changes to the electrical grid. When several key transmission
lines in northern Ohio tripped due to contact with trees, they
initiated a cascading failure of 508 generating units at 265
power plants across eight states and a Canadian province.
Davis-Besse power plant.--The Nuclear Regulatory Commission
confirmed that in January 2003, the Microsoft SQL Server worm
known as Slammer infected a private computer network at the
idled Davis-Besse nuclear power plant in Oak Harbor, Ohio,
disabling a safety monitoring system for nearly 5 hours. In
addition, the plant's process computer failed, and it took
about 6 hours for it to become available again.
actions have been taken to secure the electricity grid, but challenges
remain
Multiple entities have taken steps to help secure the electricity
grid, including NERC, NIST, FERC, and the Departments of Homeland
Security and Energy. NERC has performed several activities that are
intended to secure the grid. It has developed eight critical
infrastructure standards for protecting electric utility-critical and
cyber-critical assets.
The standards established requirements for the following key
cybersecurity-related controls: critical cyber asset identification,
security management controls, personnel and training, electronic
``security perimeters,'' physical security of critical cyber assets,
systems security management, incident reporting and response planning,
and recovery plans for critical cyber assets. In December 2011, we
reported that NERC's eight cyber security standards, along with
supplementary documents, were substantially similar to NIST guidance
applicable to federal agencies.\14\
---------------------------------------------------------------------------
\14\ GAO-12-92.
---------------------------------------------------------------------------
NERC also has published security guidelines for companies to
consider for protecting electric infrastructure systems, although such
guidelines are voluntary and typically not checked for compliance. For
example, NERC's June 2010 Security Guideline for the Electricity
Sector: Identifying Critical Cyber Assets is intended to assist
entities in identifying and developing a list of critical cyber assets
as described in the mandatory standards. NERC also has enforced
compliance with mandatory cybersecurity standards through its
Compliance Monitoring and Enforcement Program, subject to FERC review.
NERC has assessed monetary penalties for violations of its cyber
security standards.
NIST, in implementing its responsibilities under the Energy
Independence and Security Act of 2007 with regard to standards to
achieve interoperability of smart grid systems, planned to identify
cybersecurity standards for these systems. In January 2011, we
reported\15\ that it had identified 11 standards involving
cybersecurity that support smart grid interoperability and had issued a
first version of a cybersecurity guideline.\16\ NIST's cybersecurity
guidelines largely addressed key cybersecurity elements, such as
assessment of cybersecurity risks and identification of security
requirements (i.e., controls); however, its guidelines did not address
an important element essential to securing smart grid systems--the risk
of attacks using both cyber and physical means.\17\ NIST officials said
that they intended to update the guidelines to address this and other
missing elements they identified, but their plan and schedule for doing
so were still in draft form. We recommended that NIST finalize its plan
and schedule for incorporating missing elements, and NIST officials
agreed. We are currently working with officials to determine the status
of their efforts to address these recommendations.
---------------------------------------------------------------------------
\15\ GAO-11-117.
\16\ NIST Special Publication 1108, NIST Framework and Roadmap for
Smart Grid Interoperability Standards, Release 1.0, January 2010 and
NIST Interagency Report 7628, Guidelines for Smart Grid Cyber Security,
August 2010.
\17\ GAO-11-117.
---------------------------------------------------------------------------
FERC also has taken several actions to help secure the electricity
grid. For example, it reviewed and approved NERC's eight critical
infrastructure protection standards in 2008. Since then, in its role of
overseeing the development of reliability standards, the commission has
directed NERC to make numerous changes to standards to improve
cybersecurity protections. However, according to the FERC Chairman's
February 2012 letter in response to our report on electricity grid
modernization, many of the outstanding directives have not been
incorporated into the latest versions of the standards. The Chairman
added that the commission would continue to work with NERC to
incorporate the directives. In addition, FERC has authorized NERC to
enforce mandatory reliability standards for the bulk power system,
while retaining its authority to enforce the same standards and assess
penalties for violations. We reported in January 2011 that FERC also
had begun reviewing initial smart grid standards identified as part of
NIST efforts. However, in July 2011, the commission declined to adopt
the initial smart grid standards identified as a part of the NIST
efforts, finding that there was insufficient consensus to do so.
The Department of Homeland Security has been designated by federal
policy as the principal federal agency to lead, integrate, and
coordinate the implementation of efforts to protect cyber-critical
infrastructures and key resources. Under this role, the Department's
National Cyber Security Division's Control Systems Security Program has
issued recommended practices to reduce risks to industrial control
systems within and across all critical infrastructure and key resources
sectors, including the electricity subsector. For example, in April
2011, the program issued the Catalog of Control Systems Security:
Recommendations for Standards Developers, which is intended to provide
a detailed listing of recommended controls from several standards
related to control systems.\18\ The program also manages and operates
the Industrial Control Systems Cyber Emergency Response Team to respond
to and analyze control-systems-related incidents, provide onsite
support for incident response and forensic analysis, provide
situational awareness in the form of actionable intelligence, and share
and coordinate vulnerability information and threat analysis through
information products and alerts. For example, it reported providing on-
site assistance to six companies in the electricity subsector,
including a bulk electric power provider and multiple electric
utilities, during 2009-2011.
---------------------------------------------------------------------------
\18\ DHS, National Cyber Security Division, Control Systems
Security Program, Catalog of Control Systems Security: Recommendations
for Standards Developers (April 2011).
---------------------------------------------------------------------------
The Department of Energy is the lead federal agency which is
responsible for coordinating critical infrastructure protection efforts
with the public and private stakeholders in the energy sector,
including the electricity subsector. In this regard, we have reported
that officials from the Department's Office of Electricity Delivery and
Energy Reliability stated that the department was involved in efforts
to assist the electricity sector in the development, assessment, and
sharing of cybersecurity standards.\19\ For example, the department was
working with NIST to enable state power producers to use current
cybersecurity guidance. In May 2012, the department released the
Electricity Subsector Cybersecurity Risk Management Process.\20\ The
guideline is intended to ensure that cybersecurity risks for the
electric grid are addressed at the organization, mission or business
process, and information system levels. We have not evaluated this
guide.
---------------------------------------------------------------------------
\19\ GAO-12-92.
\20\ U.S. Department of Energy, Electricity Subsector Cybersecurity
Risk Management Process, DOE/OE-0003 (Washington, D.C.: May 2012).
---------------------------------------------------------------------------
challenges to securing electricity systems and networks
In our January 2011 report, we identified a number of key
challenges that industry and government stakeholders faced in ensuring
the cybersecurity of the systems and networks that support our nation's
electricity grid.\21\ These included the following:
---------------------------------------------------------------------------
\21\ GAO-11-117.
There was a lack of a coordinated approach to monitor
whether industry follows voluntary standards.--As mentioned
above, under the Energy Independence and Security Act of 2007,
FERC is responsible for adopting cybersecurity and other
standards that it deems necessary to ensure smart grid
functionality and interoperability. However, FERC had not
developed an approach coordinated with other regulators to
monitor, at a high level, the extent to which industry will
follow the voluntary smart grid standards it adopts. There had
been initial efforts by regulators to share views, through, for
example, a collaborative dialogue between FERC and the National
Association of Regulatory Utility Commissioners, which had
discussed the standards-setting process in general terms.
Nevertheless, according to officials from FERC and the National
Association of Regulatory Utility Commissioners, FERC and the
state public utility commissions had not established a joint
approach for monitoring how widely voluntary smart grid
standards are followed in the electricity industry or developed
strategies for addressing any gaps. Moreover, FERC had not
coordinated in such a way with groups representing public power
or cooperative utilities, which are not routinely subject to
FERC's or the states' regulatory jurisdiction for rate setting.
We noted that without a good understanding of whether utilities
and manufacturers are following smart grid standards, it would
be difficult for FERC and other regulators to know whether a
voluntary approach to standards setting is effective or if
changes are needed.\22\
---------------------------------------------------------------------------
\22\ In an order issued on July 19, 2011, FERC reported that it had
found insufficient consensus to institute a rulemaking proceeding to
adopt smart grid interoperability standards identified by NIST as ready
for consideration by regulatory authorities. While FERC dismissed the
rulemaking, it encouraged utilities, smart grid product manufacturers,
regulators, and other smart grid stakeholders to actively participate
in the NIST interoperability framework process to work on the
development of interoperability standards and to refer to that process
for guidance on smart grid standards. Despite this result, we believe
our recommendations to FERC in GAO-11-117, with which FERC concurred,
remain valid and should be acted upon as consensus is reached and
standards adopted.
---------------------------------------------------------------------------
Aspects of the current regulatory environment made it
difficult to ensure the cybersecurity of smart grid systems.--
In particular, jurisdictional issues and the difficulties
associated with responding to continually evolving cyber
threats were a key regulatory challenge to ensuring the
cybersecurity of smart grid systems as they are deployed.
Regarding jurisdiction, experts we spoke with expressed concern
that there was a lack of clarity about the division of
responsibility between federal and state regulators,
particularly regarding cybersecurity. While jurisdictional
responsibility has historically been determined by whether a
technology is located on the transmission or distribution
system, experts raised concerns that smart grid technology may
blur these lines. For example, devices such as smart meters
deployed on parts of the grid traditionally subject to state
jurisdiction could, in the aggregate, have an impact on those
parts of the grid that federal regulators are responsible for--
namely the reliability of the transmission system.
There was also concern about the ability of regulatory bodies to
respond to evolving cybersecurity threats. For example, one
expert questioned the ability of government agencies to adapt
to rapidly evolving threats, while another highlighted the need
for regulations to be capable of responding to the evolving
cybersecurity issues. In addition, our experts expressed
concern with agencies developing regulations in the future that
are overly specific in their requirements, such as those
specifying the use of a particular product or technology.
Consequently, unless steps are taken to mitigate these
challenges, regulations may not be fully effective in
protecting smart grid technology from cybersecurity threats.
Utilities were focusing on regulatory compliance instead of
comprehensive security.--The existing federal and state
regulatory environment creates a culture within the utility
industry of focusing on compliance with cybersecurity
requirements, instead of a culture focused on achieving
comprehensive and effective cybersecurity. Specifically,
experts told us that utilities focus on achieving minimum
regulatory requirements rather than designing a comprehensive
approach to system security. In addition, one expert stated
that security requirements are inherently incomplete, and
having a culture that views the security problem as being
solved once those requirements are met will leave an
organization vulnerable to cyber attack. Consequently, without
a comprehensive approach to security, utilities leave
themselves open to unnecessary risk.
There was a lack of security features built into smart grid
systems. Security features are not consistently built into
smart grid devices.--For example, experts told us that certain
currently available smart meters had not been designed with a
strong security architecture and lacked important security
features, including event logging\23\ and forensics
capabilities that are needed to detect and analyze attacks. In
addition, our experts stated that smart grid home area
networks--used for managing the electricity usage of appliances
and other devices in the home--did not have adequate security
built in, thus increasing their vulnerability to attack.
Without securely designed smart grid systems, utilities may
lack the capability to detect and analyze attacks, increasing
the risk that attacks will succeed and utilities will be unable
to prevent them from recurring.
---------------------------------------------------------------------------
\23\ Event logging is a capability of an IT system to record events
occurring within an organization's systems and networks, including
those related to computer security.
---------------------------------------------------------------------------
The electricity industry did not have an effective mechanism
for sharing information on cybersecurity and other issues.--The
electricity industry lacked an effective mechanism to disclose
information about cybersecurity vulnerabilities, incidents,
threats, lessons learned, and best practices in the industry.
For example, our experts stated that while the electricity
industry has an information sharing center, it did not fully
address these information needs. In addition, President Obama's
May 2009 cyberspace policy review also identified challenges
related to cybersecurity information sharing within the
electric and other critical infrastructure sectors and issued
recommendations to address them.\24\ According to our experts,
information regarding incidents such as both unsuccessful and
successful attacks must be able to be shared in a safe and
secure way to avoid publicly revealing the reported
organization and penalizing entities actively engaged in
corrective action. Such information sharing across the industry
could provide important information regarding the level of
attempted cyber attacks and their methods, which could help
grid operators better defend against them. If the industry
pursued this end, it could draw upon the practices and
approaches of other industries when designing an industry-led
approach to cybersecurity information sharing. Without quality
processes for information sharing, utilities will not have the
information needed to adequately protect their assets against
attackers.
---------------------------------------------------------------------------
\24\ The White House, Cyberspace Policy Review: Assuring a Trusted
and Resilient Information and Communications Infrastructure
(Washington, D.C.: May 29, 2009).
---------------------------------------------------------------------------
The electricity industry did not have metrics for evaluating
cybersecurity.--The electricity industry was also challenged by
a lack of cybersecurity metrics, making it difficult to measure
the extent to which investments in cybersecurity improve the
security of smart grid systems. Experts noted that while such
metrics\25\ are difficult to develop, they could help compare
the effectiveness of competing solutions and determine what mix
of solutions combine to make the most secure system.
Furthermore, our experts said that having metrics would help
utilities develop a business case for cybersecurity by helping
to show the return on a particular investment. Until such
metrics are developed, there is increased risk that utilities
will not invest in security in a cost-effective manner, or have
the information needed to make informed decisions on their
cybersecurity investments.
---------------------------------------------------------------------------
\25\ Metrics can be used for, among other things, measuring the
effectiveness of cybersecurity controls for detecting and blocking
cyber attacks.
To address these challenges, we made recommendations in our January
2011 report. To improve coordination among regulators and help Congress
better assess the effectiveness of the voluntary smart grid standards
process, we recommended that the Chairman of FERC develop an approach
to coordinate with state regulators and with groups that represent
utilities subject to less FERC and state regulation to (1) periodically
evaluate the extent to which utilities and manufacturers are following
voluntary interoperability and cybersecurity standards and (2) develop
strategies for addressing any gaps in compliance with standards that
are identified as a result of this evaluation. We also recommended that
FERC, working with NERC as appropriate, assess whether commission
efforts should address any of the cybersecurity challenges identified
in our report. FERC agreed with these recommendations.
Although FERC agreed with these recommendations, they have not yet
been implemented. According to the FERC Chairman, given the continuing
evolution of standards and the lack of sufficient consensus for
regulatory adoption, commission staff believe that coordinated
monitoring of compliance with standards would be premature at this
time, and that this may change as new standards are developed and
deployed in industry. We believe that it is still important for FERC to
improve coordination among regulators and that consensus is reached on
standards. We will continue to monitor the status of its efforts to
address these recommendations.
In summary, the evolving and growing threat from cyber-based
attacks highlights the importance of securing the electricity
industry's systems and networks. A successful attack could result in
widespread power outages, significant monetary costs, damage to
property, and loss of life. The roles of NERC and FERC remain critical
in approving and disseminating cybersecurity guidance and enforcing
standards, as appropriate. Moreover, more needs to be done to meet
challenges facing the industry in enhancing security, particularly as
the generation, transmission, and distribution of electricity comes to
rely more on emerging and sophisticated technology.
Chairman Bingaman, Ranking Member Murkowski, and Members of the
Committee, this concludes my statement. I would be happy to answer any
questions you may have at this time.
appendix i: related gao products
Cybersecurity: Threats Impacting the Nation. GAO-12-666T.
Washington, D.C.: April 24, 2012.
Cybersecurity: Challenges in Securing the Modernized Electricity
Grid, GAO-12-507T. Washington, D.C.: February 28, 2012.
Critical Infrastructure Protection: Cybersecurity Guidance Is
Available, but More Can Be Done to Promote Its Use. GAO-12-92.
Washington, D.C.: December 9, 2011.
High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February
2011.
Electricity Grid Modernization: Progress Being Made on
Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed.
GAO-11-117. Washington, D.C.: January 12, 2011.
Cybersecurity: Continued Attention Needed to Protect Our Nation's
Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.
Critical Infrastructure Protection: Key Private and Public Cyber
Expectations Need to Be Consistently Addressed. GAO-10-628. Washington,
D.C.: July 15, 2010.
Cyberspace: United States Faces Challenges in Addressing Global
Cybersecurity and Governance. GAO-10-606. Washington, D.C.: July 2,
2010.
Cybersecurity: Continued Attention Is Needed to Protect Federal
Information Systems from Evolving Threats. GAO-10-834T. Washington,
D.C.: June 16, 2010.
Critical Infrastructure Protection: Update to National
Infrastructure Protection Plan Includes Increased Emphasis on Risk
Management and Resilience. GAO-10-296. Washington, D.C.: March 5, 2010.
Cybersecurity: Progress Made but Challenges Remain in Defining and
Coordinating the Comprehensive National Initiative. GAO-10-338.
Washington, D.C.: March 5, 2010.
Cybersecurity: Continued Efforts Are Needed to Protect Information
Systems from Evolving Threats. GAO-10-230T. Washington, D.C.: November
17, 2009.
Defense Critical Infrastructure: Actions Needed to Improve the
Identification and Management of Electrical Power Risks and
Vulnerabilities to DOD Critical Assets. GAO-10-147. Washington, D.C.:
October 23, 2009.
Critical Infrastructure Protection: Current Cyber Sector-Specific
Planning Approach Needs Reassessment. GAO-09-969. Washington, D.C.:
September 24, 2009.
National Cybersecurity Strategy: Key Improvements Are Needed to
Strengthen the Nation's Posture. GAO-09-432T. Washington, D.C.: March
10, 2009.
Electricity Restructuring: FERC Could Take Additional Steps to
Analyze Regional Transmission Organizations' Benefits and Performance.
GAO-08-987. Washington, D.C.: September 22, 2008.
Information Security: TVA Needs to Address Weaknesses in Control
Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.
Critical Infrastructure Protection: Multiple Efforts to Secure
Control Systems Are Under Way, but Challenges Remain. GAO-07-1036.
Washington, D.C.: September 10, 2007.
Cybercrime: Public and Private Entities Face Challenges in
Addressing Cyber Threats. GAO-07-705. Washington, D.C.: June 22, 2007.
Meeting Energy Demand in the 21st Century: Many Challenges and Key
Questions. GAO-05-414T. Washington, D.C.: March 16, 2005.
The Chairman. Thank you very much.
Mr. Cauley.
STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
Mr. Cauley. Thank you, and good morning, Chairman Bingaman,
and Ranking Member Murkowski, and members of the committee, and
fellow panelists. My name is Gerry Cauley. I am the President
and CEO of the North American Electric Reliability Corporation.
When we go about our business for reliability and security
of the power grid, we think, first, of the customers and rate
payers and citizens that we serve. When I do that, we think
about 4 principles. First of all, focus on really big important
reliability problems find solutions, and fix them.
Second, we apply principles of using risk-based approaches
to make sure that we are prioritizing effectively and that we
are coming up with cost-effective solutions.
Third, we focus on the learning industry. So, we are
continually adapting and developing reliability solutions and
learning from experience.
Finally, we hold the industry accountable, as well as
ourselves, to produce reliability results.
This approach works really well in conventional risks, such
as storm outages, equipment failures, human factors, errors,
and those kinds of things. I think the approach also works well
in the arena of cyber and physical security.
One of the big differences, however, in security is we are
often challenged by the lack of information, and this is where,
in cyber, the partnership between industry and Government, in
terms of information sharing, to help us understand those risks
and be able to adapt to them, is very important.
So, our strategy for security recognizes that a perfect
defense against the bad guys is not achievable nor necessarily
affordable. So what we have to do is combine defense
strategies, such as through our standards, as well as
resilience, and adapting and enhancing the existing resilience
of the bulk power system.
So, our strategy includes several activities. The first is
in the--having a base set of standards that ensure the
protection of the grid. We promote and are involved in active
information sharing between industry and Government, and among
industry, and among critical infrastructure sectors. We are
focused on training and exercising and testing our ability to
perform well under security challenges. We are continually
assessing the reliability and security of the system, looking
at emerging issues and emerging threats. We are working with
Government agencies to develop solutions for security and also
addressing cross-sector dependencies.
I did previously testify in front of the committee in May
2011, and I would just like to briefly review some of the
changes and some of the activities that we have completed since
that time.
First, in the area of standards--and I appreciate the
Chairman pointing out that the electric power industry and the
nuclear power industries are the only two critical
infrastructures that do have mandatory standards and
enforceable standards that are in place and that are working.
It was mentioned that we--the Commission just recently
approved version 4, which includes a bright-line criteria, in
terms of which facilities are required to be included within
those standards. We are currently working on what I believe
will be a plateau of security for us in version 5, where we are
adopting NIST's risk controls into our standards, and we will
have those completed and filed with the Commission by the end
of the first quarter in 2013.
In addition to the standards, we also have a very rigorous
program on compliance. Since 2008, we have conducted over 500
audits of individual companies, sending teams onsite, finding
various findings and recommendations and things that need to be
corrected. We also have the industry under a very aggressive
program to monitor the remediation of those issues.
A third area is in the area of information sharing and
analysis. This is our way of addressing near-term issues and
risks that emerge continuously. There is a parallel that--if
you look at--Microsoft essentially publishes on the second
Tuesday of each month for patches and vulnerabilities that have
been identified over the previous month. That is essentially an
approach that we need to take in terms of emerging risks and
threats that come in that might be--need to be addressed on a
matter of hours or days.
We use our information sharing process, issue alerts. We
were able to get an agreement signed with Homeland Security to
gain us access to the National Cybersecurity and Communications
Integration Center, the NCCIC, and we have a secure portal up
and running that allows the sharing of information. We have got
over 500 companies that are actively engaging, in terms of
posting and using that information. Our alerts that we're able
to issue go to all 1,900 companies that are affected by the
bulk power system.
Another area where we work actively is in the area of
partnering with Federal partners. We have developed best
practices guidelines, based on NIS practices with Department of
Energy. We also worked on the White House Initiative to develop
a risk management maturity model, and we recently issued 4
reports on resilience, severe cyber attack, and GMD.
So, in conclusion, I think our framework of standards,
information sharing, and partnering with Government is the
approach that will be most successful in cybersecurity.
Thank you.
[The prepared statement of Mr. Cauley follows:]
Prepared Statement of Gerry Cauley, President and Chief Executive
Officer, North American Electric Reliability Corporation
introduction
Good morning Chairman Bingaman, Ranking Member Murkowski, members
of the Committee and fellow panelists. My name is Gerry Cauley and I am
the President and CEO of the North American Electric Reliability
Corporation (NERC). NERC was designated the Electric Reliability
Organization (ERO) by the Federal Energy Regulatory Commission (FERC)
in accordance with Section 215 of the Federal Power Act (FPA), enacted
by the Energy Policy Act of 2005. NERC's reliability standards are
mandatory and enforceable within the US for the bulk power system and
include Critical Infrastructure Protection (CIP) Standards. To date,
these standards (and those promulgated by the Nuclear Regulatory
Commission) are the only mandatory cybersecurity standards in place
across the critical infrastructures of the United States. NERC's
mission is to ensure the reliability of the bulk power system of North
America and promote reliability excellence with accountability for
standards and compliance, risks to reliability and continued
coordination and collaboration with public and private sector partners.
I testified on this subject before this Committee in May 2011, and I
appreciate the opportunity to update the Committee on NERC's activities
related to cybersecurity. These activities include, but are not limited
to:
1. Receiving FERC approval of NERC's Critical Cyber Asset
Identification standards (CIP-002 version 4);
2. Beginning work on a comprehensive revision to the
cybersecurity standards, leveraging lessons learned from
previous versions;
3. Issuing eight additional alerts related to cybersecurity
concerns;
4. Developing a risk management process guideline to help
utilities better understand their cybersecurity risks, assess
severity, and allocate resources more efficiently to manage
those risks;
5. Completing the first phase of the High-Impact Low-
Frequency Task Force reports identifying recommendations for
owners and operators with respect to addressing severe impact
resilience, cyber attacks, spare equipment, and geomagnetic
disruptions;
6. Facilitating the first-ever Grid Security Exercise
(GridEx) for the Electricity Sub-sector in North America; and
7. Participating in government partnership initiatives,
including the Department of Homeland Security's (DHS) National
Level Exercise series and various cybersecurity forums and
briefings with Canadian government agencies, as well as the
White House-initiated, Department of Energy (DOE)-led
Electricity Sub-sector Cybersecurity Risk Management Maturity
Model, which will support ongoing development and measurement
of cybersecurity capabilities within the sub-sector;
the cybersecurity challenge for the grid
As a result of society's growing dependence on electricity, the
electric grid is one of the Nation's most critical infrastructures. The
bulk power system in North America is one of the largest, most complex,
and most robust systems ever created. As CEO of the organization
charged with ensuring the reliability and security of the North
American grid, I remain deeply concerned about the changing risk
landscape from conventional risks, such as extreme weather and
equipment failures, to new and emerging risks where we are left to
imagine scenarios that might occur and prepare to avoid or mitigate the
consequences. Some of those consequences could be much more severe than
we have previously experienced. I am most concerned about coordinated
physical and cyber attacks intended to disable elements of the power
grid or deny electricity to specific targets, such as government or
business centers, military installations, or other infrastructures.
These threats differ from conventional risks in that they result from
intentional actions by adversaries and are not simply random failures
or acts of nature.
To explore the impacts of this changing risk landscape from the
view of the newer emerging risks, NERC has worked with industry and
government to better understand cybersecurity risks and manage those
risks. Based on all of the work NERC has been involved in to date, it
is clear that the most effective approach against adversaries
exploiting the newer risk landscape is through thoughtful application
of resiliency principles. Resiliency requires proactive readiness for
whatever may come our way and includes robustness; the ability to
minimize consequences in real-time; the ability to restore essential
services; and the ability to adapt and learn.
nerc measures to address cybersecurity threats and vulnerabilities
NERC has incorporated these resiliency elements in our strategic
approach to ensuring reliability of the bulk power system. This
strategic approach includes: 1) developing mandatory and enforceable
standards; 2) ensuring compliance and audit oversight; 3) sharing and
analyzing information and issuing Alerts from the Electricity Sector
Information Sharing and Analysis Center (ES-ISAC); 4) engaging in
private-public partnerships; and 5) conducting outreach, training, and
education activities within and external to the bulk power system. Only
through these critical infrastructure protection components can we
achieve a balanced approach to guard against advanced persistent
threats to grid cybersecurity and mitigate vulnerabilities.
reliability standards
In 2007, FERC designated NERC the ERO in accordance with Section
215 of the Federal Power Act, enacted by the Energy Policy Act of 2005.
Upon FERC's approval, NERC's reliability standards became mandatory
within the US. These mandatory reliability standards include CIP
Standards 001 through 009, which address the security of cyber assets
essential to the reliable operation of the electric grid. To date,
these standards (and those promulgated by the Nuclear Regulatory
Commission) are the only mandatory cybersecurity standards in place
across the critical infrastructures of the US. Subject to FERC
oversight, NERC and its Regional Entity partners enforce these
standards, developed with substantial input from industry and approved
by FERC, to accomplish our mission to ensure the reliability of the
electric grid.
NERC's nine mandatory CIP standards address the following areas:
Standard CIP-001: Covers Sabotage Reporting.
Standard CIP-002: Requires the identification and
documentation of the Critical Cyber Assets associated with the
Critical Assets that support the reliable operation of the Bulk
Electric System.
Standard CIP-003: Requires that Responsible Entities have
minimum security management controls in place to protect
Critical Cyber Assets.
Standard CIP-004: Requires that personnel with access having
authorized cyber or authorized unescorted physical access to
Critical Cyber Assets, including contractors and service
vendors, have an appropriate level of personnel risk
assessment, training, and security awareness.
Standard CIP-005: Requires the identification and protection
of the Electronic Security Perimeter(s) inside which all
Critical Cyber Assets reside, as well as all access points on
the perimeter.
Standard CIP-006: Addresses implementation of a physical
security program for the protection of Critical Cyber Assets.
Standard CIP-007: Requires Responsible Entities to define
methods, processes, and procedures for securing those systems
determined to be Critical Cyber Assets, as well as the other
(non-critical) Cyber Assets within the Electronic Security
Perimeter(s).
Standard CIP-008: Ensures the identification,
classification, response, and reporting of Cyber Security
Incidents related to Critical Cyber Assets.
Standard CIP-009: Ensures that recovery plan(s) are put in
place for Critical Cyber Assets and that these plans follow
established business continuity and disaster recovery
techniques and practices.
In December 2010, NERC approved an enhancement to its Critical
Cyber Asset Identification standard (CIP-002 version 4) that
establishes bright-line criteria for the identification of critical
assets. This enhanced standard was filed with the Federal Energy
Regulatory Commission (FERC) in February 2011, and FERC approved the
standard on April 19, 2012. The implementation of the CIP standards
under the bright-line approach is currently underway.
In addition, industry is currently developing a comprehensive
revision to the cybersecurity Standards. The revision leverages
experience with existing CIP standards to enhance the industry's
protections against cyber threats and vulnerabilities, including
transitioning the classification of critical assets to a ``low-medium-
high'' impact-based system. The revised CIP standards will also provide
greater flexibility in implementing solutions to emerging cyber
threats. The revised CIP standards have been improved to remove
technology-specific requirements by replacing them with a risk-based
approach to implementing appropriate and changing technologies. That
is, rather than specifying how to implement a requirement, the revised
requirements specify the risk-based result that must be achieved, which
enables industry to implement new and emerging technologies to address
the risk.
NERC can use an emergency standards development process if
circumstances warrant. In addition, FERC can order NERC to develop or
modify a reliability standard to address a specific matter.\1\ Finally,
the NERC Board of Trustees can direct NERC to develop and adopt a
standard in response to a FERC directive and timetable if the Board
determines that the regular standards process is not sufficiently
responsive to the Commission.
---------------------------------------------------------------------------
\1\ FERC can order NERC to develop a proposed reliability standard
or a modification to a reliability standard to address a specific
matter (such as a cyber threat or vulnerability) under FPA Section
215(d) (5).
---------------------------------------------------------------------------
Under the emergency standards process, FERC has authorized NERC to
use an expedited standards development process to meet urgent
reliability issues. These special standards can be developed on an
expedited, confidential basis to address imminent or longer-term
national security threats. NERC has practiced using this expedited,
confidential process as part of GridEx.
In addition to developing mandatory reliability standards, NERC
supports the ERO's Regional Entities to improve the consistency of
compliance program results, improve risk-based approaches for auditing
and spot checking, and promote a culture of security and compliance
through education, transparency, and incentives. Specifically, we
conduct audit oversight of the Regional Entities' compliance audit
teams during audits of registered entities, and maintain oversight
throughout the entire audit process (pre-audit, on-site, and post
audit) in accordance with the audit oversight program. During this
process, NERC seeks to capture compliance applications, positive
observations, lessons learned, and recommendations. NERC's audit
oversights are designed to perform a thorough evaluation of the
processes and criteria used by all Regional Entities in their
determination of registered entities' compliance with the NERC
Reliability Standards, including the CIP Standards.
Compliance with the NERC CIP standards is an important threshold
for properly securing the bulk electric system. However, no single
security asset, technique, procedure, or standard--even if strictly
followed--will protect an entity from all potential cyber threats. The
cybersecurity threat environment is constantly changing and our
defenses must keep pace. Security best-practices call for additional
processes, procedures, and technologies beyond those required by the
CIP standards.
the es-isac and nerc alerts
Not all vulnerabilities can or should be addressed through a
reliability standard. In such cases, NERC Alerts are a key element in
critical infrastructure protection. To address cyber challenges not
covered under the CIP Standards, NERC works through its ES-ISAC to
inform the industry and recommend mitigation actions.
The ES-ISAC gathers information from disparate electric industry
participants about security-related events, disturbances, and off-
normal occurrences within the Electricity Sub-sector and shares that
information with key governmental entities. In turn, these governmental
entities provide the ES-ISAC with information regarding risks, threats,
and warnings which the ES-ISAC is then responsible for disseminating
throughout the Electricity Sub-sector. The two functions that the ES-
ISAC supports, information sharing and analytics, are vitally important
to all other critical infrastructures and key resource sectors that
have active ISACs. Effective collaboration and communication is
essential to addressing infrastructure protection and resilience within
each sector, as well as the important interdependencies that exist
among sectors.
NERC staff with appropriate security clearances often work with
cleared personnel from Federal agencies to communicate unclassified
sensitive information to the industry. As defined in NERC's Rules of
Procedure, the ES-ISAC developed the following three levels of Alerts
for formal notice to industry regarding security issues:
Industry Advisory.--Purely informational, intended to alert
registered entities to issues or potential problems. A response
to NERC is not necessary.
Recommendation to Industry.--Recommends specific action be
taken by registered entities. Requires a response from
recipients as defined in the Alert.
Essential Action.--Identifies actions deemed to be
``essential'' to bulk power system reliability and requires
NERC Board of Trustees approval prior to issuance. Like
recommendations, essential actions require recipients to
respond as defined in the Alert.
The risk to the bulk power system determines selection of the
appropriate Alert notification level. Generally, NERC distributes
Alerts broadly to users, owners, and operators of the bulk power system
in North America utilizing its Compliance Registry. Entities registered
with NERC are required to provide and maintain up-to-date compliance
and cyber security contacts. NERC also distributes the Alerts beyond
the users, owners and operators of the bulk power system, to include
other electricity industry participants who need the information.
Alerts may also be targeted to groups of entities based on their NERC-
registered functions (e.g., Balancing Authorities, Transmission
Operators, Generation Owners, etc.).
Alerts are developed with the strong partnership of Federal
technical organizations, including DHS and DOE National Laboratories,
and bulk power system subject matter experts, called the HYDRA team.
NERC has issued 22 CIP-related Alerts since January 2010 (20 Industry
Advisories and two Recommendations to Industry). Those Alerts covered
items such as Aurora, Stuxnet, Night Dragon, and the reporting of
suspicious activity. Responses to Alerts and mitigation efforts are
identified and tracked, with follow-up provided to individual owners
and operators and key stakeholders. In addition, NERC released one
Joint Product CIP Awareness Bulletin in collaboration with DOE, DHS and
the Federal Bureau of Investigation (FBI) titled, ``Remote Access
Attacks: Advanced Attackers Compromise Virtual Private Networks
(VPN).''
The NERC Alert system is working well. It is known by industry,
handles confidential information, and does so in an expedited manner.
The information needed to develop the Alert is managed in a
confidential and expedited manner and does not require a NERC balloting
process. Information sharing through the ES-ISAC is the greatest asset
we have to combat emerging threats to cybersecurity and help ensure the
reliability of the bulk power system. As a result, NERC has been
enhancing the ES-ISAC's capabilities by building out a private, secure
portal to receive voluntary reports from industry members and working
with various organizations (both industry and government) to obtain the
data and mechanisms necessary to conduct these information sharing
activities.
Anything Congress can do to further facilitate information sharing
between the public and private sector would add greatly to these
efforts. Some actions may include: making more clearances available to
industry, identifying alternative methods to communicate classified
information to our Canadian partners, and encouraging increased
information sharing by US Government departments and agencies with
asset-owners.
nerc's public-private partnerships to enhance grid cybersecurity
As mentioned, NERC has developed several strong relationships with
industry and government entities. As chair of the Electricity Sub-
sector Coordinating Council (ESCC), I work with industry CEOs and our
partners within the government, including the Department of Defense,
DOE, and DHS, to identify, discuss, and resolve critical infrastructure
protection policy, process, and resource issues. This type of public-
private partnership is essential to effective cybersecurity protection
by facilitating information sharing about cyber-related vulnerabilities
and threats.
Last year, NERC signed a Cooperative Research and Development
Agreement with DHS that provides ES-ISAC staff with access to DHS'
National Cybersecurity and Communications Integration Center (NCCIC).
Access to the classified NCCIC facilitates a significantly improved bi-
directional sharing of critical infrastructure protection information
between the US government and the Electricity Sub-sector in North
America. NERC has also recently established a protected communications
corridor for the ES-ISAC in part to facilitate this bi-directional
information sharing between the DHS NCCIC and BPS entities.
NERC also provides leadership to three significant DHS-affiliated
public-private partnerships. These groups are:
Partnership for Critical Infrastructure Security, the
senior-most policy coordination group between public and
private sector organizations comprised of the chairs or co-
chairs of all 18 critical infrastructure and key resources
sectors and their Government Coordinating Council counterparts;
Cross-Sector Cyber Security Working Group, which was
established to coordinate cross-sector initiatives that promote
public and private efforts to help ensure secure, safe, and
reliable critical infrastructure services; and
Industrial Control Systems Joint Working Group, which is a
cross-sector industrial control systems working group that
focuses on the areas of education, cross-sector strategic
roadmap development, and coordinated efforts to develop better
vendor focus on security needs for industrial control systems.
NERC also collaborates with the Industrial Control Systems Cyber
Emergency Response Team to share threat, vulnerability, and security
incident information.
As part of NERC's outreach and awareness efforts to engage industry
and government in addressing some of the key cybersecurity challenges
we face, NERC facilitated the first-ever Grid Security Exercise
(GridEx) for the Electricity Sub-sector in North America. This
distributed play exercise, which was held in November 2011, was
designed to validate the readiness of the Electricity Sub-sector to
respond to a cyber incident, strengthen utilities' crisis response
functions, and provide input for internal security program
improvements. Seventy-five industry and government organizations from
the US and Canada participated in GridEx. BPS entities included
generation and transmission owners, reliability coordinators,
independent system operators, and balancing authorities. Key government
agencies, such as DHS, FBI, and DOE, were also heavily involved. GridEx
provided a realistic environment for organizations to assess their
cyber response capabilities. The biennial exercise was viewed across
industry and government as a training success in preparing the BPS for
a disruptive security event. NERC issued a final report in March 2012,
and is applying the GridEx recommendations to further strengthen the
bulk power system's preparedness and response mechanisms.
Given the heightened awareness of security in the Electricity Sub-
sector, NERC hosts an annual Grid Security Conference (GridSecCon) to
discuss emerging threats, industry best practices, and provide cutting
edge training to the industry. NERC will again host this conference in
October 2012, and will bring together cyber and physical security
thought leaders from government and industry to discuss securing
industrial control systems, social engineering attacks, and security
event response management, among other topics.
conclusion
As outlined today, NERC has many tools available, including
critical infrastructure protection standards and processes and the ES-
ISAC, to address imminent and non-imminent threats and vulnerabilities.
We work with multiple government, industry, and consumer partners to
support a coordinated comprehensive effort to address cybersecurity.
We appreciate this opportunity to discuss NERC's activities on
cybersecurity with the committee related to cybersecurity protection of
the grid.
The Chairman. Thank you very much.
Mr. Snitchler, go right ahead.
STATEMENT OF TODD A. SNITCHLER, CHAIRMAN, PUBLIC UTILITIES
COMMISSION OF OHIO
Mr. Snitchler. Good morning. Chairman Bingaman, Ranking
Member Murkowski, and members of the committee, I want to thank
you for the opportunity to appear before you today as we
examine the status of actions taken to ensure that the electric
grid is protected from cyber attacks. My name is Todd
Snitchler, and I am the Chairman of the Public Utilities
Commission of Ohio.
Our State agency is responsible for assuring residential
and business customers access to adequate, safe, and reliable
utility service at fair prices, ensuring the financial
integrity and service reliability of the Ohio utility industry
and, among other things, promoting utility infrastructure
investments, including investments in IT infrastructure. I am
pleased to have the opportunity to discuss cybersecurity issues
for the electric grid; because, often times, we take that grid
for granted.
Should Congress decide to pass legislation on
cybersecurity, however, it is my view that we must distinguish
between imminent threats, which require immediate action, and
vulnerabilities, which can be addressed and resolved more
deliberately. Particularly, regarding the electricity grid,
one-size solutions for cybersecurity may not be the most
effective means to mitigate and reduce known vulnerabilities.
Additionally, the desired outcome from such legislation
should be the establishment of a foundation that contemplates 4
basic considerations. First, we need to protect diamonds like
diamonds and apples like apples. That is, we must prioritize
accordingly to ensure that the appropriate level of security is
provided to all areas that require protection.
Second, States and the owners of critical infrastructure
that we regulate cannot protect the infrastructure to the
maximum extent possible, unless the relevant Federal agencies
provide the actionable information necessary to identify and
address the threat or vulnerability. In other words, true
information sharing between those who have the information and
those who need the information to protect their systems.
Third, our utilities can provide a gold-plated, or even a
platinum-plated, system which is ultra-cyber secure. However,
this raises the question of just how much do we want a kilowatt
hour of electricity to cost.
Fourth, preparedness should not focus solely on response
capabilities, but should also ensure that resilience is built
into the infrastructure. Our Nation's utilities--municipal-,
cooperative-, and investor-owned--have done this country proud
in responding to the greatest calamities and catastrophes,
quickly, and capably restoring power after significant storms,
earthquakes, wildfires, or even acts of terrorism.
As a State regulator, my fellow commissioners and I, as
well as our staff, have many responsibilities. Some items of
significance today are resolved and become less significant
down the road, and other items that are less significant today
may become a issue of paramount importance in the near future,
with a major change, for instance, in weather or technology.
This is true for many things, including the provision of
electricity in a safe, reliable, and economic fashion.
Just as utilities cannot protect against all threats,
neither can they eradicate all susceptibilities. We must
recognize there are different parts of these systems that
require different levels of protection. This is why we must
ensure there is adequate protection of the grid, especially its
most valuable parts, while we must not expend undue levels of
resources protecting other less important parts of the system.
Another point of consideration that must be recognized is
that State agencies, like the PUCO, along with owners of that
critical infrastructure, are unable to provide the full measure
of protection necessary to help secure the critical
infrastructure if the relevant agencies are not providing that
actionable information to address imminent threats.
State regulators take the reliability and security of the
bulk power system very seriously. Through strong, Federal,
State, public, and private partnerships, we have consistently
maintained and improved reliability and security of the grid.
Cybersecurity is an emerging area of risk for our utilities
and for State commissions as well. Although, it is unique in
some respects, this is not the first time that our State
utility systems have faced reliability threats. Through a
strong, public-private partnership, we have overcome past
risks. It is my belief that this emerging of information
systems into the electric and other utility sectors will
improve the resilience, reliability, and efficiency.
Cooperation and acceptance of responsibility is a must.
With modern threats becoming apparent to us in the last several
years, we understand that our traditional responsibility to
ensure reliable service must include the need to ensure
security, both physical and cyber.
Over the past several years, State commissions have begun
to probe the cyber preparedness of our utility companies in the
realm of the smart grid. In concept, the smart grid has the
potential to provide many improvements in situational
awareness, prevention, management, and restoration. In spite of
introducing new weaknesses, smart grid fundamentally makes the
electric system more secure.
In each of the areas that I have identified in my
testimony, steps are being taken to manage the risk. The issue
is how much money should be put into this effort when it is
virtually impossible to stop all attacks, but vitally important
to stop some.
Smart grid poses an additional and particularly thorny
policy issue, as well. Through NARUC's collaborative with FERC
on smart grid and other activities, State commissions have
begun to identify key areas to assure the smart grid
investments boast the highest, most sophisticated levels of
security. Commissions, therefore, have had to become more
expert in our understanding of the prudent smart grid and
cybersecurity investments.
In Ohio, for instance, an extensive audit was recently
performed on one of our utilities that complied with the NISTIR
7628, and industry best practices that were to identify
potential areas of improvement were set forth. This effort was
massive and will become a best practices model for other
commissions and utilities in their cybersecurity analyses and
efforts.
My testimony also lists a significant number of activities
that have been undertaken by the Ohio Commission, in our effort
to become more advanced in our understanding of cybersecurity
issues. I also identify several other States, including,
Pennsylvania, Texas, Missouri, and New York, who are also
making active steps to try and increase their understanding, as
well.
A long-standing mission of every State public utility is to
ensure the physical viability of the utility plan under our
supervision. A less traditional responsibility, that of
cybersecurity and information systems standards and
development, is increasingly being thrust into the mix, and
this newer responsibility clearly envelops a broader range of
industries and specific expertise.
I see that I'm out of time, and the rest of my comments are
in our written testimony.
Thank you.
[The prepared statement of Mr. Snitchler follows:]
Prepared Statement of Todd A. Snitchler, Chairman, Public Utilities
Commission of Ohio
Chairman Bingaman, Ranking Member Murkowski, and Members of the
Committee, thank you for this opportunity to appear before you today as
you examine the status of action taken to ensure that the electric grid
is protected from cyber attacks. My name is Todd Snitchler, and I am
the Chairman of the Public Utilities Commission of Ohio (PUCO), the
State agency responsible for:
assuring residential and business consumers access to
adequate, safe, and reliable utility services at fair prices;
ensuring financial integrity and service reliability in the
Ohio utility industry;
promoting utility infrastructure investments (including
investments in IT infrastructure); and,
related items like fostering of competition, safety, and
even mediation responsibilities.
I am pleased to have been given this opportunity to discuss
cybersecurity issues for the electric grid. We take for granted the
reliability of our nation's grid and we are hyper-sensitive when we
lose power because we are not generally accustomed to it--nor should we
be.
Should Congress decide to pass legislation on cybersecurity,
however, it must distinguish between imminent threats, which require
immediate action, and vulnerabilities, which can be addressed and
resolved more deliberately. Particularly regarding the electric grid,
one-size solutions for cybersecurity may not be the most effective
means to mitigate and reduce known vulnerabilities. Additionally, the
desired outcome for such legislation should be the establishment of a
foundation that contemplates at least four basic considerations.
First, let us protect diamonds like diamonds and apples like
apples. That is, we must prioritize accordingly to ensure that the
appropriate level of security is provided to all areas that require
protection.
Second, States and the owners of the critical infrastructure we
regulate cannot protect the infrastructure to the maximum extent
possible unless relevant Federal agencies provide the actionable
information necessary to identify and address the threat and/or
vulnerabilities--in other words true information sharing between those
that have critical information (the Federal agencies) and those that
need such information to protect their systems.
Third, our utilities can provide a ``gold-plated'' or even a
``platinum-plated'' system which is ultra-cyber secure. However, this
raises the question of just how much more do we want a kilowatt hour of
electricity to cost? While we understand that if the lights are not on
it does not matter what the cost of the electricity is, do we really
want the critical infrastructure to be so expensive that due to cost
constraints it is no longer considered critical?
Fourth, preparedness should not focus solely on response
capabilities, but should also ensure that resilience is built into our
infrastructure--our nation's utilities (municipal, cooperative, and
investor-owned) have done this country proud in responding to the
greatest calamities and catastrophes, quickly and capably restoring
power after significant storms, hurricanes, earthquakes, wildfires, and
even acts of terrorism.
As a State regulator, my fellow Commissioners and I, as well as our
Staff, have many responsibilities. Some items of significance today are
resolved and become less significant down the road. Other items that
are less significant today may become of paramount importance in the
near future with a major change in one variable like weather, for
instance. This is true for many things, including the provision of
electricity in a safe, reliable and economic fashion. Focusing on
reliability, there are many factors that impact that aspect--physical
infrastructure in place and operational considerations, such as
generators, wires, substations, transformers, and meters. Also greatly
impacting reliability is equipment failure. Equipment may fail due to
its age, its overuse or underuse, physical vulnerabilities, and as we
are aware, perhaps due to cyber vulnerabilities. Many of these
vulnerabilities have existed and are known, while other weaknesses are
more recently being better understood. Just as the electric utilities
cannot protect against all threats, neither can they eradicate all
susceptibilities. But we must recognize there are different parts of
these systems that require different levels of protection. This is why
we must ensure that there is adequate protection for the electric grid,
especially the most valuable parts, while we must not expend undue
levels of resources in protecting other, less important parts of the
system.
Another important point of consideration that must be recognized is
that State agencies like the PUCO, along with the owners of our
critical infrastructure, are unable to provide the full measures of
protection necessary to help secure our nation's critical
infrastructure if the relevant Federal agencies do not provide
actionable information to address imminent threats. State regulators
take the reliability and security of the bulk-power system very
seriously. Through strong Federal, State, public, and private
partnerships, we have consistently maintained and improved reliability
and security of the grid. As times and technologies have changed, new
risks and vulnerabilities have emerged. The transition to a smarter,
more efficient grid--while full of promise--carries with it unforeseen
concerns and unintended consequences. As Congress considers legislation
in this area, it should build on existing Federal-State coordination
and result in a framework where vulnerabilities to the system are
identified, prioritized, and resolved in a timely fashion.
However, identification of vulnerabilities is only one part of the
main equation; equally, or even more importantly, is a need by the
States and especially by the asset owners to recognize the threats to
the nation's grid. We hear consistently from asset owners who provide
information about their systems to Federal agencies in the spirit of
cooperation, all the while seeking reciprocity, yet they never receive
truly meaningful, actionable, timely information in return. They cannot
protect all of their systems against everything; none of us can. They
have to target their defenses and we have to help them understand the
actionable threats so that they may bolster their defenses where
needed.
As with most sectors of the economy, information systems are
rapidly merging with utility systems, potentially heightening the risks
of service disruption. Cybersecurity is an emerging area of risk for
our utilities and for State Commissions as well; although it is unique
in some respects, this is not the first time our utility systems have
faced new reliability threats. Through a strong public-private
partnership, we have overcome past risks, and it is my belief that this
merging of information systems into the electric and other utility
sectors improves their resilience, reliability and efficiency.
National security roles and responsibilities have been subject to
the purview of Emergency Management Agencies, State Police, and
Departments of Homeland Security. However, the lines defining and
separating roles in critical infrastructure protection between the
Federal government, State agencies, and the private sector owners of
critical infrastructure are necessarily overlapping now. Cooperation
and acceptance of responsibility is a must. With modern threats
becoming apparent to us in the last several years, we understand that
our traditional responsibility to ensure reliable service must include
the need to ensure security--both physical and cyber. Breaches of
security, obviously, can have extremely serious reliability
consequences. From my vantage point, State commissions can identify
certain key areas of concern about cybersecurity. The first concern
focuses on business process systems--email, office computing,
databases, etc.--that are not unique to utilities. In fact, commissions
in recent years have improved their own security, along with everyone
else, as attacks on these systems become more sophisticated and we
become more dependent on them for our operations.
A second vulnerability is more specific to regulated utilities:
control systems. Supervisory Control and Data Acquisition (SCADA)
systems have been and remain an inextricable part of utility
operations, and have served to improve the efficiency and reliability
of our system operations in every system throughout the country. In
recent years, susceptibilities in these SCADA systems have been
repeatedly highlighted.
Over the past several years, State commissions have begun to probe
the cyber-preparedness of our utility companies in the realm of smart
grid. With tens of billions of dollars in investment on the line,
commissions want to know that the investments are not going to
introduce new and unmanageable risks. In concept, the smart grid has
the potential to provide many improvements in situational awareness,
prevention, management, and restoration. In spite of introducing new
weaknesses, smart grid fundamentally makes the electric system more
secure. Still, this technology brings with it new vulnerabilities and
points-of-access to create intentional disruption, which should be
taken extremely seriously. ``Guns-gates-and-guards'' analogs of
password protection and ``security through obscurity'' must be
augmented with a framework of maximum system resilience and next-
generation safeguards that allow the network to be impregnable, even if
devices connected to it are compromised.
In each of these areas, steps are being taken to manage the risk.
The regulated companies that we oversee, through the North American
Electric Reliability Corporation (NERC), are continuously in a process
of developing and updating standards for cybersecurity that we believe
are a good step in the right direction for SCADA and business process
systems. NERC, for example, has adopted a cyber-security standard for
the bulk electric system. NERC's cybersecurity (``CIP'') standards are
extensive and thorough. Over the past five years electric utilities
across the country have requested significant additional staffing and
dollars for CIP standard compliance activities in their transmission
rate case filings at FERC. The CIP standards already in place are
adequate for both physical security and cyber-security. However,
extending the applicability of those standards to lower voltage
facilities raises the question of how much more we are willing to pay
for a marginal increase in cybersecurity. The issue of how much more
money should be put into this effort when it is virtually impossible to
stop some cyber attacks (e.g., hackers getting into the Pentagon's
computer system) needs to be addressed.
Smart grid poses an additional, and particularly thorny, policy
issue as well. Through NARUC's collaborative with FERC on smart grid
and through other activities, State commissions have also begun to
identify key areas to assure that smart grid investments boast the
highest, most sophisticated levels of security. Recent Federal funding
support for smart-grid investments has incentivized the deployment of
hardware in advance of the development of standards for cybersecurity,
among other issues. Commissions may be confronted with expenditures on
cybersecurity for which no specific standard has yet been reached. This
draws commissions into specific areas of review in order to determine
the prudence of expenditures--a review that would be unnecessary if the
expenditure would be made in compliance with recognized standards.
Commissions, therefore, have had to become more expert in their
understanding of prudent smart grid and cybersecurity investments.
Because we are driven by our obligation to assure the reliability of
service for our ratepayers, we must better understand the prudence of
the costs in ensuring reliability (including expenditures for cyber-
security) that goes into their rates. As a result, our agency has
expended significant time and resources to become better educated
regarding cybersecurity. Over the past several years, as the electric
industry aptitude has grown regarding cybersecurity, so too has that
knowledge base grown across State commissions.
In Ohio, for instance, regarding the smart grid discussion above,
an extensive audit was conducted to assess the degree to which Duke
Energy Ohio's Smart Grid system complied with the NISTIR 7628 and
industry best practices and identify potential areas of improvement,
which was a precursor to the action items in the stipulation. An
internal audit was also provided during the audit and included
penetration testing on a number of Smart Grid assets. An extension
stipulation was reached regarding Duke's cybersecurity plan and the
implementation of that plan, including the role of the Commission. This
effort was massive and will become a best practices model for other
commissions and utilities in their cybersecurity analyses and efforts.
We have been very involved in the NIST's and now the Smart Grid
Interoperability Panel's (or SGIP's) Cyber Security Working Group. My
agency has been very active in pursuing cybersecurity training
opportunities with Idaho National Labs, NIST & NIST's ITL Computer
Security Division, the SGIP, EnerNex, NERC's Grid Security Conference,
and others, as well as participating in the development of the initial
NIST-IR 7628, the most recent version being a multi-volume compendium
of Smart Grid Cyber Security Strategy and Requirements. We have
actively participated in the National Association of Regulatory Utility
Commissioners (NARUC) Cybersecurity Boot Camps. Additionally, our Staff
participates in two different sets of regular, twice-monthly conference
calls with our colleagues from across the country. These calls address
critical infrastructure protection issues, cybersecurity issues for
utilities, as well as smart grid development and implementation issues.
Our Staff participates in monthly threat briefings for both the
electric sector as well as the oil and natural gas sector. Also, our
Staff regularly participates in weekly briefings with Ohio Homeland
Security. Through this partnership, our agency has a permanent seat at
the State of Ohio's Strategic Analysis and Information Center (or
SAIC), just as it does in our State of Ohio Emergency Operations
Center. Presently, the State of Ohio has developed a Statewide
Cybersecurity Strategy and our Staff has been actively engaged in both
the development as well as the on-going implementation of that
strategy. Over a year ago, my agency conducted a cybersecurity workshop
for our utilities as well as for our State and Federal partners.
Leading part of that workshop was a representative from the U.S.
Department of Energy's Cybersecurity for Energy Delivery Systems
program. Also participating was Ohio's Homeland Security Advisor, as
well as representatives from the cyber squads from both of the FBI
divisions in Ohio. In addition, the two U.S. Department of Homeland
Security (DHS) Protective Security Advisors stationed in and serving
Ohio addressed not only their physical protective security program, but
also DHS's cybersecurity advisor program and the related cyber
resources and tools available from DHS for asset owners. Our efforts in
strengthening the cybersecurity posture of Ohio's utilities continue.
Ohio also has one of the premier military bases in the country--
Wright-Patterson Air Force Base. Located in the south-western portion
of the state, this base employs a significant number of personnel and
performs mission-critical work for the Department of Defense. My agency
has worked with this base in the past, and will do so in the future, to
ensure that it has what it needs to accomplish its objectives.
While I am not an expert on what other States are doing with regard
to cybersecurity, I am aware of a few examples of activity that State
commissions have engaged in, to ensure that companies are focused on
this issue. In most instances these activities are coordinated with
other State agencies that also have a jurisdictional responsibility for
safety and/or security.
Since 2005, the Pennsylvania Public Utility Commission has required
all jurisdictional utilities to have a written cyber security plan to
complement their emergency response, business continuity and physical
security protocols, each of which are tested on an ongoing basis. The
Pennsylvania PUC has issued orders on cybersecurity in reaction to
media reports of grid infiltration by international hackers.
Pennsylvania also issued a secretarial letter to its utilities
encouraging them to be active in the NIST Standards development process
by reviewing and commenting on the NIST Framework and the Cyber
Security Coordination Task Group documents and to participate in
various related working groups. Pennsylvania has also incorporated
cyber-security review in its management audits process. Pennsylvania
performs management and efficiency audits at least once every five
years on all electric, gas, and water utilities with over $10 million
of plant in service.
Another State taking action is Missouri. Missouri requires all of
its utilities to have in place reliability plans and has queried its
utilities about steps taken or planned regarding cybersecurity as it
relates to company operations. The Missouri Commission required the
utilities to furnish Staff with a verified statement affirming whether
the company is in compliance with NERC Order No. 706 or what remedial
actions are to be taken and how long it will take the company to become
compliant. The Commission also asked what other organizations, groups,
industry groups or other organizations these companies participate
with, such as local FBI or State agencies, regarding security issues.
In New York, they are sharing the responsibility for critical
infrastructure protection at the Department of Public Service. Since
2003, when it was created, the New York State Public Service Commission
Office of Utility Security has carried out a regular program of
oversight of both physical security and cybersecurity practices and
procedures at the regulated utility companies in the energy,
telecommunications and water sectors. Staff of this office is devoted
full time to this security audit responsibility. Generally, that office
utilizes the existing NERC CIP standards as benchmarks to form its own
judgments about the quality of cybersecurity measures in place at New
York's regulated utilities. Its Staff adheres to a schedule that calls
for visiting each regulated electric utility company four times a year
to audit compliance with some portion of the CIP standards, with the
goal of measuring compliance with all of the standards at each company
over the course of a year.
The Public Utility Commission of Texas has established a
stakeholder working group (comprised of utilities and ERCOT Staff)
designed to work on issues specific to cybersecurity. This effort is
lead by Texas Commission Staff. The group meets regularly to discuss
the cybersecurity assessments performed on Smart Meter Texas, which is
the common portal that provides end-user access to energy usage data
sourced from the AMI that was deployed by the respective utilities.
Each utility is responsible for securing its own AMI and cybersecurity
assessments are required of the utilities by rulemaking once deployment
of AMI and other smart grid technology is approved. Regulations include
requirements for end-to-end assessments, performed independently and
annually of the utility system. These results are kept confidential but
shared with the Staff.
In addition commission staff participates in the discussions at the
ERCOT ISO Critical Infrastructure Protection Working Group (CIPWG), in
which NERC CIP issues are discussed. While this concerns the bulk
electric system, other topics related to cybersecurity that are
broached include: newly discovered vulnerabilities; emerging threats to
critical infrastructure; cybersecurity standards development from
outside NERC; mission assurance for the military; and any cybersecurity
training opportunities, conferences, workshops, or exercises.
A long-standing mission of State public utility commissions is to
ensure the physical viability of the utility plant under their
supervision. A less traditional responsibility, that of cybersecurity
and information systems standards and development, is increasingly
thrust into the mix, yet this newer responsibility clearly envelops a
broader range of industries and specific expertise. Utility regulators
recognize the dependence of sound cybersecurity practices and cyber
reporting on sound construction practices and utility-outage reporting,
and vice versa.
A concern that I wish to leave with you for consideration is that
protocols intended to distinguish between disruptions to critical
infrastructure related to cyber events and those related to physical
events, for example, a distributed-denial-of-service (DDOS) attack as
opposed to a fiber-optic cable failure, have not kept up with the fast-
emerging nature of cyber threats. Such protocols are easier to craft
than to implement. The first evidence of disruption is the disruption
itself, and such events do not often present themselves with the root
cause clearly visible.
In the critical ``golden hours'' after a possible new developing
threat is detected, or immediately following an event, it may not
always be clear what is actually happening or why. For this reason,
close coordination between the utility sector and the cyber sector is
essential to the response. As the State public utility commissions have
traditionally served as the gateway to the utility sector and have
their own independent core of expertise and relationships key to
understanding, in real-time, events affecting that plant, close
coordination among the operators of our cyber networks, the Federal
government, and State homeland security partners, including State
utility commissions, is essential. Resolving cybersecurity issues will
require significant efforts on the parts of all of us, not just one or
two of us. We all are part of the solution. Working with the asset
owners and with our Federal partners, the States have been successful
in the past in enhancing the overall reliability of our nation's
electric grid. Our Federal government possesses significant assets that
can provide States and the critical asset owners with timely and
actionable threat information necessary to better secure these assets.
We are partners in this struggle to maintain and enhance the
reliability of our electric grid and to increase its resiliency, and we
must all work together to achieve our collective goal.
Mr. Chairman and members of the Committee, this concludes my
testimony. We at the Public Utilities Commission of Ohio take the
issues of cybersecurity and reliability very seriously. As such, we
believe a Federal-State, public-private partnership is essential to
meeting these challenges over the long term.
Thank you again for the opportunity to provide testimony here today
and I would be happy to answer any questions that you or members of the
Committee may have.
The Chairman. Thank you. Thank you, all, very much for your
testimony. I will start with a few questions.
Mr. Cauley, let me ask you first, Could you describe what
happens when a vulnerability is discovered, vulnerability to a
cyber attack, for example. If you issue an alert to utilities
about that vulnerability, is there any requirement that they
follow your advice on that alert?
Mr. Cauley. Thank you. We produce the report with
intelligence information from the Government, with cleared
experts. We create a document that we can then issue to
industry, which is unclassified. We have 3 levels that we can
issue. One is an informational heads-up. One is a
recommendation, which we can track the results and performance
of the recommendations. The third is an essential action, if we
feel that it is imperative that the industry implement that.
Then, our board can approve it, and it is a required action,
and the industry is required to report back the results of that
performance.
The one area I pointed out last year in testimony was the--
even though the industry is required to report back and they
are required to implement the action, there is not an
enforcement mechanism for that. I appreciate that in the
discussion of that legislation, there was an inclusion to deal
with that gap.
The Chairman. So, at the current time, if you issue an
alert and you say, ``Take the following action,'' and the
utility does not do so, you have no ability to enforce that?
Mr. Cauley. The industry is required to respond by our
rules and by rules that FERC has approved, so the--we are
limited at this point to a civil action, but not within our
current rules and our current framework.
The Chairman. So, you can take them to court?
Mr. Cauley. We could.
The Chairman. But there is no immediate penalty or
immediate remedy available to you.
Aurora, I guess, is the most famous cyber vulnerability
that has sort of gotten a lot of publicity. It was on CNN for
several days back in 2007. You issued an advisory for that
vulnerability, I believe; is that correct?
Mr. Cauley. That is correct.
The Chairman. Are you able to track how many utilities
still have not complied with the recommendations in that
advisory?
Mr. Cauley. We were able to--one of the first things I
came--did when I came back to NARC as CEO in the beginning of
2010, as I recognized that the information that the industry
had from 2007 was insufficient, unclear, and, essentially, not
actionable--so, we worked to issue another alert in 2010,
which, I think, points out the importance of information
sharing and access to information. So, we were able to put out
a meaningful alert in 2010. We are tracking on a twice-yearly
basis. We are tracking on the completion of mitigation. We have
that information, and we file it with the Commission. It is
sensitive information because of the nature of the
vulnerability, but we do track that and file that with the
Commission.
The Chairman. It seems to me--and you can just respond and
tell me if I am misstating the situation. But it seems to me
that the way the standard-setting process works, standards
should be developed as a general framework for exercising
authority to require mandatory actions in the case of a
vulnerability being discovered. In fact, the way the system is
working is that you are required to issue a new standard, with
all of the accompanying delay, for any new threat that comes
along, or if you don't do that, then you are left only with the
ability to make non-binding recommendations. Now, is that a
fair statement of where things stand?
Mr. Cauley. I think, Mr. Chairman, not every risk or
challenge or vulnerability requires a standard. We get a lot of
things corrected with information and just explaining to the
industry what the issues are. There is a lot of problem-solving
going on every day.
Alerts give us an opportunity to deal with emerging issues
or issues that need a timely response. Whether or not we could
develop--we could develop a standard on Aurora. The difficulty
with that is, it is more of an equipment manufacturing-type
standard, which is more applicable to an IEEE, the Institute of
Electronic and Electrical Engineers, and I understand that they
are committed to looking at that issue as a technical standard
on equipment.
If the Commission felt that there was a vulnerability that
had been out there and had been out there too long, my belief
is that, within the current section 215, the Commission could
issue an order to the ERO to produce that standard, if it was a
priority over other risks that we are dealing with.
The Chairman. Senator Murkowski.
Senator Murkowski. Thank you, Mr. Chairman.
I am going to ask a little bit more about information
sharing. It is something that each of you has addressed.
Clearly, the NERC plays a role here with the Electricity Sector
Information Sharing and Analysis Center, where you share and
analyze the information. You have mentioned some of that. But
it sounds like even from NERC's point of view, you would urge
Congress to do what it can to facilitate further information
sharing.
Mr. Snitchler, you have indicated how important it is that
the Federal agencies provide the actionable information, too,
to help address or identify threats or vulnerabilities. GAO has
also mentioned that.
So, let me start with you, Mr. McClelland. Does the FERC
think that the private sector has the information that it needs
today to take action to address the cybersecurity threats and
vulnerabilities from the information sharing perspective; do
you have in place what you need?
Then, if I could ask each of you to just further address
this, because I think this really goes to the heart of what we
are talking about here today.
Mr. McClelland. Thank you, Senator.
I think, in general, the security practices are well-
documented. I think there are protocols to standards. There are
alerts and advisories that detail specific security protocols
to improve the security posture of the utilities.
But, specifically, no, there are circumstances where there
may be a specific actor that has targeted a particular piece of
equipment or an operating practice. In those cases, it is
important that those individual entities, and the industry at
large, perhaps to a lesser degree if they don't have that
specific equipment, is brought in, counseled, shown the threat,
and then, any particular mitigations that could be applied are
explained to that entity.
Senator Murkowski. So, then, to the rest of you. How do we
do a better job of the information sharing?
Mr. Wilshusen.
Mr. Wilshusen. One is to make sure that there is an
appropriate mechanism in which--in place to actually share
information on a timely, actionable basis.
We did a review a couple of years ago at the Department of
Homeland Security, of its lead role promoting the private-
public partnership in securing our critical infrastructures,
which include the electricity grid. We found that, to a large
extent, the information that DHS provided through its alerts
and threat information was not meeting the expectations of its
private sector partners.
In many cases, the information was not actionable, not
timely. So, one of the means that would have to take place is
to ensure that the information that is being provided is
current, timely, and also anonymized. That has been one of the
problems, is making sure that the information is sufficiently
anonymous, so as not to identify any particular company or
organization, but gets the information out to the individuals
who actually put fingers on keyboards and secure the systems.
Senator Murkowski. Mr. Cauley.
Mr. Cauley. Senator Murkowski, I fully agree with the
suggestion that the most important thing that legislation could
do would be to foster a robust information sharing between
Government and industry.
Today, it is happening, but it is sort of like sipping from
a lawn hose. We just need more. Also, the information sources
are ad hoc across agencies, so we work out individual
relationships with agencies to get information. We have a very
limited access to clearances within the industry, particularly
on the top secret side. The value of that is, only industry
experts can really, fully understand the impacts. Often, our
limited folks that we have that do have clearances are
explaining back to the intelligence folks what might be the
impacts for a particular threat. So, I think getting more
clearances, having a more unified system for sharing of
information would be very beneficial.
Senator Murkowski. Mr. Snitchler.
Mr. Snitchler. Senator, what we hear from the utilities
that we regulate is, often, that there is--they perceive a one-
way information street, and they provide information and don't
feel that they are getting a reasonable amount of information
in return. By that, as already mentioned by other panelists,
some of the specific data that could be helpful to them.
There is also, I think, often times, the fear of disclosure
will result in practices that maybe impact one utility, as
opposed to all of them equally. So, there is a reluctance,
perhaps, to share granular detail that might be helpful.
Again, the anonymized information that was previously
referenced, I think, would be helpful for that, because then it
would ensure that we could have better disclosure of
information in both directions.
The critical component that we hear from utilities, without
exception, is the need for security and that information not to
find its way out into the public realm because of the potential
implications, both to them and to the utility system.
Senator Murkowski. Thank you. Thank you, Mr. Chairman.
The Chairman. Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman. Mr. Chairman, thank
you for holding this hearing. I think it is extremely timely,
in light of the leader's desire to bring cyber legislation to
the floor. I want to review with the 4 of you, essentially,
where things are, on a couple of key questions.
Now, as Chairman Bingaman noted, there are already rules in
place that include cyber threats to the electric grid, and
that, of course, was launched years ago. Now, this exercise
seems to have produced another division in what I call the
``growing cyber industrial complex.'' For years now, the
Federal Energy Regulatory Commission and the North American
Electric Reliability Corporation, private companies, and lots
of lawyers have shuffled paper back and forth, grants have been
dispensed by the Department of Energy, and this has produced a
product that has left few satisfied.
So, let me start with you, Mr. McClelland, in terms of some
of the concerns that would be helpful to have addressed this
morning. Do you believe that because the standards don't
require a physical separation, between the energy company
networks that run the business operations and the critical
infrastructure--the substations and the transmission--that
despite all of this paper shuffling, this shortcoming is still
a significant factor in making the electric grid vulnerable to
attack?
Mr. McClelland. I will answer that and then maybe add a
little to it, is that one of the CIP standards, CIP 5, requires
an Electronic Security Perimeter around a critical cyber asset.
Only critical cyber assets, which are self-designated by the
entity that is captured by the standard, are covered by the
standards themselves. So, if an entity decides it has critical
cyber assets, then it designates an Electronic Security
Perimeter around those assets. If the business systems are
connected to the critical cyber asset, via the SCADA systems,
or whatever the control systems are, then those business
systems, theoretically, fall within that Electronic Security
Perimeter.
So, if they are interconnected, if they work together, if
they can't be separated, the assumption I would have is that
they would be within--they would both be included within that
ESP and physically protected.
Senator Wyden. But the bottom line is, the networks don't
have to be separate, is that correct?
Mr. McClelland. That is correct.
Senator Wyden. OK. The second question I would like to ask
of you is, that, for purposes of the legislation that is being
considered for the floor of the Senate here before August, some
companies are asking, that for purposes of this bill, they
should be legally protected--legally protected through
indemnification provisions when they report vulnerabilities in
any cyber network.
Now, it is my understanding that, with respect to the 2005
law, there is no such legal protection; is that correct? If so,
is the absence of that kind of legal protection or
indemnification processes--has that caused any problem in your
view?
Mr. McClelland. Under the cyber standards or any of the
reliability standards, one of the considerations under the
violation severity level is whether or not an entity self-
reports its problem. That is taking into consideration, as far
as the enforcement provision, the penalties, how willing they
are to admit that they have a problem, what the mitigation plan
looks like, how timely they could be. So, self-reporting is an
important aspect, as far as mitigation of the enforcement
aspects, even under the existing network or the framework.
Senator Wyden. But the question is, Are there
indemnification procedures now? My understanding is there are
not.
Mr. McClelland. Right.
Senator Wyden. Is the absence of these provisions causing
any problem? The reason I am asking is because this is going to
be a big issue in the discussion, is whether or not there ought
to be these indemnification processes when companies come
forward and report problems. What I would like to know is, if
there are any problems today, as a result of the lack of
reporting requirements. Could you answer that?
Mr. McClelland. I guess I would answer it by saying that,
the self-reporting requirements--you know, the enforcement
provisions under the existing standards are important, and if
it is not a standard that compels action, then it is not
something that you can assure happens.
You know, information exchange, alerts, advisories,
essential actions can be helpful. But, at the end of the day,
if there is no enforcement provision, it--there is no teeth
behind these issues.
Senator Wyden. I will try one more time. Do you think----
[Laughter.]
Senator Wyden. Do you think indemnification procedures are
needed for purposes of this bill that is going to be considered
for the floor before August, yes or no?
Mr. McClelland. I am just not prepared to comment on that.
I'm sorry.
Senator Wyden. OK. Thank you, Mr. Chairman.
The Chairman. Senator Franken.
Senator Franken. Yes, Mr. McClelland, do you think--no, I'm
not good at that----
[Laughter.]
Senator Franken. But this question is for you, and for
anyone who wants to pick up on it. Deploying a smart grid is
crucial for integrating distributed and renewable energy
resources, but a 2011 GAO report noted that, while FERC has
authority to adopt smart grid standards, it does not have any
specific enforcement authority to implement these.
What are your recommendations for ensuring that standards
are properly developed and enforced? Is this issue adequately
addressed in any of the cyber security bills before the Senate?
Mr. McClelland. The GAO did find--they did echo FERC's
finding from its policy statement on smart grid, that it lacked
enforcement authority under the EISA that was passed by
Congress. So, we do not have enforcement authority, even if we
find that cybersecurity standards, as recommended by NIST,
achieve sufficient consensus.
The Commission's authority, however, does lie under 215.
So, pursuant to that authority, the Commission has been an
active participant in NIST's SGIP and Cybersecurity Working
Group. Our staff attends those meetings. They are regular
participants. They bring that information then back to the NERC
215 process when they actively engage in the standards
development teams under the cybsersecurity standards. In fact,
the Commission most recently, in approving version 4, even
reminded NERC that it needs to consider those NIST provisions
and incorporate those NIST provisions, as appropriate, in
version 5 of the standards.
So, I can't speak to the pending legislation. I'm sorry,
Senator. I'm just not current with it. But I can say that the
Commission is actively engaged in the NIST process, is actively
working to incorporate the relevant aspects of that NIST
process into the NERC standards.
Senator Wyden. Mr. Wilshusen----
Mr. Wilshusen. Yes----
Senator Wyden. You helped prepare this report, so do you
have any comment?
Mr. Wilshusen. Right. I would just add that what Mr.
McClelland is referring to with section 215 is their ability to
enforce mandatory standards established by NERC over the bulk
power system. But under the Energy Independence and Security
Act, which deals primarily with the implementation of smart
grid technologies, much of those technologies are implemented
and deployed at the distribution level, which is more under the
purview of the State regulatory commissions and others.
I believe FERC does not have the enforcement capability at
that level, under EISA or----
Senator Wyden. Mr. Snitchler, that is fine with you?
Mr. Snitchler. Senator, we----
Senator Wyden. From what I am hearing?
Mr. Snitchler. Correct. We think we have got an adequate
handle. Ohio has approached the smart grid deployment than
other States--each of us has approached it in a different
fashion--where we have rolled it out in a series of pilot
projects with one utility that is now moving toward full
deployment, others who are further behind the curve, but are
moving forward. We have been able to work closely with those
utilities to make sure that they are operating in a way that
gives us a level of comfort, that they have a sufficient amount
of security going forward.
We actually have had a couple of open dockets at the
Commission, in an effort to determine where companies are at,
what steps are being taken. But, like other State commissions,
it is sometimes a challenge to have our utilities come in and
disclose the weaknesses in their system. So, the issue of
confidentiality, again, rears its head, even at the State
level, as we try to protect that information and prevent it
from becoming part of the public domain.
Senator Wyden. Taiwan, Singapore, China, South Korea are
among the largest manufacturers of semi-conductors and
microprocessors for these smart devices.
There are concerns that if a cyber criminal gained access
to such devices, especially during a manufacturing process,
they could covertly insert code in the devices to impair its
function.
For any of you, are we testing these purchased devices to
mitigate potential vulnerabilities?
Mr. Wilshusen. I guess I will take that question first. IT
supply chain has been a key vulnerability into systems and the
critical infrastructures of this Nation. We issued a report
earlier this year that dealt with IT supply chain and dealt
specifically with some of the microprocessing chips.
We looked at several agencies, including DHS, Energy,
Department of Defense. To a large extent, we found that the
procedures for reviewing the vulnerabilities on IT supply
chains and the types of equipment that are being acquired,
agencies really have not established effective mechanisms to
adequately address that vulnerability.
To some extent, it needs to be done at the national level,
because the risks are more national in scope. The
administration has recently developed an IT supply chain
strategy. We are in the process of looking at that strategy as
part of our ongoing work.
Senator Wyden. My time is up. Does anyone have another
comment? I saw Mr. McClelland be nodding.
Mr. McClelland. I would only add that, you know, hardware
is one component. Any time there is two-way electronic
communication, there is a chance for compromise, and there are
some very sophisticated entities out there that employ various
mechanisms, including hardware compromise, to accomplish that
task. So, it is a critical aspect of network security.
Senator Wyden. OK. Thank you, gentlemen.
Mr. Chairman, thank you.
The Chairman. Mr. McClelland, you mentioned this problem of
electromagnetic pulse events. I gather our former Congressman
and Speaker, Newt Gingrich, had a op-ed in the ``Washington
Post'' this last week, where he argued that we need to pass
legislation to protect against electromagnetic pulse events,
and you seem to say the same thing in your testimony as I read
it.
Is there anything being done, just at the current time, to
deal with this problem?
Mr. McClelland. The Commission recently held a technical
conference on this very subject. It invited NERC and industry
experts, and it compared the Commission's report through the
Oak Ridge National Laboratory, to the NERC report. It asked for
comments and sought consensus.
So, the Commission does have the industry's comments. We
are reviewing what can be done, where there is areas of
agreement and disagreement. But one thing that was encouraging
from the conference is that we thought we heard, regardless of
the scale of destruction or damage to the equipment itself,
there would be a widespread grid collapse, and everyone agrees
that that must be prevented.
So, coordinated studies need to be done among the entities.
There are, likely, standards that need to be passed, not
necessarily NERC standards, but industry standards, to prevent,
you know, damage to vulnerable equipment. There is a subset of
critical and vulnerable equipment that should be protected--no
regrets actions that should be pursued to protect the public
against this issue.
The Chairman. I guess one obvious question is, What kind of
timeframe are we talking about here? I have the distinct
impression we may be studying this issue while the electric
grid collapses. What is your understanding of the timeframe to
get something done?
Mr. McClelland. The Commission is moving through completion
of reviewing those comments, and under existing authority, it
can address the geomagnetic disturbance issue through
reliability standards. So, the Commission is now informing
itself from the NERC study, from the Oak Ridge study, and from
the public comments, and it is moving to review its options
under its existing authority to address the issue.
The Chairman. So, does that mean this year something is
going to be done?
Mr. McClelland. I'm sorry, I just can't speak to the timing
of Commission action.
The Chairman. Whenever people talk about, ``We're moving to
review our options,'' that doesn't sound like anything imminent
to me.
Mr. Cauley, did you have a point of view on this issue?
What is NERC doing to solve this problem of the threat from
electromagnetic pulse attacks?
Mr. Cauley. Thank you, Mr. Chairman.
We issued a report in February, which put the engineering
and science behind the characteristics of what kind of failures
and things we might see, and we have initiated a number of
actions. We issued an alert to industry. We have been working
with NASA and NOAA in terms of enhancing the alert system, so
we can let industry know if there is an issue impact coming,
and that we can put the system in a more conservative position
to withstand an event.
We are also working with EPRI, Electric Power Research
Institute, in terms of locating monitors on--Earth current
monitors, as well as equipment monitors, so we can understand
and see the behavior of the impacts and know what we need to do
to address that.
This is a long-term effort. I realize that we could have
impacts near-term, but really there is a lot to learn and
develop. We are also looking at doing testing on transformers,
in terms of inducing Earth-type simulated currents in them and
seeing how they behave and how they react.
So, there is a lot of working on them on multiple fronts.
We are not waiting for standards. We are actually moving on the
engineering and the modeling and the operational----
The Chairman. When you say you issued an advisory--or an
alert, I guess--what did you refer to it as, an advisory or an
alert?
Mr. Cauley. It was a NERC alert, yes.
The Chairman. An alert. Was that a set of directions to
utilities to take particular action, or was this just basically
saying, ``Here's a problem''?
Mr. Cauley. This one was informative, sir, so it gave
actions that could be taken if there was a impact full storm
that was going to come toward the Earth, actions that would be
recommended to be taken. But it was not issued as a required
set of actions.
The Chairman. So, no required actions have been----
Mr. Cauley. Not in this particular----
The Chairman. Recommended----
Mr. Cauley. That is correct.
The Chairman. At this or put forward?
Senator Murkowski, did you have other questions?
Senator Murkowski. This is more of a general question to
all of you. I think Mr. Wilshusen, you mentioned that, perhaps,
standards should not be spelled out too specifically or
utilities kind of get in this compliance mode of trying to meet
the standards, instead of safeguarding the systems.
We want to push everybody to be one step ahead of the guys
that are trying to disassemble things, and so, we don't want to
get them focused on just checking the boxes off; we need them
to be thinking ahead every single day. This whole issue of
flexibility within a system, as opposed to a prescriptive set
of standards concerns me. My concern is that the legislation
that is being considered right now, not the secure IT, but what
is coming out of Homeland, is a more prescriptive approach.
Can I ask each of you to speak just to that issue, as to
the need for flexibility in this area that allows us to be a
little more nimble, rather than just complying with a set of
standards?
We'll just go from you, Mr. McClelland, on down.
Mr. McClelland. Thank you, Senator.
I agree. I think all of the panelists would, too, that the
individual entities have to have the latitude to have the
directive, but not be so prescriptive as to tie them into any
singular response.
On the other hand, though, someone needs to make certain
that the Mitigation Act is effective. Back to that question
about Aurora, you know, it's not enough just to collect survey
data; it is important to verify the mitigation. So, I agree; I
think the standard needs to compel action, but provide the
latitude that the individual entities might need to address the
issue on their systems.
Mr. Wilshusen. Yes, definitely, I think standards need to
be flexible. They should not be overly prescriptive, because
you want them to stand the test of time. You don't want to
necessarily change your standard every time there is a new
threat or a new technology that emerges that presents
additional vulnerabilities.
As a parallel, in the Federal Government, NIST issues
Federal information processing standards, which are mandatory
requirements. In addition, though, it has issued lower levels
of guidance, usually through special publications and
guidelines that provide increasingly more detailed actions that
can be taken to secure systems in cybersecurity. But they are
more prescriptive, and they are at a greater level of detail
than the actual Government-wide standards. This greater level
of detail is needed to effectively secure systems.
So, it is good NIST had that flexibility and multiple
layers of guidance--standards, guidelines, and instructions, if
you will, to provide to organizations to secure their systems.
Senator Murkowski. Mr. Cauley.
Mr. Cauley. Senator Murkowski, I agree, as well. The most
effective standards will be based on risk controls, setting up
systems to catch issues that need to be identified, not on a
prescriptive, line-by-line, rule-based-type standards. We are
adopting those risk controls in the version 5 standards. We are
looking at the NIST model. We have extracted from their set of
standards, the ones that we think would work in the power
system, and we are flushing those out within those standards.
There is an added factor within--in the security arena, is
that you really want to incent people to report issues. Because
part of the intelligence is finding out what are the bad guys
doing and what information are we finding, and lots of little
pieces mean something when you roll it all up together.
So, if we are going in with a checklist style of
compliance, it is not going to be helpful that. We want people
reporting information, actively. I think we are on the right
track for that.
Senator Murkowski. Mr. Snitchler.
Mr. Snitchler. Senator, at the risk of saying, me, too, I
would agree with the comments made by the prior panelists. I
think the flexibility that you have suggested, necessarily,
moves into that resiliency that can be developed by the
multiple utilities that we regulate, taking a different
approach to achieve to same objective. That diversity of
approach to solving a problem also potentially has the ability
to keep an entire system from being knocked down, because,
instead of targeting one set of security concerns, you are
looking at more than one set and ways that that problem may
have been solved, and has the ability to require far more
effort on the part of those that will do ill-will to the
electric grid or to those who may be seeking to try and damage
the country.
I think, also, by moving away from a prescriptive, check-
the-box, as you describe it, list is helpful, and that we are
then charging the utilities that we regulate with being as far
as they can, one step ahead of, in evaluating all the threats,
whatever they may be.
I know that I have been to at least one utility in Ohio's
command center where they are doing just that and have retained
security folks to deal with those issues, in an effort to
ensure that they are viewing all the potential sources of entry
and all the potential manners in which they can respond and
block those out, at various levels within their system.
Senator Murkowski. Thank you, Mr. Chairman.
The Chairman. Senator Udall.
Senator Udall. Thank you, Mr. Chairman.
Good morning to all of you. Thanks for joining us on this
important topic.
Mr. McClelland, if I could, I will start with you. This may
be a tangent--a slight tangent, more accurately. I don't know
if any of the witnesses have addressed work force issues in
their written testimonies, but I realize one of NERC's
standards refers to personnel training requirements.
I am curious whether you believe we have the right people
with the right training in place at FERC, at NERC, at the
utilities, or elsewhere, to develop and implement the standards
to keep the grid secure and respond to threats and
vulnerabilities.
Do you think we would be more secure with additional and
better training to cyber warriors?
Mr. McClelland. I would say, yes. We do have--the
Commission is fortunate to have--it is a small staff, but it is
a very talented staff that we have mostly drawn from other
agencies, and they have spent their entire careers in
cybsersecurity. I think NERC is also gifted with some of the
employees that they have in place. But these folks are as
scarce as hen's teeth, and it is difficult to find them. In
many cases, we steal them from each other.
That said, we have been able to--and I know NERC has also
taken advantage of this. We have leveraged the intel agencies
with some of the best, probably--well, undoubtedly, the best
skill sets in the world. So, we leverage those intel agencies
to help us understand what the issues are and to address the
threats. But, certainly, more and well-trained cybersecurity
people are something that we all need.
Senator Udall. Others on the panel, care to comment?
Mr. Cauley.
Mr. Cauley. Gerry Cauley, NERC. I believe that is an
opportunity for us, and I think we do need to expand and grow
our work force in terms of capabilities. It is another example
of an opportunity to partner between Government and industry.
There is a training program at the Pacific Northwest Lab, and
we have been running as many industry folks as we can through
that. It is a very good, week-long program. It is very intense.
But, we need more of that.
Mr. Wilshusen. I would----
Senator Udall. Mr. Wilshusen.
Mr. Wilshusen. Yes, thank you. I would just add that, not
only just within NERC and FERC, but throughout the Federal
Government. We have issued a report earlier this year, too,
about human capital challenges within the Federal Government,
securing Federal systems. Indeed, that is an area that is a
prime consideration and concern.
Mr. Snitchler. Good morning, Senator.
Senator Udall. Mr. Snitchler.
Mr. Snitchler. One of the issues that we have found,
anecdotally, in talking with our utilities in Ohio, is that
they have actively recruited from within the military, and have
had good success with folks who are used to dealing with top
secret clearance and higher on issues that involve issues of
this nature at the utility. They have found that to be helpful.
That being said, they are also at a premium, and it is very
difficult to find sufficient staff. I would agree with the
prior comments about this being an opportunity for specific
work force development that has long-term implications for the
country.
Senator Udall. Mr. Wilshusen, let me turn to you for the
next question.
You talk about the difficulties in the industry of sharing
information on cybersecurity. Could you describe some ways that
you think the electricity industry could improve in this area?
Mr. Wilshusen. Yes, I think there are a couple of areas.
One would be to have a mechanism in place in which the industry
can collect actionable intelligence--or information about
security incidents and vulnerabilities that may be present
within the industry and then being able to share it with other
members, but after it is been anonymized.
Before you came, we talked about the need to anonymize
certain threat information, alert information, so as not to put
other companies in peril. Then, those companies may be more
willing to share information that they may have of any
incidents occurring at their organizations. So, that will be
one key area.
Another is, to receive information from Federal sources and
through NERC and FERC; particularly, getting additional
information through the intelligence community, through
Department of Homeland Security, on threats that are occurring
and vulnerabilities that are happening within those particular
industries.
Senator Udall. Let me follow that up. In Colorado, we have
the Western Cyber Exchange, which is a public-private
partnership, and it works on a regional geographic basis, both
on improving cybersecurity, and then on incident response.
Do you think regional cross-sector models like this are
something we could encourage and should encourage?
Mr. Wilshusen. I think they serve their place. You know,
regional would help. But many of the threats are international
in scope and come from other sources from which regional
utilities--or groups may not have that information. That is why
it is important at the Federal level, at least, threat
information, alert information from the intelligence community,
through DHS, be shared with those particular groups.
Senator Udall. Mr. Cauley or Mr. Snitchler, would you care
to comment on that question, as well?
Mr. Cauley. Yes, sir. We have the Information Sharing
Analysis Center, and what I think we are trying to create is
hubs of information connected to other hubs. So, ours is
focused on the power system in North America, but we are
connected to intelligence agencies, U.S.-served and other--the
NCICs, who are plugged into these other sources, and we share
information with our members in North America.
I think the one other thing that we could do better is to
have more access to clearances, and to create what I would call
``fusion centers,'' perhaps in cooperation with the FBI local
offices, regional offices, where we can quickly get very
detailed information at the classified level to people in
industry who can understand, at a very granular level, what is
the threat, and what actions should I take. That is an
opportunity for us to think about.
Mr. Snitchler. Senator, I think I would echo the comments
from the GAO, where actionable information that has been
sufficiently anonymized would be helpful, because the issue
that we often hear is the question of, If I provide
information, will this later be used against me? If it is,
obviously, they are reluctant to share that information.
Frankly, if we get into a situation where we have a better
way to exchange information, we can be implementing best
practices and avoiding each individual company's having to
uncover and discover the same problem and work their own
solution, but would then have, in effect, a clearinghouse of
known issues. Then, they could work to solve that with the
flexibility within the standard that may be required.
Senator Udall. Thank you all, again, for appearing and
discussing this very important topic.
Thank you, Mr. Chairman.
The Chairman. Senator Coons.
Senator Coons. Thank you, Chairman Bingaman.
Senator Bingaman, you have been beating the drum on this
issue for some time now, and I was happy to join you last year
in supporting the Grid Cyber Security Act.
I am grateful to you and to Senator Murkowski for convening
this panel into taking another look at where we stand and what
we and Congress have to do in order to raise the baseline for
cyber defense in this most important sector for the American
economy and the American people.
Since we met on this topic a year ago, cybersecurity has
become one of the most talked about challenges facing our
Nation. Everyone, from the Secretary of Defense, who has said
the next Pearl Harbor will be in cyberspace and is coming, to
individual business leaders, have warned that the Nation as a
whole faces a real threat, which Members of Congress need to
work together to address.
There is very few issues I lose more sleep about than our
cyber vulnerabilities, and when I speak to experts, they simply
cause me to lose even more sleep. So, I appreciate the
opportunity to reduce my sleep opportunities further today.
To Mr. Wilshusen of GAO; forgive me. Your written testimony
said that when the GAO looked at the security of utilities, you
concluded that, overall, they were focusing on regulatory
compliance, more than a comprehensive security. I think that's
a quote.
Can you elaborate about more--more on what about the
existing approach, in fact, leads to standards becoming a
ceiling, instead of a floor, for the level of cybersecurity,
and what we could do in terms of standard-setting and internal
partnerships that would strengthen an approach to comprehensive
security, rather than mere compliance?
Mr. Wilshusen. I think that one of the dangers when
organizations just focus on mere compliance is that they don't
take an overarching view and develop a comprehensive program
for assessing the risks and taking the appropriate steps to
assure that they cost-effectively address those risks and
mitigate them to an acceptable level.
I think it is still important, though, that you do have
standards or minimum baselines of security controls that can be
consistent across a wide group of similar organizations,
perhaps, an industry, taking into account that each entity may
have separate risks and controls in place to help mitigate
those risks.
So, it is going to be important that each agency have an
effective program for assessing the risk and then taking the
appropriate steps to implement the appropriate controls to
mitigate that. That would include, not only just assuring
compliance with standards, but also taking other actions as
determined necessary in the facts and circumstances.
Senator Coons. If there were to be standards that were
negotiated--that were agreed to between industry and regulatory
agencies, for an area like cyber, where the threat seems to be
rapidly evolving, how would you update, routinely, those
standards in a way that contributed to actual comprehensive
security; how would you do that in a way that balances the
economic impact, the cost, with promoting and achieving actual
security?
Mr. Wilshusen. I think one way is, first off, with the
standards. They need to be at a sufficiently high level to
where they are flexible enough to allow for movement in the
implementation of controls to address emerging threats and
vulnerabilities that occur.
So, it really gets back to each agency or organization
being able to determine what its risks are, and then take the
appropriate controls to mitigate them. At the same time, there
needs to be a level of standards, such as the CIP standards,
and probably have those evolve as going through the current
process, to address new technologies and vulnerabilities that
occur.
Senator Coons. Mr. Cauley, at NERC, you discussed that your
biggest concern is a coordinated, actual physical and cyber
attack, and that, perhaps, the combination of a terrorist
attack in the physical world, followed by an attack that then
takes down some critical infrastructure, such as the electric
grid. I happen to agree that a cyber attack of this kind would
be particularly dangerous. I would be interested in what sorts
of public-private partnerships NERC is engaging in to prepare
with or promote relationships with local and State responders
to help mitigate those threats, and I would interested in where
you hope to expand on those partnerships in the future.
Mr. Cauley. Thank you, Senator.
We do work closely with State and local agencies, in terms
of informing them what we are doing on the system and
vulnerabilities. One of the most concerns that we have is any
challenge that would do any permanent damage to equipment, so
we work closely with law enforcement, FBI, in terms of securing
the physical assets and investigating issues that come up with
breaches and entry into substations and equipment, things like
that.
So, I think there is an opportunity to continue working on
that and expand that, in terms of types of scenarios--of attack
scenarios we might see and run through drills and sort of
understand our communications: who has responsibilities; how do
we need to move personnel from point A to point B and move
equipment; and those kinds of things. So, it's still an
opportunity for us to continue working and developing.
Senator Coons. Broadly, how would you appraise the
capabilities and the preparedness of State and local first
responders, law enforcement, emergency management agencies, to
deal with this sort of a combined attack or the emerging
threats of cyber?
Mr. Cauley. I think we certainly see a lot of experience
and practice there that gives us some confidence--when we have
major storms come through, trees are down, and roads are
blocked. A lot of the capabilities that come into play during
an attack on the grid would be similar to those kinds of
things. So, in terms of securing people, moving people,
securing supplies, those kinds of things, I am confident in the
capability of the local and regional law enforcement and first
responders.
Senator Coons. Thank you.
Mr. Snitchler, at the utility, the PUCO that you are now a
chair of, I was heartened in your prepared testimony to hear
that you addressed the importance, not only of public-private
partnerships, but also Federal-State. I agree, since, in any of
the scenarios we have been discussing, it is likely to be State
and local responders who bear a lot of the responsibility, are
likely to be first on scene, or likely to be leading the
recovery effort.
Now, but on an issue like cyber that doesn't respect
traditional, internal political boundaries or planning
processes, how do you avoid wildly different standards that
lead to uncertain and unreliable security situations or
potentially to overinvestment in security that puts too much of
a burden, in terms of the operating costs of utilities?
Mr. Snitchler. Senator, I think you have hit on the--one of
the primary issues that we often face at the Commission, which
is, What is the appropriate cost and what can consumers and
businesses afford to pay, in order to have the safe, reliable
system that they have come to expect? Certainly, we try to
approach that, being mindful--as I put in my written
testimony--about protecting those critical assets, determining
what those are, those are your diamonds, and giving them the
appropriate level of protection, and then, having your--I hate
to use the term ``less valuable'', but those that perhaps are,
for example, a transformer on a street as opposed to a
substation that is going to power several city blocks. You
would treat those two differently. As a result, you would make
your investments in how you would want those to be treated
differently.
To move back to your first question, to address how do
you--I think what you are asking is how do you not end up with
a litany of ways for States to address these issues, when you
have one issue that may be a national security issue or an
attack on the country. I think you have to look at threats
versus vulnerabilities. I think where you have a threat that
has the ability to impact the entire country or a substantial
region, then, certainly, there is a definite need for Federal
involvement to be able to address those types of concerns.
Where you have got a more localized issue or a
vulnerability that could be exploited, then, certainly, there
is a role for State commissions--the utilities and the State
government, in general--to deal with those concerns. I think it
is a little bit fact-specific, depending on exactly what the
scenario you are describing is; but, certainly, it is not a
good idea to have 51 different ways for us to evaluate a
problem. But, I think if you break that problem down into a
threat versus vulnerability, and then categorize or prioritize,
you can arrive at a more comprehensive way of evaluating those
issues.
Senator Coons. Mr. Snitch, excuse me, Mr. McClelland, if I
might, for a last question.
I just would be interested in your level of confidence that
we have got the information sharing and the collaboration in
place to allow State and local operators to distinguish between
an unexpected outage, a rolling brownout, an equipment
malfunction, and something that, in fact, has originated as a
attack on the Nation, and then, to share relevant information
in real time.
Mr. McClelland. Thank you, Senator.
There is certainly room for improvement. I think the
important aspect is that the interconnections are very large;
there are multiple States within the interconnections. Because
it is a network, and a tightly integrated network, the actions
or inaction of any particular player can have a substantial
impact on the rest of the interconnection.
So, going back to your prior question, I think it is
important that the entities communicate, that minimum standards
be put into place. A minimum in security is a tricky business.
Now, you mentioned before about, you know, sort of, what
are the costs economically to put the standards in place or to
put these protocols in place. But the world moves on, and it is
a very small place. What we are seeing is, you know, folks from
around the world having access--or potential access to SCADA
systems. You can no longer live in isolation.
So, the question would be, What are the adequate security
provisions that an entity must have to protect its business,
and then, how do those practices compare with other practices?
Are we sharing lessons learned? Are we sharing relevant
intelligence? Is it actionable intelligence, so that folks can
see what is happening, they can learn from their neighbor, and
they can put the security in place, because the threats are
moving at lightning speed?
So, as with you, it does keep us up at night. It is
probably the most significant thing that we deal with. It
actually has a potential to become much worse, because, as we
add equipment that was previously dumb equipment and make it
smart equipment, and give it two-way communication, and then
give it the ability to speak with the largest generators on the
system or to have a nexus to the largest generators on the
equipment, then we have introduced a vulnerability. It would be
like on-line banking, without cybersecurity. You really don't
want to go there.
So, I think we are at a point now with the grid and the
changing grid and the cyber connectivity, where no one can live
in isolation. If there is connectivity, there is two-way
communication; there has to be some sort of minimum protocols
and there needs to be sufficient information sharing so that
everyone is able to move ahead with a threat.
Senator Coons. Thank you.
Thank you, Mr. Chairman. Thank you, to the panel.
The Chairman. Senator Murkowski, do you have additional
questions?
Senator Murkowski. I am done, Mr. Chairman. Thank you,
though.
The Chairman. Senator Udall, did you have additional
questions?
Senator Udall. Mr. Chairman, thank you for asking. If I
might. I think much of this could be done for the record, but I
wanted to ask Mr. Cauley what more can we at the Federal level
do to recruit, train, and motivate young people to operate and
defend our critical infrastructure, like the electric grid?
Mr. Cauley. Senator, you know, I think by its--by the very
attention and focus that we are putting on this, I think we are
creating sort of an attractive arena to go into, and I think,
you know, we are seeing that in some of the schools, as well.
But I think, ultimately, one of the other panelists
mentioned recruiting military and people from Government. I
think we have to recognize that the--sort of, the center of
universe intelligence and security state-of-the-art is in the
Government and in the military, and to the extent that it is
not just the hiring of the people, but to do training and
development programs and cooperative programs.
You know, I think information sharing and partnering
between Government and industry are the two most important
things we can do, and this is one area where we could do a lot
more, in terms of Government sharing practices, the art and
skill of security management. I think those kinds of things
would be very useful for industry.
Senator Udall. Mr. Snitchler, would you care to comment?
Mr. Snitchler. I would echo the comments from the other
panelists.
Ohio is blessed to have the Wright-Patterson Air Force Base
near Dayton, where we have a substantial military presence, of
course. As a result, we have a large number of military folks
who may be being discharged from the Service and who are able
to move into those positions. But, as I previously noted, even
with that, we still find that there is a shortage. These
skilled professionals, and they are exactly that, are in short
supply and in high demand, and companies are working very hard
to try and find them.
I think one of the other panelists said, we typically end
up raiding somebody else's cupboard to find someone to be able
to fit that need. That has been my experience in talking with
the utilities that we regulate is, that is often times where
they find them. I think a more concerted effort to demonstrate
that when you have completed your time of Service, if you want
to move into the private sector, these are some of the avenues
that you can pursue to have a long-term viable career, because
these issues are not going to go away. The skills that they
bring to the table make them immediately valuable to an
organization, and I think that has tremendous value.
Senator Udall. I would note, as I conclude, that I sit on
the Armed Services Committee. We are having some of these same
discussions with the Department of Defense, and they are also
concerned about recruiting young cyber warriors, if you will.
So, I think we have got to really focus on growing the pie,
growing the sense that this is an important career path and
work together, not only with the private sector and the public
civilian sector, but also the Department of Defense.
I look forward to working with all of you in that regard.
Thanks, again, for your testimony. It is very helpful.
Thanks.
The Chairman. Yes, thank you very much. I think it has been
a useful hearing.
We will conclude the hearing with that. Thank you.
[Whereupon, at 11:30 a.m. the hearing was adjourned.]
APPENDIX
Responses to Additional Questions
----------
Response of Gerry Cauley to Question From Senator Bingaman
NERC registered entities are required under the currently effective
NERC Critical Infrastructure Protection Standards (specifically
Standard No. CIP-007-3, Requirement 4) to have a malicious software
prevention program to protect critical assets supporting the electric
grid. The standard specifically requires a NERC registered entity to
``use anti-virus software and other malicious software (``malware'')
prevention tools'' (emphasis added) to ``detect, prevent, deter, and
mitigate the introduction, exposure, and propagation of malware.''
Due to the use of the term ``and'', the use of antivirus technology
in a registered entity's malware prevention program appears to be a
minimum requirement for[sic]. However, there are other technologies,
such as whitelisting, that are superior to antivirus in the protection
of these critical assets, but if antivirus is a minimum requirement,
this standard appears to present a roadblock to registered entities
using those newer, superior technologies in malware prevention.
Question 1. Please explain why registered entities should be at
risk for noncompliance and penalties for using a malware prevention
tool other than antivirus.
Answer. NERC has not processed violations for a case as described.
The focus during NERC audits is on assessing how the entities are
handling and mitigating the virus or cyber intrusion risk, and not
strictly on having both methods. NERC's focus is on securing virus and
malware no matter the tools.
Antivirus software is a well-understood protection method, but it
is only one method to detect, prevent, deter, and mitigate the
introduction, exposure and propagation of malware. CIP-007-3 R 4 allows
for and does not prevent the use of additional and alternative methods.
When used, antivirus technologies should be used in conjunction with
other methods, such as whitelisting, file integrity checking, and
computer and network behavior analysis.
Version 5 of the CIP Standards, currently being finalized, requires
that entities ``deploy method(s) to deter, detect, or prevent malicious
code'' and ``mitigate the threat of identified malicious code,'' thus
allowing flexibility by entities to implement the current anti-virus
and/or anti-malware paradigm, implement whitelisting, or choose any
other method so long as it meets the requirement to deter, detect,
prevent, and mitigate threats posed by malicious code.
Responses of Gerry Cauley to Questions From Senator Murkowski
Question 1. A few months ago the White House and the Department of
Homeland Security staged a mock scenario for Senators featuring a
cyber-attack on the grid in New York City. I was disappointed to learn
that neither FERC nor NERC was invited to participate in this exercise,
particularly since at no time during the briefing did the
Administration ever inform members that the utility sector is already
subject to mandatory cyber standards to protect the Bulk Power System
(BPS). Why was FERC not invited to participate in the Administration's
grid cyber-attack exercise? How does FERC interact with DHS in the
cyber arena currently? Is DHS aware of the cybersecurity standards
currently in place for the BPS?
Answer. NERC is unaware of the circumstances regarding why FERC was
not invited to the DHS exercise; NERC is also unaware of FERC's
interaction with DHS in the cyber arena. NERC was not invited to
participate in the White House/DHS/Senate briefings and thus could not
brief Members and staff on the action that Congress took in the Energy
Policy Act of 2005 to address mandatory standards for cybersecurity for
the BPS, and how that authority has been implemented.
DHS is aware that BPS owners and operators are subject to mandatory
cybersecurity standards. In November 2011, NERC hosted the first-ever
sector-specific distributed play security exercise, GridEx, which
involved NERC's mandatory cybersecurity standards. DHS personnel,
including representatives from the Industrial Control Systems Cyber
Emergency Response Team and the Office of Infrastructure Protection
(including the Electricity Sub-sector Specialists), helped plan and
execute GridEx, and participated in it.
In addition to awareness of NERC's standards, DHS is also aware of
Alerts issued by NERC's Electric Sector Information Sharing Advisory
Council (ES-ISAC). NERC and DHS agreed to have ES-ISAC employees staff
the National Cybersecurity and Communications Integration Center, where
the ES-ISAC has access to actionable intelligence, including classified
contextual information available to appropriately cleared staff within
the BPS community. NERC also provides anonymous situational awareness
to DHS analysts to supplement the information DHS received from the
intelligence community. This effort is crucial to improving the level
of threat awareness within the industry and improving information
sharing between government and industry.
As I mentioned in my testimony, NERC regularly interacts with DHS,
partnering on many efforts, including several industry task forces
working to improve security compliance and risk management.
Specifically, DHS participates in the NERC Critical Infrastructure
Protection Committee and the Electricity Sub-sector Coordinating
Council. Additionally, NERC has partnered with DHS for each Cyber Storm
exercise to educate federal partners on the BPS and industry's response
to security threats.
Question 2. Many of the hearing witnesses noted that you simply
cannot protect an entity from all potential cyber-attacks. Mr.
Snitchler from the Ohio PUC cautions that while you can try to ``gold-
plate'' or even ``platinum-plate'' a system, the critical
infrastructure we're trying to protect will become too expensive to
run. Instead, he suggests we prioritize, using a risk-based approach.
Please comment on the issue of cybersecurity costs and the suitability
of using a risk-based approach. Do you agree with Mr. Snitchler that we
should be protecting ``diamonds like diamonds'' and ``apples like
apples''? Is the current FERC/NERC process for addressing cyber
security vulnerabilities risk-based? If not, why not?
Answer. Since becoming President and CEO of NERC, I have
prioritized incorporating a risk based approach to reliability. We are
developing a strong portfolio of standards that address performance,
risk containment, and competency. We are applying a defense-in-depth
strategy that has proven successful in managing risks in critical
sectors, such as nuclear as well as the aerospace industry. I am fully
confident that this approach will work well in managing risks to the
reliability of the BPS.
The NERC CIP Standards have always approached cybersecurity
protection from a risk management basis. Version 4 of the CIP standards
(approved by FERC earlier in 2012) established a set of impact-based
``bright lines'' to remove subjectivity from the process of determining
what BPS components are deemed ``critical.'' Under this paradigm,
industry resources are focused on protecting the BPS components that
have the most impact on reliable operations.
Version 5 of the CIP Standards will have a three-tier approach for
the categorization of critical cyber assets. Under Version 5, industry
resources will still be focused on protecting the components with the
greatest potential to affect the BPS at the highest levels, while
recognizing that the remaining components still contribute to reliable
operations of the BPS, and thus must be appropriately protected.
Question 3. What are NERC's standard operating procedures once it
receives credible threat intelligence that may affect the bulk electric
system?
Answer. NERC's Electricity Sector Information Sharing and Analysis
Center (ES-ISAC) has developed different Alerts to inform industry
about emerging threats. Alerts are different from standards, and can be
developed and issued very quickly, depending on the urgency of the
situation.
Specifically, the ES-ISAC first reviews classified information with
industry subject matter experts (SME) who hold the appropriate level of
security clearances. As a part of the vetting process, a preliminary
saturation and impact assessment determines the relative significance a
compromise of the targeted technology would have on the BPS. Once NERC
and the industry SMEs determine how a compromise may occur and the
potential impact or significance of the compromise, ES-ISAC staff and
industry SMEs develop a draft Alert that contains specific, actionable
information that BPS entities can use to establish a defense against
the threat or help remediate an already existing impact.
This draft Alert, which should be no more sensitive than ``For
Official Use Only,'' is then distributed to a larger technical team of
BPS SMEs called the HYDRA Team. The HYDRA Team is a broad coalition of
industry volunteers with specialties in fields such as transmission,
generation, planning, operations, and cybersecurity of industrial
control systems. Typically, the vendor of the targeted technology is
also involved in the Alert review, as is the vulnerability researcher
who discovered the underlying vulnerability in the technology. Members
of the technical staffs of the DOE, DHS, and the FERC are also members
of the HYDRA Team. They receive draft Alerts and contribute to making
final Alerts valuable for the industry.
The finalized Alert is then sent to both US (including FERC) and
Canadian governmental authorities for their final review and comment.
Thereafter, the Director of the ES-ISAC/Chief Cyber Security Officer
approves the Alert for release to industry. When the Alert is
distributed, it not only goes to NERC's Registered Entities, but also
to other Electricity Sub-sector participants. Alerts may also be
targeted to groups of entities based on their NERC-registered functions
(e.g., Balancing Authorities, Planning Authorities, Generation Owners,
etc.). Using this process, NERC has issued an alert in as little as 32
hours after receiving classified information about a threat.
Question 4. On Thursday, July 19, 2012, FERC approved an order that
allows the ERO to fine the Southwestern Power Administration up to
$19,500 for violating two cybersecurity-related reliability standards
in July 2011. Please explain the nature of these cybersecurity
violations. I understand that DOE believes the federal government is
exempt from such penalties under the Federal Power Act. Please specify
for the Committee why the federal government is, in fact, subject to
compliance with the FERC/NERC reliability standards, including
cybersecurity standards.
Answer. The Southwestern Power Administration (SWPA) violated NERC
CIP-004-1 (Cyber Security--Personnel and Training) and CIP-007-1 (Cyber
Security--Systems Security Management). CIP-004-1 sets out requirements
for personnel that have authorized cyber access or authorized
unescorted physical access to Critical Cyber Assets, including
requirements related to personnel risk assessment, training, and
security (including cyber security). CIP-007-1 sets out requirements
related to security systems determined to be Critical Cyber Assets and
other assets within an ``Electronic Security Perimeter.''
Agencies and instrumentalities of the federal government that are
users, owners and operators of the bulk power system (such as the
Tennessee Valley Authority and the Bonneville Power Administration) are
subject to compliance with the FERC/NERC Reliability Standards,
including cybersecurity standards. DOE has recognized that such
entities are subject to the Reliability Standards, but it has taken the
position that neither FERC nor NERC may impose financial penalties on
those entities for violation of the standards.
By way of background, Section 215(c) of the Federal Power Act
(FPA), 16 U.S.C. Sec. 824o(c), authorizes FERC to certify and oversee
an electric reliability organization (ERO) responsible for developing
and enforcing mandatory Reliability Standards that are applicable to
all users, owners and operators of the Bulk-Power System (BPS). FERC
certified NERC as the ERO in 2006,\1\ and has since approved over one
hundred national Reliability Standards as mandatory and enforceable,
pursuant to FPA Section 215(d).
---------------------------------------------------------------------------
\1\ North American Electric Reliability Corp., 116 FERC Sec.
61,062, order on reh'g and compliance, 117 FERC Sec. 61,126 (2006),
order on compliance, 118 FERC Sec. 61,190, order on reh'g 119 FERC
Sec. 61,046 (2007), aff'd sub nom. Alcoa Inc. v. FERC, 564 F.3d 1342
(D.C. Cir. 2009).
---------------------------------------------------------------------------
FPA Section 215(b) (1), ``Jurisdiction and applicability,''
describes FERC's reliability jurisdiction as follows:
The Commission shall have jurisdiction . . . over . . . all
users, owners and operators of the bulk-power system, including
but not limited to the entities described in section 201(f) . .
. for purposes of approving reliability standards established
under this section and enforcing compliance with [FPA Section
215]. All users, owners and operators of the bulk-power system
shall comply with reliability standards that take effect under
this section.
Because they are described in FPA Section 201(f), agencies or
instrumentalities of the United States are expressly included within
the term ``users, owners, and operators of the bulk-power system'' in
Section 215 and made subject to FERC's jurisdiction to both approve and
enforce reliability standards. The requirement in FPA Section 215(b)(1)
that all users, owners and operators of the bulk-power system must
comply with reliability standards that take effect under Section 215
thus applies to Federal entities.
In orders issued since 2009, FERC has held consistently that a
federal entity that uses, owns or operates the Bulk-Power System must
comply with mandatory Reliability Standards.\2\ Most recently, in its
July 19, 2012 order, FERC found that Section 215 explicitly conveys
authority to assess a monetary penalty against a federal entity that is
a user, owner, or operator of the Bulk-Power System for violations of a
mandatory Reliability Standard.\3\ FERC rejected arguments that the
grant of enforcement authority under FPA Section 215 is limited by the
scope of the Commission's general civil penalty authority over federal
entities, as set out in FPA Section 316A, and instead found that the
separate grant of penalty authority over federal entities under FPA
Section 215 is ``explicit and unambiguous.'' FERC found that this
penalty authority under FPA Section 215(e) applies to both the ERO and
the Commission.
---------------------------------------------------------------------------
\2\ North American Electric Reliability Corp., 129 FERC Sec.
61,033 (2009) (2009 Jurisdictional Order), reh'g denied, 130 FERC Sec.
61,002 (2010); North American Electric Reliability Corp., 133 FERC
Sec. 61,214 (2010), reh'g denied, 137 FERC Sec. 61,044 (2011).
\3\ North American Electric Reliability Corporation, 140 FERC Sec.
61,048 (2012).
---------------------------------------------------------------------------
Response of Gerry Cauley to Question From Senator Barrasso
Question 1. In your testimony, you encourage Congress to
``facilitate information sharing between the public and private
sector.'' You recommend ``making more clearances available to industry,
identifying alternative methods to communicate classified information
to our Canadian partners, and encouraging increased information sharing
by US Government departments and agencies with asset-owners.'' Would
you please expand upon the steps Congress should take to facilitate
information sharing between the Federal government and industry?
Answer. The most important action that can be taken to address
cybersecurity is improving information sharing. Improved information
sharing depends on a fundamental understanding by government that the
private sector owners and operators of the BPS need to know as much as
possible about a threat, as soon as possible, so that they can take the
appropriate action. The owners and operators of the BPS know their
systems and the consequences that actions taken in one part of the BPS
may have for another part. They cannot merely be told that there is a
threat; they must be provided with sufficient information about the
threat so that proper mitigation measures can be developed. In NERC's
experience, this has been difficult for government security
professionals to understand. As I noted in the hearing, it took more
than three years to get actionable information from the government on
the Aurora vulnerability. Once that information became available in a
form that NERC could share with industry, NERC issued an Alert to
industry, and industry then began developing mitigation plans.
Any action Congress can take to make more secret-level clearances
available to the Electricity Sub-sector would assist in information
sharing efforts. Individuals from the Electricity Sub-sector should be
able to access and analyze classified information and share it among
other cleared partners. In addition, in the instance of a cyber attack,
these individuals should be assured that they have access to local
secure centers, such as fusion centers or local Federal Bureau of
Investigation offices.
Continued support for NERC's existing cybersecurity efforts,
including NERC standards and the Electricity Sector Information Sharing
and Analysis Center (ES-ISAC), the Electric Sector Coordinating Council
and NERC's grid security exercise and conference, which provide forums
for improving information concerning cybersecurity among the public and
private sector, is appreciated. NERC's ES-ISAC is one of the most
effective tools NERC has to inform industry about emerging
cybersecurity threats through Alerts. As I mentioned in my testimony,
the ES-ISAC partners with several industry and government organizations
to not only share critical cyber information, but to also develop these
Alerts.
Also, reflecting the international nature of the BPS, NERC is
responsible for ensuring the reliability of the BPS within the US and
Canada. Currently, NERC is unable to share sensitive information
regarding cyber threats or vulnerabilities with our Canadian partners.
We are aware that the government has mechanisms in place to facilitate
government-to-government information sharing at classified levels.
Further work needs to be done to facilitate information sharing with
industry officials in Canada, as well.
______
Responses of Joseph McClelland to Questions From Senator Bingaman
Question 1. You testify that the majority of the Directives that
FERC issued in Order No 706 have yet to be addressed. Could you
describe some of the most important of them?
Answer. First, the Commission directed NERC to develop a process of
external review and approval of critical asset lists in order to ensure
that the proper assets were consistently covered by the CIP standards
under a system that depends on the entities to self-designate their
equipment. In Order No. 761, the Commission stated that the adoption of
appropriate, bright line criteria for Critical Asset identification may
obviate the need for an external review. However, as stated in that
order, whether this development ultimately eliminates the need for an
external review process as directed in Order No. 706 will depend on the
discretion allowed to individual registered entities to self-identify
and characterize assets or systems for critical infrastructure
protection to support the nation's bulk-power system. It also will
depend on whether the bright line criteria generally include adequate
facilities. Second, Order No. 706 directed the ERO to require immediate
revocation of access privileges when an employee, contractor or vendor
no longer performs a function that requires physical or electronic
access to a critical cyber asset for any reason (including disciplinary
action, transfer, retirement, or termination).
Question 2. Some have argued that FERC has the authority to order
NERC to produce a fairly specific standard. Could you do so, and if you
did what would be the process then?
Answer. The Commission can direct NERC to develop a reliability
standard to address a specific reliability matter. However, the
Commission cannot ensure that the content of the standard returned to
it by NERC will adequately respond to the specific reliability matter
as the Commission may not directly author or modify a reliability
standard under section 215. Under section 215, reliability standards
must be developed by the ERO through an open, inclusive, and public
process. The NERC process is intended to develop consensus on both the
need for, and the substance of, the proposed standard. Although
inclusive, the process is relatively slow, open and unpredictable in
its responsiveness to the Commission's directives.
Responses of Joseph McClelland to Questions From Senator Murkowski
Question 1. A few months ago the White House and the Department of
Homeland Security staged a mock scenario for Senators featuring a
cyber-attack on the grid in New York City. I was disappointed to learn
that neither FERC nor NERC was invited to participate in this exercise,
particularly since at no time during the briefing did the
Administration ever inform members that the utility sector is already
subject to mandatory cyber standards to protect the Bulk Power System
(BPS). Why was FERC not invited to participate in the Administration's
grid cyber-attack exercise? How does FERC interact with DHS in the
cyber arena currently? Is DHS aware of the cybersecurity standards
currently in place for the BPS?
Answer. I do not know why the Commission was not involved in this
exercise. That question is best answered by those who organized the
exercise.
With respect to the Commission's interaction with DHS, Commission
staff works closely with the DHS both on an informal basis and through
formalized processes such as the Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT), the Cyber Unified Coordination
Group, and the National Protection and Programs Directorate at DHS.
Commission staff meets monthly with the Nuclear Regulatory Commission
(NRC), Federal Bureau of Investigation (FBI), and the Department of
Energy (DOE) at the Top Secret/ Sensitive Compartmented Information
level to discuss events and threats. Meetings with ICS-CERT are also
conducted as required to discuss imminent threats and events that could
impact the security of the electric grid. The meetings take place so
the ICS-CERT can provide guidance to entities on how to address these
issues.
Question 2. Many of the hearing witnesses noted that you simply
cannot protect an entity from all potential cyber-attacks. Mr.
Snitchler from the Ohio PUC cautions that while you can try to ``gold-
plate'' or even ``platinum-plate'' a system, the critical
infrastructure we're trying to protect will become too expensive to
run. Instead, he suggests we prioritize, using a risk-based approach.
Please comment on the issue of cybersecurity costs and the suitability
of using a risk-based approach. Do you agree with Mr. Snitchler that we
should be protecting ``diamonds like diamonds'' and ``apples like
apples''? Is the current FERC/NERC process for addressing cyber
security vulnerabilities-risk based? If not, why not?
Answer. In general, the use of a risk-based approach to identify
assets that are critical to the operation of the Bulk Power System can
be suitable. The cost of cyber protection must be considered against
both the effectiveness of the measures and the impact that the
facilities in-question can have on the reliability of the Bulk Power
System. However the designation of ``diamonds'' does not just depend
upon the size or expense of the equipment, but also depends upon the
connectivity of the equipment, whether it can be compromised and, in
turn, be used to compromise other equipment that may alone or in
aggregate successfully compromise the operation of the Bulk Power
System or the customers it serves.
The currently applicable CIP standards include a risk-based
methodology to determine which facilities are ``critical assets and the
associated critical cyber assets,'' and therefore are subject to the
requirements of the CIP reliability standards. However these standards
allow utilities significant discretion to determine which of their
facilities fit that description. The recently-approved Version 4 CIP
Reliability Standards, which will go into effect on April 1, 2014,
replace this risk-based assessment with ``bright line'' criteria.
Version 4 relies upon the affected entities to self-designate their
``Critical Cyber Assets''. Only facilities that are self-designated by
the regulated entities as ``Critical Cyber Assets'' are covered under
the CIP standards. In order to help guide their decisions, the CIP
standards identify categories of ``Critical Assets'' as a starting
point in the process. If the entities have any ``Critical Assets''
(i.e., such as generating stations at 1500 MW or above, reactive power
supplies at 1000 MVAR or above, transmission facilities at 500 kV or
above, etc.), they are then required to determine if they have any
``Critical Cyber Assets'' at these facilities and if they decide that
they do, those facilities will fall under the CIP standards. Entities
can only designate ``Critical Cyber Assets'' from the ``Critical
Asset'' list.
In Order No. 761, the Commission supported the application of the
tiered-approach in the National Institute of Standards and Technology
(NIST) Framework. That framework would, among other things, (1) ensure
that all Cyber Systems associated with the Bulk-Power System, based on
their function and impact, receive some level of protection; (2)
customize protection to the mission of the cyber systems subject to
protection; and (3) apply a tiered approach to security controls that
specifies the level of protection appropriate for systems based upon
their importance to the reliable operation of the Bulk-Power System.
The Commission stated that incorporating these applicable features of
the NIST Framework into the CIP Reliability Standards would be a
positive step in improving cyber security for the Bulk-Power System. In
addition to considering the NIST Framework, the Commission in Order No.
761 stated that the criteria adopted for the purpose of identifying
Critical Cyber Assets should include a cyber asset's ``connectivity''
and its potential to compromise the reliable operation of the Bulk-
Power System. Therefore, we expect Version 5 to address these issues.
NERC, in its comments to the CIP Version 4 proceeding, stated that it
is incorporating into the Version 5 CIP Reliability Standards the NIST
risk-based approach.
Question 3. We hear a lot about the potential benefits from smart
grid systems, including reduced rates and improved reliability.
However, we're starting to hear more about an unintended consequence
from smart grid systems--namely that the smart grid's reliance on IT
systems and networks exposes the electric grid to cybersecurity
vulnerabilities which could be exploited by attackers. In the 2007
energy bill, Congress directed NIST to develop smart grid
interoperability standards that FERC would later adopt. I understand
that while NIST has developed these standards, FERC has not yet taken
action because of a lack of consensus on the standards.
a. The 2009 stimulus bill provided over $4 billion in smart
grid funding before these NIST interoperability standards were
even developed. In fact, the stimulus bill provided $10 million
in funding for NIST to perform the standard development work.
What cybersecurity protections were included in the smart grid
assets purchased with stimulus money? Doesn't it cost more to
implement security after the network is already up and running?
Answer. I do not know what cyber security protections were included
in any assets purchased with the stimulus money, since this program was
administered by the Department of Energy. Generally, it costs more and
may be less effective to implement security after a network is
installed.
b. GAO has previously suggested that FERC monitor industry
compliance with NIST's voluntary smart grid standards. Has the
Commission done so? If not, why not? What is FERC doing in the
smart grid arena with regard to cybersecurity standards?
Answer. The Commission has not monitored compliance with NIST's
voluntary smart grid standards. Much of the smart grid involves
facilities used in local distribution, which are not under the
Commission's Federal Power Act (FPA) jurisdiction. However, Commission
staff attends and observes meetings of the NIST Cyber Security Working
Group, Smart Grid Task Force, and participates in a collaborative with
the National Association of Regulatory Utility Commissioners concerning
the smart grid. Commission staff also regularly performs outreach to
NIST and the Smart Grid Interoperability Panel and is following the
development of smart grid standards. Commission staff also monitors
developments of the North American Synchrophasor Initiative (NASPI)
relative to applicable cyber security standards. Lastly, pursuant to
its FPA 215 responsibilities Commission staff attend and participate in
the NERC standards development process--including the CIP standards.
Commission staff offers guidance that can include information relevant
to the smart grid.
Question 4. You testified that because FERC's Federal Power Act
authority does not extend to local distribution facilities there may be
some ``significant facilities [that are] vulnerable to the threat of a
cyber or physical attack.'' Mr. Snitchler's testimony included a
snapshot of state actions, including those undertaken in New York, that
demonstrate a proactive stance on cyber security. Are there particular
cities or local facilities where FERC is concerned no action has been
taken by your state counterparts to protect their distribution system
from cyber incursions?
Answer. I cannot identify specific cities or local facilities where
no action has been taken by the states but am aware of the types of
risks which such facilities might be facing.
Question 5. Throughout your testimony you note your frustration
with the time it takes for NERC and its stakeholder process to develop
these cybersecurity standards. However, NERC filed its enhanced
Critical Cyber Asset Identification Standard (CIP-002 version 4) with
the Commission in February 2011 and it took FERC a full 14 months to
approve that revision. Why is it taking so long for the Commission to
act on such filings and what can the Commission do by way of
improvement?
Answer. In general, the Commission could shorten the time to
process the NERC filings using an Order versus a Notice of Proposed
Rulemaking (NOPR). The NOPR process requires the Commission to propose
Commission action on the standard. The Commission must then solicit
comments on the NOPR and issue a Final Rule on the proposed standard.
Although longer, the NOPR process allows for open communication between
the Commission and the commenters including opportunities for meetings
between Commission members and individual stakeholders and industry
interest groups on the Commission's proposed dispositions. Because the
Commission may not directly author or modify a reliability standard
under section 215, the NOPR process is the most effective way to detail
the Commission's concerns regarding a proposed reliability standard
before issuing a final rule regarding that standard. In Order No. 693,
the Commission stated that it anticipates that it will address most, if
not all, new Reliability Standards proposed by NERC through the more
open rulemaking process which has been strongly preferred by industry.
Additionally, the CIP cyber security standards are extremely technical
and it takes both the Commission time to appropriately analyze them and
the industry time to prepare its comments to the Commission proposed
rule. These procedures, which ensure the Commission has a sufficient
record on which to act on the technical aspects of the cyber security
standards, take time to implement.
Specifically with respect to the Version 4 standards, on February
10, 2011, NERC filed a petition seeking Commission approval of the
Version 4 CIP Reliability Standards. On April 12, 2011, Commission
staff issued a data request to NERC in order to receive supplemental
information necessary to understand the filing because the filing
lacked information necessary for the Commission to process them. On
April 13, 2011, NERC requested an extension of time to respond to a
portion of the Commission's April 12, 2011 data request. The Commission
granted this request, and NERC provided the information on May 27, 2011
and June 30, 2011. The Commission issued the Notice of Proposed
Rulemaking September 15, 2011 and allowed 60 days from publication in
the Federal Register for the industry to comment, or November 21, 2011.
The Commission then issued the final rule on April 19, 2012, 150 days
later, after reviewing comments from 28 entities and reply comments
from NERC.
Question 6. The electricity sector has told us that what it needs
in the event of a cybersecurity emergency is timely, specific, and
actionable information. Does FERC agree? What do the words ``timely,
specific and actionable'' mean to FERC?
Answer. I agree with this statement. I believe that ``timely,
specific and actionable'' means that, to prevent a significant risk of
disruption to the grid, the information should allow mitigating action
to be taken before a cyber security event. Because cyber events have
the ability to compromise multiple systems simultaneously, both
prevention and quick intervention are keys. Sufficient and accurate
information about both the vulnerability and the targeted systems must
be available to develop specific details regarding how to defend,
mitigate, or eradicate a cyber attack as quickly as possible, which may
require pre-emptive mandatory actions in order to be effective.
Specific and actionable means that the information must be detailed in
a manner for the owner/operators to be able to quickly apply the
mitigations to the equipment allowing for prevention or mitigation of a
cyber attack.
Question 7. On Thursday, July 19, 2012, FERC approved an order that
allows the ERO to fine the Southwestern Power Administration up to
$19,500 for violating two cybersecurity-related reliability standards
in July 2011. Please explain the nature of these cybersecurity
violations. I understand that DOE believes the federal government is
exempt from such penalties under the Federal Power Act. Please specify
for the Committee why the federal government is, in fact, subject to
compliance with the FERC/NERC reliability standards, including
cybersecurity standards.
Answer. That order is subject to rehearing, so I cannot comment at
this time on the issues presented in the proceeding. For your
convenience, attached is the Commission's order in that proceeding.
Responses of Joseph McClelland to Questions From Senator Barrasso
In your testimony, you state that ``[t]he Commission is committed
to protecting the reliability of the nation's bulk electric system.''
However, I am concerned that the Commission, under Chairman
Wellinghoff, has downplayed the cumulative impact of EPA's new and
proposed regulations on electric reliability. On May 17, 2011, Senator
Murkowski sent a letter to Chairman Wellinghoff inquiring about the
impact of EPA's regulations on reliability. Commissioner Norris has
testified that he had three conversations last year with Heather
Zichal, Deputy Assistant to the President for Energy and Climate Change
Policy, ``regarding FERC staff's review of EPA regulations.''
Commissioner Norris testified that Ms. Zichal contacted him on two
occasions--in late June or July of 2011--``for information on the
timing of the FERC studies on the reliability impact of the pending EPA
Rules and the timing of FERC responses to Sen. Murkowski's questions to
the Commissioners.'' Notably, Chairman Wellinghoff and Commissioners
Norris and LaFleur did not respond to Senator Murkowski until August 1,
2011--more than two months after receiving the Senator's letter. In
their response, the Chairman and Commissioners Norris and LaFleur
revealed that your staff had--after almost one year--completed only an
``informal assessment'' of the impact of EPA's regulations on
reliability. Your staff's analysis found that as much as 41 GW of coal-
fired generating capacity was ``very likely'' to retire, with another
40 GW ``likely'' to retire, on account of EPA's regulations. On
September 14, 2011, Chairman Wellinghoff testified before the House
Subcommittee on Energy and Power and characterized your staff's
analysis as ``back-of-the-envelope.'' However, your staff's analysis,
as far as I can tell, is turning out to be a reasonably accurate
prediction of the retirements. I am concerned that it took an inquiry
from this Committee to bring your staff's analysis to light. I am also
concerned about the timing of that analysis.
Question 1. Have you or any member of your staff had any direct or
indirect contacts or exchanges, in person, by telephone, electronic
mail, or otherwise (e.g., together with or in the company of the
Chairman or any Commissioner(s)), with Ms. Zichal or anyone in the
Executive Office of the President (EOP) about the potential impact of
EPA's regulations on electric reliability or on any other subject
(e.g., the ``informal assessment'' as Chairman Wellinghoff used the
term in his correspondence with Senator Murkowski, or ``FERC staff's
review'' or ``FERC studies'' as Commissioner Norris used the terms in
his testimony)? If so, please list the dates the contacts or exchanges
took place and provide the names and titles of the individuals involved
in these contacts or exchanges.
Answer. To the best of my knowledge, neither I nor my staff has had
any direct or indirect contacts with Ms. Zichal or anyone in the
Executive Office of the President on these issues, except as noted in
the Chairman's response to Senator Murkowski's May 17, 2011 letter.
Question 2. What was the purpose and the subject matter of the
contact(s) or exchange(s) you have identified in question 1?
Question 3. Have you or any member of your staff advised or
provided any information to the Chairman or any of the Commissioners in
connection with any contact or exchange (to include, as in question 1
above, in person, by telephone, electronic mail, or otherwise) that the
Chairman or any Commissioner may have had with Ms. Zichal or others in
the EOP? If so, (a) what was the purpose and the subject matter of the
advice or information you or your staff gave to the Chairman or
Commissioner(s) in connection with contacts or exchanges with Ms.
Zichal or others in the EOP; and (b) please list the dates the contacts
or exchanges took place and provide the names and titles of the
individuals involved in these contacts or exchanges.
Answer. No
______
Response of Todd A. Snitchler to Question From Senator Bingaman
Question 1. Mr. Wilshusen has recommended that FERC coordinate with
the states and other nonjurisdictional entities (such as Coops or
munis) to evaluate the extent to which utilities are complying with
voluntary standards and to develop strategies for addressing gaps in
compliance. Does that sound like a recommendation that you would
welcome? Would it work, given the splits in jurisdiction, differences
in state laws and regulations and the fact that many entities are
jurisdictional neither at the state or federal level?
Answer. Recognition must be given that voluntary standards are,
indeed, voluntary. By requiring utilities to develop strategies for
addressing ``gaps in compliance'', these ``voluntary'' standards then
become ones which are mandatory. I do not believe we are all (FERC,
states, utilities) in agreement with respect to mandatory standards or
which standards, if any, ought to be mandatory. However, I believe that
there could be benefits to having increased coordination between the
states, non-jurisdictional entities, jurisdictional utilities, and the
federal government in addition to the existing FPA Sec. 215 process. A
collective meeting of the parties would be useful in sorting out and
resolving these issues.
Response of Todd A. Snitchler to Question From Senator Murkowski
Question 1. You note that the Ohio PUC has worked closely with the
Wright Patterson Air Force Base. What can you tell us about your
state's efforts in working with the military?
Answer. The Public Utilities Commission of Ohio has met with Wright
Patterson Air Force Base (WPAFB) representatives on a variety of topics
and issues over the years. Our staff addressed WPAFB representatives on
energy assurance issues back in 2009. At that time, the PUCO encouraged
WPAFB personnel to engage in meaningful discussions with their local
electric utility regarding the specific needs and concerns for base
operations, enhanced reliability requirements, and mitigating threats
to these enhanced reliability requirements (including generation/
supply, distribution/delivery, and system security--physical as well as
cyber). Also at that time, the PUCO offered to facilitate those
discussions, but was assured that appropriate base personnel would work
directly with the appropriate utility personnel on these issues.
Subsequently, the PUCO extended an invitation to WPAFB representatives
to participate in Ohio's Energy Assurance tabletop exercise conducted
in June 2011; a major component of the event featured a cybersecurity
panel discussion with representatives from: the U.S. Department of
Energy's Cybersecurity for Energy Delivery Systems (CEDS) program; the
Supervisory Special Agents for the Cyber Squads in the Cincinnati and
Cleveland Divisions of the U.S. Federal Bureau of Investigation; a
Cyber Security Advisor from the U.S. Department of Homeland Security's
National Cyber Security Division; the two Protective Security Advisors
from the U.S. Department of Homeland Security's Office of
Infrastructure Protection which serve the State of Ohio; and Ohio's
Homeland Security Advisor. Additionally, the PUCO met with
representatives from the electric utility serving WPAFB as early as
2009 to discuss the utility's cybersecurity program and posture.
The PUCO also was instrumental in working with the U.S. Air Force
at WPAFB to eliminate our nation's, and especially our military's,
dependence on foreign oil. Research into synthetic fuel from domestic
coal, shale, biomass, and other sources using the Fischer-Tropsch
process in order to reduce our dependence on foreign oil and achieve
greater price stability has resulted in the creation of the Assured
Aerospace Fuels Research Facility (AAFRF). This lab was created to
perform essential research and development of these coal-to liquid,
biomass-to-liquid, and shale-to-liquid synthetic fuel technologies. It
serves as an excellent research tool for professional researchers from
government, academia, and industry as well as training grounds for
creating skilled operators, technicians, and researchers for future
commercial facilities.
Responses of Todd A. Snitchler to Questions From Senator Barrasso
Question 1. In your testimony, you state that ``one-size solutions
for cybersecurity may not be the most effective means to mitigate and
reduce known vulnerabilities.'' Would you expand upon your comments for
the Committee?
Answer. Broad-based principles regarding good cybersecurity
practices may be more appropriate for utility applications. Industrial
Control Systems (ICS) and Supervisory Control And Data Acquisition
Systems (SCADA) tend to be very specialized equipment monitoring and
controlling extremely complex networks. What may be considered a best-
practices approach for one control system may not function as a best-
practices approach for a different control system. The existing
differences in approaching cybersecurity utilized by the utilities and
also the RTOs actually has a positive effect in that an attack on one
utility's system will not necessarily bring down all systems because
each has its own method of ensuring their cybersecurity. By allowing
disparate approaches to solving the cybersecurity issue, while
establishing the broad based, best practices, we potentially strengthen
defenses against attacks to the grid.
Question 2. In your testimony, you state that ``smart grid
[technology] fundamentally makes the electric system more secure.''
However, you also say that ``this technology brings with it new
vulnerabilities. . .which should be taken extremely seriously.'' Would
you expand upon the vulnerabilities that smart grid technology brings
to our electric grid?
Answer. The ``Smart Grid'' too often is defined as being synonymous
with ``smart meters'' or advanced metering infrastructure (AMI). Other
important portions of the Smart Grid often overlooked include
synchrophasors, protective relays, reclosers, and substation
automation, among others. These components improve fault-detection
capabilities and enable self-healing of the electricity grid. Taken as
a whole, these technologies do make the electric system more secure and
more reliable. The additional vulnerabilities are introduced by
converting previously one-directional flows of power and information to
become bi-directional. As additional points of data collection and
gathering are introduced, so, too, are there additional points where
hackers or other non-native data sources may introduce false
information feeds into the network in an attempt to cause disruptions
or system actions undesirable to the system operators. Finally, each
new potential access point creates a remote source of entry to the
system. It is essential to security protocols that proper backstopping
from those potential entry points ensure that remote access is denied
and the system is able to lock out or compartmentalize the access
points to ensure that access, if secured, can be isolated and prevent
substantial harm to the system.
Question 3. In your testimony, you explain that state regulators
and industry ``are unable to provide the. . .protection necessary to
help secure our nation's critical infrastructure if the relevant
Federal agencies do not provide actionable information to address
imminent threats.'' You go on to say that ``asset owners who provide
information about their systems to Federal agencies in the spirit of
cooperation. . .never receive truly meaningful, actionable, timely
information in return.''
a. Do you know why the Federal government is not sharing this
information with state regulators and industry?
Answer. An often-cited answer is lack of security clearances in
order to share specific threat information with state regulators or
industry. This is understandable for specific threat information.
Present practice provides monthly or intermittent threat briefings to
the electricity sector, yet such threat information is often too stale
or so non-specific as to be un-actionable. Surely an opportunity exists
to provide more timely or actionable information without disclosing
classified information. Addressing this fundamental problem would be a
tremendous help to state regulators and, I expect, to the electricity
industry. For instance, in the case of the ``Aurora'' situation, the
federal government and its regulators in essence told the electric
utility sector, ``we have a secret problem on our hands and we can't
tell you what it is. . . .now go fix it.'' In this specific case, the
government knew of a vulnerability (they created it in a lab), and
wanted that vulnerability addressed yet would not or could not disclose
that information at that time. There must be a way for the federal
government to provide such actionable intelligence in a timely manner
so that those that need to take action know what action to take before
the vulnerability becomes a threat and a threat becomes a tragedy.
b. Do state regulators and industry lack the security
clearances necessary to obtain this information?
Answer. A lack of security clearances by regulators and utilities
often is cited as the primary impediment to sharing of information by
the federal government. However, granting additional regulatory
authority to FERC or another federal agency does nothing to change that
fact. Therefore, it would appear that it might be worth some time
devising a means for the federal government to share relevant,
actionable, and timely information with state regulators and utilities
without divulging the methods or sources by which that information has
been obtained. Additionally, the federal agencies responsible for
providing security clearances should establish a consultative process
with those in the electricity sector (state government and industry) to
identify to whom or to which positions within the industry and/or state
government ought to be provided an opportunity to gain the necessary
clearance and at what level. The agencies should then be instructed to
establish a procedure to thoroughly review and process these requests.
In order to secure timely transfer of information, select members of
state commissions and/or utilities should be considered for security
approval and permitted access to information critical to maintenance
and protection of the grid.
Question 4. In your testimony, you state that ``our utilities can
provide a `gold-plated' or even a `platinum-plated' system which is
ultra-cyber secure.'' However, you go on to ask ``how much more do we
want a kilowatt hour of electricity to cost?'' Would you discuss the
potential impact of new cyber security investments on ratepayers?
Answer. It is difficult to assess a financial cost of cybersecurity
investments imposed by a federal regulatory agency not yet granted the
authority to order such investments. It also is difficult to ascertain
what cybersecurity requirements might be imposed by such a scheme. Yet,
nothing is too expensive for one who doesn't have to pay the bill.
My point is this: there are risks these businesses must manage
everyday in running their utility systems. Cybersecurity is one more of
those risks that must be managed. There is a definite role for the
federal and state governments to assist these critical infrastructures
in securing their networks. But, as stated above, a best-practices
approach for one utility, when applied to another utility, may not have
the same positive impact on that second utility's cybersecurity
posture. In other words, what may be prudent and necessary
cybersecurity infrastructure expenditures for a utility system in
Washington, DC, which houses much of our federal government, may not be
appropriate in Houston, Texas, which houses petroleum refining. And
neither of the appropriate cybersecurity expenditures in those two
instances may be prudent to a utility serving Pleasantville, Ohio. The
opportunity exists for the federal and state governments to ensure
appropriate cost recovery for necessary cybersecurity remediations or
enhancements. Undoubtedly, these utility control systems must become
more secure and resilient; but most beneficial would be federal
guidance to the electricity sector and state regulatory bodies that
would assist us in determining how to best direct scarce resources in
the most cost-effective appropriate fashion to be directed against the
most imminent threats and against the likely vulnerabilities to the
electricity sector.
In the end, we cannot, and we should not, expend resources on every
known vulnerability: it would just be too expensive. For instance, to
use the analogy of physical security, we could place 24-hour manned
guardhouses at the base of each major electric transmission tower in
order to prevent the vulnerability of a terrorist bringing down the
grid with the destruction of multiple towers in several key locations.
However this would be a very expensive solution for a low probability
vulnerability. We must address the cybersecurity threats and
vulnerabilities just as we address the physical security threats and
vulnerabilities to our nation's infrastructure.
Question 5. At what point do the costs and vulnerabilities
associated with smart grid technology outweigh the value for
ratepayers?
Answer. There is no simple answer to the question posed here. The
experience of power outages brought on by storm activity is
fundamentally no different than a cyber attack that may disable the
grid. A cost-benefit analysis must be performed--either explicitly or
implicitly--to ascertain if the costs associated with the risk are
worth the benefit achieved by implementation of the grid.
The self-healing ability of the smart grid, shorter outage times
and increased reliability are all substantial benefits as a result of
the use of the smart grid. Further, in restructured markets customers
have greater access to options to control their utility usage and
control their costs, as well as the increasingly varied pricing options
available are all dependent on the utilization of the smart grid tools.
______
Government Accountability Office,
Washington, DC, August 2, 2012.
Hon. Jeff Bingaman,
Chairman, Committee on Energy and Natural Resources, U.S. Senate.
Subject: Responses to Questions for the Record; Hearing on Status of
Action Taken to Ensure that the Electric Grid Is Protected from Cyber
Attacks
This letter responds to your July 26, 2012, request that we reply
to additional questions arising from the Committee's July 17, 2012,
hearing on the status of actions to protect the electricity grid from
cyber attacks. At the hearing, we discussed (1) cyber threats facing
cyber-reliant critical infrastructures, which include the electricity
grid, and (2) actions taken and challenges remaining to secure the grid
against cyber attacks.\1\ The enclosure provides our responses, which
are primarily based on previously issued products that were performed
in accordance with generally accepted government auditing standards.\2\
---------------------------------------------------------------------------
\1\ GAO, Cybersecurity: Challenges in Securing the Electricity
Grid, GAO-12-926T (Washington, D.C.: July 17, 2012).
\2\ Including: GAO-12-926T; Critical Infrastructure Protection:
Cybersecurity Guidance Is Available, but More Can Be Done to Promote
Its Use, GAO-12-92 (Washington, D.C.: Dec. 9, 2011); Electricity Grid
Modernization: Progress Being Made on Cybersecurity Guidelines, but Key
Challenges Remain to be Addressed, GAO-11-117 (Washington, D.C.: Jan.
12, 2011); Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, D.C.: Sept. 10, 2007); and Information Security: TVA
Needs to Address Weaknesses in Control Systems and Networks, GAO-08-526
(Washington, D.C.: May 21, 2008).
---------------------------------------------------------------------------
Should you or your office have any questions on the matters
discussed in this letter, please contact me at (202) 512-6244 or
[email protected] or David C. Trimble, Director, Natural Resources and
Environment, at (202) 512-3841 or [email protected].
Sincerely yours,
Gregory C. Wilshusen,
Director, Information Security Issues.
[Enclosure.]
Responses to Questions From Senator Bingaman
Question 1. You recommend that FERC develop an approach to
coordinate with state regulators and entities that are not subject to
state regulation to evaluate the extent to which utilities and
manufacturers are following voluntary standards, and to develop
strategies for addressing gaps in compliance with standards. What
encourages you to believe that efforts like this could be successful?
Answer. Electricity industry regulation is fragmented, with
oversight responsibility divided among various regulators at the
federal, state, and local levels. Such regulatory fragmentation can
make it difficult for individual regulators to develop an industry-wide
understanding of whether utilities and manufacturers are following
voluntary standards. This is due to the large number of regulators in
the industry-the Federal Energy Regulatory Commission (FERC),
electricity regulators in 50 states and the District of Columbia, and
regulators of thousands of cooperative and municipal utilities-and
their potentially limited visibility over parts of the grid outside
their jurisdiction. This complex reality of electricity regulation led
us to believe that a coordinated approach to monitoring whether
utilities and manufacturers follow voluntary standards would be more
successful than an approach in which one or more regulators attempted
such an assessment on its own. We are encouraged by the fact that FERC
has previously worked with state regulators and groups representing
entities not subject to state regulation on a range of issues. For
example, we reported that FERC and the state commissions had already
begun initial collaboration on smart grid and demand-response
issues,\3\ and these and other entities have also collaborated on other
topics, including issues related to Regional Transmission Organizations
and electric reliability and environmental regulations.
---------------------------------------------------------------------------
\3\ GAO-11-117.
---------------------------------------------------------------------------
Question 2. I think that you are primarily talking about the NIST
smart grid standards that FERC did not adopt because they did not find
sufficient consensus in the industry to do so. Do you believe that FERC
has the authority to adopt those standards without such consensus?
Answer. Section 1305(d) of the Energy Independence and Security Act
(EISA)\4\ provides that any time after the National Institute of
Standards and Technology's (NIST) work has led to sufficient consensus
in FERC's judgment, FERC shall institute a rulemaking proceeding to
adopt such standards and protocols as may be necessary to ensure smart-
grid functionality and interoperability. In July 2011, FERC declined to
institute a rulemaking procedure to adopt initial smart grid standards
identified as a part of the NIST efforts, finding that there was not
sufficient consensus to do so. EISA does not give FERC authority to
adopt the standards in the absence of a determination by FERC that
sufficient consensus has been achieved.
---------------------------------------------------------------------------
\4\ EISA Sec. 1305(d), Pub. L. No. 110-140, Sec. 1305(d), 121
Stat. 1492, 1788 (Dec. 19, 2007).
---------------------------------------------------------------------------
As noted in our testimony statement, smart grid standards
identified through the NIST-led process outlined under EISA are
voluntary unless regulators use other authorities to indirectly compel
utilities and manufacturers to follow them. In this regard, FERC's
authority over the rates, terms, and conditions of transmission and
wholesale sales in interstate commerce and its responsibility for
reliability standards for the bulk-power system may be relevant. For
instance, to the extent that smart grid interoperability and
cybersecurity standards are deemed necessary by FERC to ensure the
reliability of the bulk power system, these standards could be
considered through reliability-based authority provided under the
Federal Power Act.\5\ Under this authority, the North American Electric
Reliability Corporation (NERC) can develop standards to protect the
reliability of the bulk power system, or be requested by FERC to do so.
If approved, such standards would be considered mandatory and
enforceable by both NERC and FERC. However, the FERC Chairman has
described limitations on FERC's reliability jurisdiction in the context
of securing smart grid systems.\6\
---------------------------------------------------------------------------
\5\ See Sec. 215 of the Federal Power Act, 16 U.S.C. Sec. 824o.
\6\ Letters from the FERC Chairman to Chairman Inouye and Ranking
Member Cochran and to Chairman Rogers and Ranking Member Dicks on
actions taken in response to GAO-11-117 (Feb. 14, 2012).
---------------------------------------------------------------------------
Responses to Questions From Senator Murkowski
Question 1. Many of the hearing witnesses noted that you simply
cannot protect an entity from all potential cyber-attacks. Mr.
Snitchler from the Ohio PUC cautions that while you can try to ``gold-
plate'' or even ``platinum-plate'' a system, the critical
infrastructure we're trying to protect will become too expensive to
run. Instead, he suggests we prioritize, using a risk-based approach.
Please comment on the issue of cybersecurity costs and the suitability
of using a risk-based approach. Do you agree with Mr. Snitchler that we
should be protecting ``diamonds like diamonds'' and ``apples like
apples''?
Answer. We have reported on the importance of using a risk-based
approach for securing critical infrastructures, including control
systems.\7\ Risk management has received widespread support within and
outside government as a tool that can help set priorities on how to
protect critical infrastructures.\8\ Security controls identified
through a risk management process should be cost-effective and reduce
risk to an acceptable level. In making decisions about risks associated
with the electricity grid, other sectors' reliance on electricity
should be an important consideration.\9\ Due to these
interdependencies, the consequences of an attack on the electricity
grid could cascade across many sectors, impacting our national economy
and security and the health and well-being of citizens.
---------------------------------------------------------------------------
\7\ See GAO, Risk Management: Further Refinements Needed to Assess
Risks and Prioritize Protective Measures at Ports and Other Critical
Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005).
\8\ Risk is the probability that a particular threat-source will
exercise (accidentally trigger or intentionally exploit) a particular
information system vulnerability. Risk management is the process of
identifying risk, assessing risk, and taking steps to reduce risk to an
acceptable level.
\9\ Federal policy established 18 critical infrastructure sectors,
including the energy sector, which has two subsectors for oil and gas
and for electricity. Other sectors include: banking and finance;
chemical; commercial facilities; communications; critical
manufacturing; dams; defense industrial base; emergency services; food
and agriculture; government facilities; health care and public health;
information technology; national monuments and icons; nuclear reactors,
materials, and waste; postal and shipping; transportation systems; and
water.
---------------------------------------------------------------------------
In relation to the need for risk-based approaches, we testified
that, in May 2012, the Department of Energy released the Electricity
Subsector Cybersecurity Risk Management Process.\10\ The guideline is
intended to ensure that cybersecurity risks for the electric grid are
addressed at the organization, mission or business process, and
information-system levels. We have not evaluated this guide.
---------------------------------------------------------------------------
\10\ U.S. Department of Energy, Electricity Subsector Cybersecurity
Risk Management Process, DOE/OE-0003 (Washington, D.C.: May 2012).
---------------------------------------------------------------------------
Question 2. We hear a lot about the potential benefits from smart
grid systems, including reduced rates and improved reliability.
However, we're starting to hear more about an unintended consequence
from smart grid systems-namely that the smart grid's reliance on IT
systems and networks exposes the electric grid to cybersecurity
vulnerabilities which could be exploited by attackers. In the 2007
energy bill, Congress directed NIST to develop smart grid
interoperability standards that FERC would later adopt. I understand
that while NIST has developed these standards, FERC has not yet taken
action because of a lack of consensus on the standards.
The 2009 stimulus bill provided over $4 billion in smart grid
funding before these NIST interoperability standards were even
developed. In fact, the stimulus bill provided $10 million in funding
for NIST to perform the standard development work. What cybersecurity
protections were included in the smart grid assets purchased with
stimulus money? Doesn't it cost more to implement security after the
network is already up and running?
Answer. We have not conducted the work necessary to answer the
question regarding what cybersecurity protections were included in the
smart grid assets purchased with stimulus money. However, with respect
to the Smart Grid Investment Grant program that received additional
funds under the American Recovery and Reinvestment Act of 2009, the
Department of Energy Inspector General found that three of the five
cybersecurity plans (required to be submitted by grantees) that it
reviewed were incomplete, and did not always sufficiently describe
security controls and how they were implemented.\11\ While this finding
cannot be projected across all such grants, it indicates a risk that
grantors and grantees were not adequately considering security prior to
the issuance of grants.
---------------------------------------------------------------------------
\11\ U.S. Department of Energy, Office of the Inspector General,
Office of Audits and Inspections, Audit Report: The Department's
Management of the Smart Grid Investment Grant Program, OAS-RA-12-04
(Washington, D.C.: January 20, 2012).
---------------------------------------------------------------------------
Generally, implementing information security features after the
technology is operating is more difficult and more costly than is
designing and developing the technology with security in mind.
Responses to Questions From Senator Barrasso
Question 1. The President's stimulus bill provided about $3.5
billion for the Smart Grid Investment Grant program. In January of this
year, the Department of Energy's Inspector General issued a report
about this program. The Inspector General stated that DOE ``approved
cyber security plans for Smart Grid projects even though some of the
plans contained shortcomings.'' The Inspector General also stated that
DOE ``was so focused on quickly disbursing [stimulus] funds that it had
not ensured [its] personnel received adequate grants management
training.'' In the Department's rush to deploy smart grid technology,
has it compromised the security of our nation's electric grid?
Answer. We have not examined the cybersecurity aspects of the smart
grid technology deployed through DOE's Smart Grid Investment Grant
program and thus cannot comment on its impact to the security of the
nation's electric grid.
Question 2. Would you please estimate how much it will cost to
secure the smart grid systems that have been deployed as a result of
stimulus funding?
Answer. We have not conducted the work necessary to answer this
question.
Question 3. Who is likely to bear the costs identified in question
2? Will it be asset-owners? Will it be ratepayers? Will it be Federal
taxpayers?
Answer. As noted above, we have not conducted the work necessary to
estimate how much it will cost to secure smart grid systems deployed as
a result of stimulus funding. As noted in previous questions, some
federal taxpayer money is being spent on smart grid systems under the
Smart Grid Investment Grant Program. However, it is unlikely that
federal taxpayers would be responsible for the costs associated with
additional activities to secure these smart grid systems unless
additional funds were designated by Congress for that purpose.
In general, however, smart grid investments-like other electricity
investments made by utilities-may be paid for in one of a number of
ways. The costs of investments in electricity systems may be passed on
to ratepayers if they are approved by the relevant regulator according
to that regulator's standards for rate recovery. In cases where an
investment is not approved by the relevant regulator, the owners of the
asset may have to bear the cost of the investment.
�