[Senate Hearing 112-40]
[From the U.S. Government Publishing Office]

S. Hrg. 112-40

CYBER SECURITY
=======================================================================

HEARING
before the
COMMITTEE ON ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION

TO RECEIVE TESTIMONY ON A JOINT STAFF DISCUSSION DRAFT PERTAINING TO CYBER SECURITY OF THE BULK-POWER SYSTEM AND ELECTRIC INFRASTRUCTURE AND FOR OTHER PURPOSES

MAY 5, 2011

Printed for the use of the Committee on Energy and Natural Resources

U.S. GOVERNMENT PRINTING OFFICE
67-362 PDF
WASHINGTON: 2011

COMMITTEE ON ENERGY AND NATURAL RESOURCES

JEFF BINGAMAN, New Mexico, Chairman
RON WYDEN, Oregon
LISA MURKOWSKI, Alaska
TIM JOHNSON, South Dakota
RICHARD BURR, North Carolina
MARY L. LANDRIEU, Louisiana
JOHN BARRASSO, Wyoming
MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho
BERNARD SANDERS, Vermont
MIKE LEE, Utah
DEBBIE STABENOW, Michigan
RAND PAUL, Kentucky
MARK UDALL, Colorado
DANIEL COATS, Indiana
JEANNE SHAHEEN, New Hampshire
ROB PORTMAN, Ohio
AL FRANKEN, Minnesota
JOHN HOEVEN, North Dakota
JOE MANCHIN, III, West Virginia
BOB CORKER, Tennessee
CHRISTOPHER A. COONS, Delaware

Robert M. Simon, Staff Director
Sam E. Fowler, Chief Counsel
McKie Campbell, Republican Staff Director
Karen K. Billups, Republican Chief Counsel

C O N T E N T S

STATEMENTS

- Bingaman, Hon. Jeff, U.S. Senator From New Mexico
- Cauley, Gerry, President and Chief Executive Officer, North American Electric Reliability Corporation
- Hoffman, Patricia, Assistant Secretary, Office of Electricity Delivery and Energy Reliability, Department of Energy
- McClelland, Joseph, Director, Office of Electric Reliability, Federal Energy Regulatory Commission
- Murkowski, Hon. Lisa, U.S. Senator From Alaska
- Owens, David, Executive Vice President, Business Operations, Edison Electric Institute
- Tedeschi, William, Senior Scientist, Engineer, Sandia National Laboratories, Albuquerque, NM

APPENDIX

- Responses to additional questions

CYBER SECURITY
----------

THURSDAY, MAY 5, 2011

U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.

The committee met, pursuant to notice, at 9:37 a.m. in room SD-366, Dirksen Senate Office Building, Hon. Jeff Bingaman, chairman, presiding.

OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. SENATOR FROM NEW MEXICO

The Chairman. OK. Good morning. Thanks for coming today to this hearing. It's a hearing devoted to cyber security in the electric sector.

The safety of the North American power system is critical to the Nation's economy and to our security. Today that power system includes over 200,000 miles of high voltage transmission lines, thousands of generating facilities, millions of digital controls. Each year we upgrade and expand the system, adding more miles of transmission lines, new supply resources and control devices.

As we upgrade and expand the Nation's electric system we are also modernizing that system. Information technology and communication systems have come to play a significant role in ensuring the reliability and security of the electric sector. While modernization allows us to achieve a variety of important economic and environmental objectives, it also introduces new security concerns.
As this process unfolds, preserving and enhancing the cyber security of our electric infrastructure must be among our top priorities.

So, let me highlight 2 things. First, the electric sector is already subject to a set of mandatory and enforceable cyber security standards that are developed by industry stakeholders and approved by the Federal Energy Regulatory Commission. This fundamentally distinguishes the electric sector from virtually all other critical infrastructure sectors. However, I do not believe that the existing suite of reliability standards and the process for developing them is sufficient to defend electric infrastructure against deliberate cyber attacks and to address system vulnerabilities. The new authorities contemplated in the discussion draft that we've circulated fill these gaps in a way that will help to complement current cyber security standards.

The second point I wanted to make is that today it's almost 2 years since the day--since our cyber security hearing occurred in the 111th Congress. In fact, we are fortunate to welcome many of the same witnesses. The draft legislation we're discussing today is very similar to the legislation we discussed in 2009. It recognizes positive changes in the standards development and approval processes. However, in the time since our last hearing the security environment has also changed and certainly much more quickly. Cyber related threats can arise virtually anytime/anywhere and change without warning. For these reasons, there is no reason we should not delay in acting to enhance the cyber security of our electric system.

I note that this is not the only committee in the Senate working on cyber security issues. I welcome the opportunity to work closely with other committees to ensure that the product of this committee's efforts work seamlessly with the proposals coming out of other committee's work.

With that let me call on Senator Murkowski for her comments.

STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR FROM ALASKA

Senator Murkowski. Thank you, Mr. Chairman. Welcome to the witnesses this morning.

The 2007 Aurora experiment by the Department of Energy and the Idaho National Lab put us all on notice of dangers of a cyber attack. In that experiment researchers hacked into a replica power plant's control systems causing the generator to self destruct. Aurora showed us that large coordinated attacks could severely damage the Nation's electric infrastructure.

Since then there have been a growing number of cyber intrusions in government and critical infrastructure networks. Starting in November 2009, cyber attacks which were dubbed "Night Dragon" attacks, were launched against several global oil, energy and petrochemical companies. The attackers targeted highly sensitive proprietary and financing information on oil and gas fuel bids and operations. Then last year the Stuxnet worm demonstrated the complexity of what a potential cyber security attack could look like in this country.

I think we recognize that the danger that is posed to our Nation's electric infrastructure from a possible cyber attack is very clear. Congress must provide government agencies with the authority to respond to cyber security threats and their vulnerabilities and do so in a timely manner. At the same time it's critical to recognize the electric industry is currently the only critical infrastructure sector to have mandatory and enforceable cyber security standards in place. We must continue to encourage a public/private partnership to protect the Nation's critical infrastructure. To that end, we must ensure that the private sector has the information that it needs to respond to credible cyber threats and vulnerabilities. I think we recognize that it is industry that has the expertise in operating our Nation's complex utility systems.

The discussion draft legislation that we're considering can be part of a responsible solution.
The draft provides both FERC and DOE with needed tools to address today's known risks and weaknesses as well as future threats. We've also tried to respect the so-called section 215 process that was originally created in the 2005 Energy Policy Act. That Act passed an electric reliability organization, since designated as NERC, with developing mandatory, enforceable, reliability standards in partnership with industry stakeholders. I understand that section of the discussion draft may still need a little bit of work here. So I would look forward to hearing from our witnesses on that aspect of it this morning.

One area that we have not included in the draft legislation are the physical threats posed by electromagnetic pulses and geomagnetic storms. Based on the testimony that we receive today the committee will need to decide if we should address those issues within this legislation.

As the chairman has noted, this committee is just 1 of 7 committees that are examining the cyber issue. What we're considering today is an electricity sector piece. But it does appear that the administration and the leadership prefer a government wide, comprehensive approach to cyber security. Clearly cyber security involves a great many actors and a host of technical considerations. We'll work to report out our part of the cyber puzzle. Then if a comprehensive approach is decided on, certainly work with other committees and leadership in fitting our piece into the broader field.

I thank you again, Mr. Chairman, and look forward to the testimony from the witnesses.

The Chairman. Thank you very much.

We have 5 witnesses today. Let me just introduce them briefly. The Honorable Patricia Hoffman, who is the Assistant Secretary for the Office of Electricity Delivery and Energy in the Department of Energy. Thank you for being here. Mr. Joseph McClelland, who is the Director of the Office of Energy Projects with the Federal Energy Regulatory Commission. Thank you for being here. Mr. Gerry Cauley, who is President and Chief Executive Officer of the North American Electric Reliability Corporation. Thank you for being here. Mr. David Owens, the Executive Vice President for Business Operations with Edison Electric Institute. Thank you for being here. Finally, Mr. William Tedeschi, who is the Senior Scientist and Engineer with Sandia National Laboratory in Albuquerque.

Thank you all for coming. Why don't each of you take 5 or 6 minutes, tell us the main things you think we need to know about this subject? We will then have some questions.

Ms. Hoffman, please go right ahead.

STATEMENT OF PATRICIA HOFFMAN, ASSISTANT SECRETARY, OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, DEPARTMENT OF ENERGY

Ms. Hoffman. Good morning, Mr. Chairman and members of the committee. I'd like to extend my thanks to the chairman, the ranking member and the esteemed members of the committee for inviting me here today to discuss the cyber security issues facing the electric industry as well as the discussion draft legislation intended to strengthen the protection of the bulk power system and the electric infrastructure from cyber security threats.

Ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure, which other sectors depend upon for essential services. The Homeland Security Presidential Directive 7 designated the Department as the sector specific agency for the energy sector. My office works closely with the private sector, and State and Federal regulators to provide secure sharing of threat information, to identify and fund gaps in infrastructure research and testing, to conduct vulnerability assessments, and to encourage risk management strategies for critical energy infrastructure. Our office is building its capabilities to facilitate assistance to industry, and to conduct forensics and obtain situational awareness.
The Administration's cyberspace Policy Review underscores the need to strengthen the public/private partnerships in order to design more secure technologies as well as improve the resilience of critical government and industry systems and networks. Our office has long recognized that neither the government, nor the private sector, nor individual citizens can meet cyber security challenges alone. We must work together.

The Office of Electricity Delivery and Energy Reliability (OE) has launched several new initiatives to enhance cyber security in the energy sector. In coordination with the Department of Homeland Security and other Federal agencies, we have conducted several cyber threat information sharing workshops to analyze classified information to determine the impact to the sector and develop flexible mitigations specifically designed to work for the energy sector. In coordination with National Institute of Standards and Technologies and NERC, OE is leading a collaborative effort with representatives from across the public and private sectors to develop cyber security risk management guidelines.

Through competitive solicitations and partnerships with industry, academia and national laboratories, OE has supported the development of several advanced cyber security technologies that are now commercially available within the energy sector. Some examples include:

- A technology to secure serial communications for control systems.
- Software tool kits that provide auditing of SCADA security settings.
- Vulnerabilities assessments of 38 different SCADA systems, and a common cyber security vulnerabilities report to help utilities and vendors mitigate vulnerabilities found in many SCADA systems. We are currently in the process of updating this report and hope to have that released this summer.

The Senate discussion draft recognizes the important difference between cyber security vulnerabilities and the cyber security threat.
In addition, section 224F requires a comprehensive plan to identify emergency measures to protect the reliability of the electric power supply of national defense facilities. Pertinent to that, in July 2010 DOE and DOD signed a Memorandum of Understanding concerning cooperation and a strategic partnership to enhance energy security. This MOU will provide an opportunity to develop a comprehensive approach that reduces the impact of power loss to defense critical assets in considering both the mitigation and response measures to ensure vital defense capabilities are not disrupted.

Finally, the draft discussion does not address, a unique but sensitive cyber security information disclosure issue faced by the Federal Power Marketing Administrations that are subjected to both the Freedom of Information Act as well as mandatory reliability standards that are approved by FERC. This security vulnerability could be avoided if legislation was enacted that provided statutory protection of this information under Exemption Three of the Freedom of Information Act.

In conclusion, I would like to again thank this committee for its leadership in supporting the protection of the bulk power system and the critical electric infrastructure against cyber security threats. Recognizing the interdependencies between different sectors, it is important to have a comprehensive strategy for cyber security legislation. DOE looks forward to the continued dialog with this committee on this legislation.

I ask that my written statement be submitted for the record. I would be pleased to answer any questions this committee may have. Thank you.

[The prepared statement of Ms. Hoffman follows:]

Prepared Statement of Patricia Hoffman, Assistant Secretary, Office of Electricity Delivery and Energy Reliability, Department of Energy

Chairman Bingaman, Ranking Member Murkowski and members of the Committee, thank you for this opportunity to discuss the cyber security issues facing the electric industry, as well as proposed legislation intended to strengthen protection of the bulk power system and electric infrastructure from cyber security threats.

Title XIII of the Energy Independence and Security Act of 2007 (EISA) states, "It is the policy of the United States to support the modernization of the Nation's electricity transmission and distribution system to maintain a reliable and secure electricity infrastructure." The protection and resilience of critical national infrastructures is a shared responsibility of the private sector, government, communities, and individuals. As the complexity, scale, and interconnectedness of today's infrastructures have increased, it has changed the way services and products are delivered, as well as the traditional roles of owners, operators, regulators, vendors, and customers.

Ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure that other sectors depend upon to deliver essential services. Over the past two decades, the roles of electricity sector stakeholders have shifted: generation, transmission, and delivery functions have been separated into distinct markets; customers have become generators using distributed generation technologies; and vendors have assumed new responsibilities to provide advanced technologies and improve security. These changes have created new responsibilities for all stakeholders in ensuring the continued security and resilience of the electric power grid.
CYBER SECURITY ACTIVITIES AND ACCOMPLISHMENTS

For more than a decade, the Department of Energy's Office of Electricity Delivery and Energy Reliability (OE) has been substantively engaged with the private sector to secure the electric grid. In December 2003, the Homeland Security Presidential Directive 7 (HSPD-7) designated the Department as the sector-specific agency (SSA) for the energy sector responsible for collaborating with all federal agencies, state and local governments, and the private sector. As the SSA, OE, representing the Department, works closely with the private sector and state/Federal regulators to provide secure sharing of threat information, to collaborate with industry to identify and fund gaps in infrastructure research, development and testing efforts, to conduct vulnerability assessments of the sector, and to encourage risk management strategies for critical energy infrastructure.

The 2010 National Security Strategy underscores the need to strengthen public-private partnerships in order to design more secure technology that will better protect and improve the resilience of critical government and industry systems and networks. OE has long recognized that neither government, nor the private sector, nor individual citizens can meet cyber security challenges alone.

In 2006, OE facilitated the development of the Roadmap to Secure Control Systems in the Energy Sector to provide a detailed collaborative plan for improving cyber security in the energy sector and concrete steps to secure control systems used in the electricity and oil and natural gas sectors. The plan calls for a 10-year implementation timeline with a 5-year update scheduled for release in the summer of 2011. To implement the priorities in the Roadmap, the Energy Sector Control Systems Working Group was formed and comprised of cyber security and control systems experts from government, the electricity sector, and the oil and natural gas sector.
Since 2006, the Roadmap has provided a collaborative strategy for prioritizing cyber security needs and focusing actions under way throughout government and the private sector to ensure future energy system security. The Roadmap goals and strategy have also been fully integrated into the Energy Sector-Specific Plan.

Since the Roadmap was released, important progress has been made in improving cyber security in the energy sector. These improvements have benefited existing systems and are contributing to the secure design and integration of advanced systems that incorporate smart grid technologies. Through competitive solicitations and partnerships with industry, academia and national laboratories, OE has supported the development of several advanced cyber security technologies that are now commercially available within the energy sector:

- A technology to secure serial communications for control systems, based on the Secure Supervisory Control and Data Acquisition (SCADA) Communications Protocol developed by the Pacific Northwest National Laboratory. This technology is rapidly being adopted by utilities.
- Software toolkits, available for download from the vendor website, that let electric utilities audit the security settings of SCADA systems. The latest release addresses the Inter-Control Center Communications Protocol (ICCP), which is used for utility-to-utility communications.
- Monitoring modules that aggregate security events from a variety of data sources on the control system network and then correlate the security events to help utilities better detect cyber attacks.
- An Ethernet security gateway, based on an interoperable design developed by Sandia National Laboratories, that secures site-to-site Ethernet communications and protects private networks.
OE established the National SCADA Test Bed in 2003 to provide a national capability for cyber security experts to systematically evaluate the components of a functioning system for inherent vulnerabilities, develop mitigations, and test the effectiveness of various cyber security technologies. Major accomplishments include:

- Completed vulnerability assessments of 38 SCADA systems and provided mitigation recommendations. As a result, vendors have implemented many of the recommendations in "hardened" next-generation SCADA systems that are now commercially available and being deployed in the power grid. Utility groups have also formed partnerships to fund additional cyber security assessments at the test bed to address specific cyber security concerns.
- Provided advanced cyber security training for over 2300 representatives from over 200 utilities to demonstrate how to detect and respond to complex cyber attacks on SCADA systems.
- Developed the "Common Cyber Security Vulnerabilities Observed in Control System Assessments" report to help utilities and vendors mitigate vulnerabilities found in many SCADA systems. OE has also worked with the North American Electric Reliability Corporation (NERC) to develop the Top Ten Vulnerabilities of Control Systems and their Associated Mitigations report in 2006 and 2007.

OE is also working closely with academic and industry partners through the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG), which is a University led public-private research partnership supported by OE, Department of Homeland Security (DHS), and Industry for frontier research that supports resilient and secure smart grid systems. TCIPG leverages and expands upon previous research funded primarily by the National Science Foundation. TCIPG research focuses on building trusted energy delivery control systems from un-trusted components, and transitioning next-generation cyber security technologies to the energy sector.
As an example, TCIPG released the Network Access Policy Tool that is now being used by industry and asset owners to characterize the global effects of local firewall rules in control system architectures. The tool will help utilities better manage and maintain security on their highly-complex communications networks.

Just recently, OE launched several new initiatives to enhance cyber security in the energy sector. OE, in coordination with DHS and other Federal agencies, has conducted several cyber threat information sharing workshops to analyze classified information, determine the impact to the sector, and develop mitigations that were specifically designed to work in the sector. This cooperative process has proven to be more effective and accepted than dictating solutions to the sector.

OE, in coordination with the National Institute of Standards and Technology (NIST) and NERC, is leading a collaborative effort with representatives from across the public and private sectors to develop a cyber security risk management guideline. The objective of this effort is to provide a consistent, repeatable, and adaptable process for the electric sector, and enable organizations to proactively manage risk.

Ensuring the cyber security of a modern, digital electricity infrastructure is a key objective of national smart grid efforts. As a result, a number of key initiatives have been developed to ensure future system security and enable the energy sector to better design, build, and integrate smart grid technologies. OE has engaged in partnerships to perform these activities with key organizations including Federal Energy Regulatory Commission (FERC), the U.S. Department of Commerce, NIST, DHS, the Federal Communications Commission, the Department of Defense (DoD), the intelligence community, the White House Office of Science and Technology Policy, state public utility commissions, the National Association of Regulatory Utility Commissioners, NERC, the Open Smart Grid Subcommittee, Electric Power Research Institute (EPRI), and other energy sector organizations.

The American Recovery and Reinvestment Act of 2009 accelerated the development of smart grid technologies by investing in pilot projects, worker training, and large scale deployments. This public-private investment worth over $9.6 billion was dedicated to a nationwide plan to modernize the electric power grid, enhance the security of U.S. energy infrastructure, and promote reliable electricity delivery. The $4.5 billion in Recovery Act funds, managed by OE, was leveraged by $5.1 billion in funds from the private sector to support 132 Smart Grid Investment Grant and Smart Grid Demonstration Grant projects across the country. Each project awardee committed to implementing a cyber security plan that includes an evaluation of cyber risks and planned mitigations, cyber security criteria for device and vendor selection, and relevant standards or best practices the project will follow.

As called for in Section 1305 of EISA, OE is collaborating with NIST and other agencies and organizations to develop a framework and roadmap for interoperability standards that includes cyber security as a critical element. As part of this effort, NIST established the public-private Smart Grid Interoperability Panel, and within that, the 450-member Cyber Security Working Group (CSWG) to lead the development of cyber security requirements for the smart grid. After engaging members in numerous workshops and teleconferences and following two formal reviews, the CSWG released the first version of its "Cyber Security Guidelines for the Smart Grid".
The three-volume document details a strategy that includes smart grid use cases, a high-level smart grid risk assessment process, smart grid-specific security requirements, development of a security architecture, assessment of smart grid standards, and development of a conformity assessment program for requirements.

To address cyber security needs for smart grid technologies, OE partnered with leading utilities and EPRI to develop cyber security profiles for major smart grid applications--Advanced Metering Infrastructure, Third-Party Data Access, and Distribution Automation. These profiles provide vendor-neutral, actionable guidance to utilities, vendors and government entities on how to build cyber security into smart grid components in the development stage, and how to implement those safeguards when the components are integrated into the power grid. These documents support the NIST "Cyber Security Guidelines for the Smart Grid" NISTIR 7628. OE also co-chairs the NIST CSWG.

SENATE ENERGY AND NATURAL RESOURCES COMMITTEE PROPOSED LEGISLATION

The proposed bill includes provisions intended to strengthen the bulk power system and electric infrastructure by addressing cyber security vulnerabilities and protecting against cyber security threats by adding a new section to the Federal Power Act (FPA). While the Administration does not yet have a position on the bill, the Department offers the following observations.

To begin with, the proposed bill correctly identifies, defines, and distinguishes between a cyber security vulnerability and a cyber security threat. These are two related, but different concepts. Vulnerabilities need to be identified and addressed, while threats need to be protected against.
In that regard, references in the proposed bill to "protecting critical electric infrastructure from cyber security vulnerabilities" should be changed to "addressing critical electric infrastructure cyber security vulnerabilities."

In addition, Section 224(a)(1) defines critical electric infrastructure to include distribution assets that affect interstate commerce. This significantly expands FERC's jurisdiction for setting reliability standards beyond the bulk power system as provided in FPA section 215.

Also, Section 224(f) would require a comprehensive plan identifying emergency measures to protect the reliability of the electric power supply of national defense facilities located in Alaska, Hawaii, and Guam in the event of an imminent cyber security threat. Pertinent to that, in July 2010, DOE and DoD signed a memorandum of understanding (MOU) "Concerning Cooperation in a Strategic Partnership to Enhance Energy Security". The purpose of the MOU is to enhance national energy security and demonstrate Federal Government leadership in transitioning America to a low carbon economy. This MOU provides an opportunity to develop a comprehensive approach that reduces the impact of power loss to defense critical assets, considering both mitigation and response measures to ensure vital defense capabilities are not disrupted.

Finally, the legislation does not yet address a unique, sensitive cyber security information disclosure problem faced by Federal Power Marketing Administrations subject to both the Freedom of Information Act and mandatory reliability standards enacted under Section 215 of the Federal Power Act. This sensitive information, developed under the mandatory reliability standards, appears not to be protected from public disclosure under the Freedom of Information Act.
This security vulnerability could be avoided if legislation providing statutory protection for this information were enacted that qualified under Exemption 3 of the Freedom of Information Act.

CONCLUSION

In conclusion, I would like to again thank this Committee for its leadership in supporting the protection of the bulk power system and critical electric infrastructure against cyber security threats. Recognizing the interdependencies between different sectors, it is important to have a comprehensive strategy for cyber security legislation. DOE would be happy to work with the Committee on this legislation. I would be pleased to address any questions the Committee might have.

The Chairman. Thank you very much. Everyone's statement will be included in the record as if read, including the one that you've prepared.

So, Mr. McClelland, go right ahead.

STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION

Mr. McClelland. Mr. Chairman and members of the committee, thank you for the privilege to appear before you today to discuss the security of the power grid. My name is Joe McClelland and I am the Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. I am here today as a Commission Staff Witness and my remarks do not necessarily represent the views of the Commission or any individual commissioner.

In the Energy Policy Act of 2005 Congress entrusted the Commission with a major new responsibility, to oversee a mandatory, enforceable reliability and cyber security standards for the Nation's bulk power system. This authority is in section 215 of the Federal Power Act. It is important to note that FERC's authority under section 215 is limited to, "the bulk power system," which excludes Alaska and Hawaii, transmission facilities in certain large cities such as New York, as well as all local distribution systems.
Under section 215, FERC cannot author or modify reliability or cyber security standards but must depend upon an electric reliability organization, or ERO, to perform this task. The Commission selected the North American Electric Reliability Corporation, or NERC, as the ERO. The ERO develops and proposes cyber security standards or modifications for the Commission's review, which it can either approve or remand. If the Commission approves the proposed cyber security standard, it becomes mandatory and enforceable in the United States for all users, owners and operators of the bulk power system. If the Commission remands a proposed standard, it is sent back to the ERO for further consideration. Pursuant to its responsibility to oversee the reliability and cyber security of the power grid, in January 2008 FERC approved eight cyber security standards, known as the Critical Infrastructure Protection or CIP standards, but also directed NERC to make significant modifications to these standards. Compliance with these eight standards first became mandatory on July 1st, 2010. Although NERC has filed and the Commission has approved some modifications to the CIP standards, the majority of the Commission's directed modifications to these standards have not yet been addressed by NERC. It is not clear how long it will take for the CIP standards to be modified to eliminate some of the significant gaps in protection within them. On a related note, as smart grid technology is added to the bulk power system, greater cyber security protections will be required, given that this technology provides more access points, thereby increasing the grid's vulnerabilities. The CIP standards will apply to some but not most of the smart grid applications. Moreover, there are non-cyber threats that also pose national security concerns.
Naturally occurring events or physical attacks against the power grid can cause equal or greater disruption than cyber attacks, and the Federal Government should have no less ability to protect against them. One example is electromagnetic pulse, or EMP. An EMP event could seriously degrade or shut down a large part of the electric power grid. In addition to manmade attacks, EMP events are also naturally generated, caused by solar flares and storms disrupting the Earth's magnetic field. Such events are inevitable, can be powerful and can also cause significant and prolonged disruptions to the power grid. In fact, FERC, DHS and DOE recently completed a joint EMP study conducted through the Oak Ridge National Laboratory. The study evaluated both manmade and naturally occurring EMP events to determine their effects on the power system and to identify protective mitigation measures that could be installed. Included among its findings was that, without effective mitigation, if the solar storm of 1921, which is considered a one in one hundred year event, were to occur today, over 300 bulk power system transformers could be damaged or destroyed, thereby interrupting power to 130 million people for 10 years. Although section 215 of the Federal Power Act can provide an adequate statutory foundation for the development of routine reliability standards for the bulk power system, the threat of cyber attacks or other intentional, malicious acts against the grid is different. These are threats that can endanger national security that may be posed by criminal organizations, terrorist groups, foreign nations or others intent on attacking the United States through its electric grid. A widespread disruption of electric service can quickly undermine our government, our military, our economy, as well as endanger the health and safety of our citizens.
Given the national security dimensions to this threat there may be a need to act quickly, to act in a manner where action is mandatory rather than voluntary and to protect certain information from public disclosure. The Commission's legal authority is inadequate for such action. New legislation should address several key concerns. First, FERC should be permitted to take direct action before a cyber or physical national security incident has occurred. Second, FERC should be allowed to maintain the appropriate confidentiality of security sensitive information. Third, the limitations on the term ``bulk power system'' should be understood, as our current jurisdiction under 215 does not apply to Alaska and Hawaii as well as some transmission facilities and all local distribution facilities. Fourth, entities should be able to recover costs they incurred to mitigate the vulnerabilities and threats. Finally, legislation on national security threats to reliability should cover not only cyber security threats but also natural events and intentional, non-cyber, malicious acts including threats from an EMP. The cyber security discussion draft addresses many of these issues. Thank you for your attention today. I look forward to any questions that you might have.

[The prepared statement of Mr. McClelland follows:]

Prepared Statement of Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission

Mr. Chairman and Members of the Committee: Thank you for this opportunity to appear before you to discuss the security of the electric grid. My name is Joseph McClelland. I am the Director of the Office of Electric Reliability (OER) of the Federal Energy Regulatory Commission (FERC or Commission). The Commission's role with respect to reliability is to help protect and improve the reliability of the Nation's bulk power system through effective regulatory oversight as established in the Energy Policy Act of 2005.
I am here today as a Commission staff witness and my remarks do not necessarily represent the views of the Commission or any individual Commissioner. My testimony summarizes the Commission's oversight of the reliability of the electric grid under section 215 of the Federal Power Act (FPA) and the Commission's implementation of that authority with respect to cyber security primarily through Order No. 706. I also will describe some of the current limitations in Federal authority to protect the grid against physical and cyber security threats, and also comment on the cyber security discussion draft. The Commission currently does not have sufficient authority to require effective protection of the grid against cyber or physical attacks. If adequate protection is to be provided, legislation is needed and my testimony discusses the key elements that should be included in legislation in this area.

background

In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted the Commission with a major new responsibility to oversee mandatory, enforceable reliability standards for the Nation's bulk power system (excluding Alaska and Hawaii). This authority is in section 215 of the Federal Power Act. Section 215 requires the Commission to select an Electric Reliability Organization (ERO) that is responsible for proposing, for Commission review and approval, reliability standards or modifications to existing reliability standards to help protect and improve the reliability of the Nation's bulk power system. The Commission has certified the North American Electric Reliability Corporation (NERC) as the ERO. The reliability standards apply to the users, owners and operators of the bulk power system and become mandatory in the United States only after Commission approval. The ERO also is authorized to impose, after notice and opportunity for a hearing, penalties for violations of the reliability standards, subject to Commission review and approval.
The ERO may delegate certain responsibilities to ``Regional Entities,'' subject to Commission approval. The Commission may approve proposed reliability standards or modifications to previously approved standards if it finds them ``just, reasonable, not unduly discriminatory or preferential, and in the public interest.'' The Commission itself does not have authority to modify proposed standards. Rather, if the Commission disapproves a proposed standard or modification, section 215 requires the Commission to remand it to the ERO for further consideration. The Commission, upon its own motion or upon complaint, may direct the ERO to submit a proposed standard or modification on a specific matter but it does not have the authority to modify or author a standard and must depend upon the ERO to do so.

Limitations of Section 215 and the Term ``Bulk Power System''

Currently, the Commission's jurisdiction and reliability authority is limited to the ``bulk power system,'' as defined in the FPA, and therefore excludes Alaska and Hawaii, including any federal installations located therein. The current interpretation of ``bulk power system'' also excludes some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas. The Commission recently issued Order No. 743, which directs NERC to revise its interpretation of the bulk power system to eliminate inconsistencies across regions, eliminate the ambiguity created by the current discretion in NERC's definition of bulk electric system, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules. NERC is currently developing its response to that order.
However, it is important to note that section 215 of the FPA excludes local distribution facilities from the Commission's reliability jurisdiction, so any revised bulk electric system definition developed by NERC will still not apply to local distribution facilities.

Critical Infrastructure Protection Reliability Standards

An important part of the Commission's current responsibility to oversee the development of reliability standards for the bulk power system involves cyber security. In August 2006, NERC submitted eight proposed cyber security standards, known as the Critical Infrastructure Protection (CIP) standards, to the Commission for approval under section 215. Critical infrastructure, as defined by NERC for purposes of the CIP standards, includes facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the ``Bulk Electric System.'' Under NERC's implementation plan for the CIP standards, full compliance became mandatory on July 1, 2010. On January 18, 2008, the Commission issued Order No. 706, the Final Rule approving the CIP reliability standards while concurrently directing NERC to develop significant modifications addressing specific concerns. The Commission set a deadline of July 1, 2009 for NERC to resolve certain issues in the CIP reliability standards, including deletion of the ``reasonable business judgment'' and ``acceptance of risk'' language in each of the standards. NERC concluded that this deadline would create a very compressed schedule for its stakeholder process. Therefore, it divided all of the changes directed by the Commission into phases, based on their complexity. NERC opted to resolve the simplest changes in the first phase, while putting off more complex changes for later versions. NERC filed the first phase of the modifications to the CIP Reliability Standards (Version 2) on May 22, 2009.
In this phase, NERC removed from the standards the terms ``reasonable business judgment'' and ``acceptance of risk,'' added a requirement for a ``single senior manager'' responsible for CIP compliance, and made certain other administrative and clarifying changes. In a September 30, 2009 order, the Commission approved the Version 2 CIP standards and directed NERC to develop additional modifications to certain of them. Pursuant to the Commission's September 30, 2009 order, NERC submitted Version 3 of the CIP standards, which revised Version 2 as directed. The Version 3 CIP standards became effective on October 1, 2010. This first phase of the modifications directed by the Commission in Order No. 706, which encompassed both Version 2 and Version 3, did not modify the critical asset identification process, a central concern in Order No. 706. On February 10, 2011, NERC initiated the second phase of the Order No. 706 directed modifications, filing a petition seeking approval of Version 4 of the CIP standards. Version 4 includes new proposed criteria to identify ``critical assets'' for purposes of the CIP reliability standards. This filing is currently under review by the Commission. In order to better understand the NERC Version 4 petition, particularly the number of critical cyber assets that will be identified under this revision, the Commission issued data requests to NERC, with responses due on July 11, 2011, which reflects an extension of time requested by NERC. The remaining CIP standards revisions to respond to the Commission's directives issued in Order No. 706 are still under development by NERC. It is important to note that the majority of the Order No. 706 directed modifications to the CIP standards have yet to be addressed by NERC. Until they are addressed, there are significant gaps in protection, such as a needed requirement for a defense in depth posture.
NERC's standards development plan filed with the Commission in April 2011 classifies these outstanding revisions to the CIP standards as ``High Priority'' with a targeted completion in the second quarter of 2012.

Identification of Critical Assets

As currently written, the CIP reliability standards allow utilities significant discretion to determine which of their facilities are ``critical assets and the associated critical cyber assets,'' and therefore are subject to the requirements of the standards. In Order No. 706, the Commission directed NERC to revise the standards to require independent oversight of a utility's decisions by industry entities with a ``wide-area view,'' such as reliability coordinators or the Regional Entities, subject to the review of the Commission. This revision to the standards, like all revisions, is subject to approval by the affected stakeholders in the standards development process. NERC has attempted to address this directive in Version 4 of the CIP standards, which is now under review by the Commission. When, in Order No. 706, the Commission approved Version 1 of the CIP reliability standards, it also required entities under those standards to self-certify their compliance progress every six months. In December 2008, NERC conducted a self-certification study, asking each entity to report limited information on its critical assets and the associated critical cyber assets identified in compliance with reliability standard CIP-002-1. As the Commission stated in Order No. 706, the identification of critical assets is the cornerstone of the CIP standards. If that identification is not done well, the CIP standards will be ineffective at protecting the bulk power system. The results of NERC's self-certification request showed that only 29% of responding generation owners and operators identified at least one critical asset, while about 63% of the responding transmission owners identified at least one critical asset.
NERC expressed its concern with these results in a letter to industry stakeholders dated April 7, 2009. NERC conducted another self-certification survey of responsible entities to determine progress towards identification of critical cyber assets. It gathered information about critical assets and critical cyber assets as of December 31, 2009. This survey included additional questions designed to obtain a better understanding of the results from industry's critical asset identification process. In general, this survey did not demonstrate a significant increase in identified critical assets. NERC noted some encouraging results as well as some that were a cause for concern. In addition, the Regional Entities have been performing audits which have included registered entities' determination of their critical cyber asset lists. FERC staff has been observing selected audits to examine the Regional Entities' methods of conducting these audits. It is important to note that although ``critical assets'' are used to identify subsequent ``critical cyber assets,'' only the subset of ``critical cyber assets'' are subject to the CIP standards. NERC's Critical Infrastructure Protection Committee released a guidance document to assist registered entities in identifying their critical assets. That document, which took effect on September 17, 2009, provides ``guidelines'' that define which assets should be evaluated, provides risk-based evaluation guidance for determining critical assets, and describes reasonable bases that could be used to support that determination. A second NERC security guideline regarding critical cyber assets became effective on June 17, 2010. This security guideline ``provides guidance for identifying Critical Cyber Assets by evaluating potential impacts to `reliable operation' of a Critical Asset.'' Neither of these guidance documents contained any actions that were mandatory for users, owners or operators of the bulk-power system. 
Version 4 of the CIP standards, which are currently pending before the Commission, would change the way in which critical assets are identified. Instead of using a loosely defined risk-based assessment methodology, CIP-002 Version 4 Attachment 1 contains what NERC describes as ``uniform criteria for the identification of Critical Assets.'' For example, criterion 1.1 would identify generation plants equal to or greater than 1500 MW as critical assets. The filing asserts that this would account for 29% of the installed generator capacity in the United States. Because this is an on-going proceeding before the Commission, I am limited in what I can discuss about the merits of NERC's petition.

the nerc process

As an initial matter, it is important to recognize how mandatory reliability standards are established. Under section 215, reliability standards must be developed by the ERO through an open, inclusive, and public process. The Commission can direct NERC to develop a reliability standard to address a particular reliability matter, including cyber security threats or vulnerabilities. However, the NERC process typically requires years to develop standards for the Commission's review. In fact, the CIP standards approved by the Commission in January 2008 took approximately three years to develop. NERC's procedures for developing standards allow extensive opportunity for stakeholder comment, are open, and are generally based on the procedures of the American National Standards Institute. The NERC process is intended to develop consensus on both the need for, and the substance of, the proposed standard. Although inclusive, the process is relatively slow, open and unpredictable in its responsiveness to the Commission's directives.
This process requires public disclosure regarding the reason for the proposed standard, the manner in which the standard will address the issues, and any subsequent comments and resulting modifications in the standards as the affected stakeholders review the material and provide comments. NERC-approved standards are then submitted to the Commission for its review. The procedures used by NERC are appropriate for developing and approving routine reliability standards. The process allows extensive opportunities for industry and public comment. The public nature of the reliability standards development process can be a strength of the process. However, it can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information. The current procedures used under section 215 for the development and approval of reliability standards do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standard procedures take too long to implement efficient and timely corrective steps. On September 3, 2010, FERC approved a new reliability standards process manual filed by NERC. While this manual includes a process for developing a standard related to a confidential issue, the new process is untested and it is unclear how the process would be implemented. FERC rules governing review and establishment of reliability standards allow the agency to direct the ERO to develop and propose reliability standards under an expedited schedule. For example, FERC could order the ERO to submit a reliability standard to address a reliability vulnerability within 60 days.
Also, NERC's rules of procedure include a provision for approval of ``urgent action'' standards that can be completed within 60 days and which may be further expedited by a written finding by the NERC board of trustees that an extraordinary and immediate threat exists to bulk power system reliability or national security. However, it is not clear NERC could meet this schedule in practice. Moreover, faced with a national security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months or years. That would not be feasible even under the urgent action process. In the meantime, the bulk power system would be left vulnerable to a known national security threat. Moreover, existing procedures, including the urgent action procedure, could widely publicize both the vulnerability and the proposed solutions, thus increasing the risk of hostile actions before the appropriate solutions are implemented. In addition, a reliability standard submitted to the Commission by NERC may not be sufficient to address the identified vulnerability or threat. Since FERC may not directly modify a proposed reliability standard under section 215 and must either approve or remand it, FERC would have the choice of approving an inadequate standard and directing changes, which reinitiates a process that can take years, or rejecting the standard altogether. Under either approach, the bulk power system would remain vulnerable for a prolonged period. This concern was highlighted in the Department of Energy Inspector General's January 2011 audit report on FERC's ``Monitoring of Power Grid Cyber Security.'' The audit report identified concerns regarding the adequacy of the CIP standards and the implementation and schedule for the CIP standards, and concluded that these problems exist, in part, because the Commission's authority to ensure adequate cyber security over the bulk electric system is limited. 
The audit report concludes that the Commission should take more aggressive action when ordering new or revised standards and highlights its lack of authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities. This report emphasizes the need for FERC to have additional authority for ensuring adequate cyber security over the bulk electric system. Finally, the open and inclusive process required for standards development is not consistent with the need to protect security-sensitive information. For instance, a formal request for a new standard would normally detail the need for the standard as well as the proposed mitigation to address the issue, and the NERC-approved version of the standard would be filed with the Commission for review. This public information could help potential adversaries in planning attacks.

NERC's Formal Notices

Currently, the alternative to a mandatory reliability standard is for NERC to issue a formal notice encouraging utilities and others to take voluntary action to guard against a specific cyber or other vulnerability. Such a notice may be an Advisory, a Recommendation or an Essential Action. The notice approach allows for quicker action, but compliance with a notice is voluntary, and will likely produce inconsistent and potentially ineffective responses. For example, two Advisories and a Recommendation were issued in 2010 by NERC regarding an identified cyber security threat referred to as ``Stuxnet.'' The details of actions taken to mitigate the vulnerabilities identified by Stuxnet, and the assets to which they apply, as well as their effectiveness, are not known. Reliance on voluntary measures to protect national security is fundamentally inconsistent with the conclusion Congress reached during enactment of EPAct 2005, that voluntary standards are not sufficient to protect the reliability of the bulk power system.
smart grid

The need for vigilance will increase as new technologies are added to the bulk power system. For example, smart grid technology promises significant benefits in the use of electricity. These include the ability to better manage not only energy sources but also energy consumption. However, a smarter grid would permit two-way communication between the electric system and a large number of devices located outside of controlled utility environments, which will introduce many potential access points. Smart grid applications will automate many decisions on the supply and use of electricity to increase efficiencies and ultimately to allow cost savings. Without adequate physical and cyber protections, however, this level of automation may allow adversaries to gain access to the rest of the company's data and control systems and cause significant harm. Security features must be an integral consideration when developing smart grid technology and must be assured before widespread installation of new equipment. The challenge will be to focus not only on general approaches but, importantly, on the details of specific technologies and the risks they may present. Regarding data, there are multiple ways in which smart grid technologies may introduce new cyber vulnerabilities into the system. For example, an attacker could gain access to a remote or intermediate smart grid device and change data values monitored or received from down-stream devices, and pass the incorrect data up-stream to cause operators or automatic programs to take incorrect actions. In regard to control systems, an attacker that gains access to the communication channels could order metering devices to disconnect customers, order previously shed load to come back on line prematurely, or order dispersed generation sources to turn off during periods when load is approaching generation capacity, causing instability and outages on the bulk power system.
One of the potential capabilities of the smart grid is the ability to remotely disconnect service using advanced metering infrastructure (AMI). If insufficient security measures are implemented in a company's AMI application, an adversary may be able to access the AMI system and could conceivably disconnect every customer with an AMI device. If such an attack is widespread enough, the resultant disconnection of load on the distribution system could result in impacts to the bulk power system. If an adversary follows this disconnection event with a subsequent and targeted cyber attack against remote meters, the restoration of service could be greatly delayed. In addition to any smart grid related standards that may be adopted by the Commission, the CIP standards will apply to some, but not most, smart grid applications. The standards require users, owners and operators of the bulk power system to protect cyber assets, including hardware, software and data, which would affect the reliability or operability of the bulk power system. These assets are identified using a risk-based assessment methodology that identifies electric assets that are critical to the reliable operation of the bulk power system. If a smart grid device were to control a critical part of the bulk power system, it should be considered a critical cyber asset subject to the protection requirements of the CIP standards. However, this designation is currently up to the affected entity as part of its self-determination of critical cyber assets, as discussed previously. Many of the smart grid applications will be deployed at the distribution and end-user level. For example, some applications may be targeted at improving market efficiency in ways that may not have a reliability impact on the bulk power system, such that the protection requirements of the CIP standards, as they are currently written, may not apply.
However, as discussed above, these applications either individually or in the aggregate could affect the bulk power system.

physical security and other threats to reliability

The existing reliability standards do not extend to physical threats to the grid, but physical threats can cause equal or greater destruction than cyber attacks and the Federal government should have no less ability to act to protect against such potential damage. One example of a physical threat is an electromagnetic pulse (EMP) event. In 2001, Congress established a commission to assess the threat from EMP, with particular attention to be paid to the nature and magnitude of high-altitude EMP threats to the United States; vulnerabilities of U.S. military and civilian infrastructure to such attack; capabilities to recover from an attack; and the feasibility and cost of protecting military and civilian infrastructure, including energy infrastructure. In 2004, the EMP commission issued a report describing the nature of EMP attacks, vulnerabilities to EMP attacks, and strategies to respond to an attack.\1\ A second report was produced in 2008 that further investigated vulnerabilities of the Nation's infrastructure to EMP.\2\ Both electrical equipment and control systems can be damaged by EMP.
---------------------------------------------------------------------------
\1\ Graham, Dr. William R. et al., Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack (2004).
\2\ Dr. John S., Jr. et al., Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack (2008).
---------------------------------------------------------------------------
An EMP may also be a naturally-occurring event caused by solar flares and storms disrupting the Earth's magnetic field. In 1859, a major solar storm occurred, causing auroral displays and significant shifts of the Earth's magnetic fields.
As a result, telegraphs were rendered useless and several telegraph stations burned down. The impacts of that storm were muted because semiconductor technology did not exist at the time. Were the storm to happen today, according to an article in Scientific American, it could ``severely damage satellites, disable radio communications, and cause continent-wide electrical black-outs that would require weeks or longer to recover from.''\3\ Although storms of this magnitude occur rarely, storms and flares of lesser intensity occur more frequently. Storms of about half the intensity of the 1859 storm occur every 50 years or so according to the authors of the Scientific American article, and the last such storm occurred in November 1960, leading to world-wide geomagnetic disturbances and radio outages. The power grid is particularly vulnerable to solar storms, as transformers are electrically grounded to the Earth and susceptible to damage from geomagnetically induced currents. The damage or destruction of numerous transformers across the country would result in reduced grid functionality and even prolonged power outages.
---------------------------------------------------------------------------
\3\ Odenwald, Sten F. and Green, James L., Bracing the Satellite Infrastructure for a Solar Superstorm, Scientific American Magazine (Jul. 28, 2008).
---------------------------------------------------------------------------
In March 2010, Oak Ridge National Laboratory (Oak Ridge) and its subcontractor Metatech released a study that explored the vulnerability of the electric grid to EMP-related events. This study was a joint effort contracted by FERC staff, the Department of Energy and the Department of Homeland Security and expanded on the information developed in other initiatives, including the EMP commission reports.
The series of reports provided detailed technical background and outlined which sections of the power grid are most vulnerable, what equipment would be affected, and what damage could result. Protection concepts for each threat and additional methods for remediation were also included along with suggestions for mitigation. The results of the study support the general conclusion that EMP events pose substantial risk to equipment and operation of the Nation's power grid and under extreme conditions could result in major long term electrical outages. In fact, solar magnetic disturbances are inevitable with only the timing and magnitude subject to variability. The study assessed the 1921 solar storm, which has been termed a 1-in-100 year event, and applied it to today's power grid. The study concluded that such a storm could damage or destroy up to 300 bulk power system transformers interrupting service to 130 million people for a period of years.

The existing reliability standards do not address EMP vulnerabilities. Protecting the electric generation, transmission and distribution systems from severe damage due to an EMP-related event would involve vulnerability assessments at every level of electric infrastructure.

the need for legislation

In my view, section 215 of the Federal Power Act provides an adequate statutory foundation for the ERO to develop most reliability standards for the bulk power system. However, the nature of a national security threat by entities intent on attacking the U.S. through vulnerabilities in its electric grid stands in stark contrast to other major reliability vulnerabilities that have caused regional blackouts and reliability failures in the past, such as vegetation management and protective relay maintenance practices. Widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens.
Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. The Commission's current legal authority is inadequate for such action. This is true of both cyber and physical threats to the bulk power system that pose national security concerns.

Any new legislation should address several key concerns.

First, to prevent a significant risk of disruption to the grid, legislation should allow the Commission to take action before a cyber or physical national security incident has occurred. In my opinion, the cyber security discussion draft addresses this concern by allowing the Commission to timely act on cyber security vulnerabilities before an incident occurs and by giving the Secretary of Energy emergency authority to act on cyber security threats. In particular, the Commission should be able to require mitigation even before or while NERC and its stakeholders develop a standard, when circumstances require urgent action.

Second, any legislation should allow the Commission to maintain appropriate confidentiality of sensitive information submitted, developed or issued under this authority. Without such confidentiality, the grid may be more vulnerable to attack and the Commission will not be able to adequately protect it. The cyber security discussion draft also includes provisions for protection of critical electric infrastructure information, which includes a provision for FERC to establish procedures to allow the Commission to release critical infrastructure information to the extent necessary to enable entities to implement any FERC order under the proposal. It also appropriately would require FERC to limit redistribution of information so that the information is only in the hands of those that need to know.
Third, if additional reliability authority is limited to the bulk power system, as that term is currently defined in the FPA, it would not authorize Commission action to mitigate cyber or other national security threats to reliability that involve certain critical facilities and major population areas. The cyber security discussion draft would apply to any entity that owns, controls, or operates critical electric infrastructure. While Alaska and Hawaii would be excluded, the discussion draft requires the Secretary of Defense to prepare a comprehensive plan to protect any national defense facilities located in those states.

Fourth, it is important that entities be able to recover costs they incur to mitigate vulnerabilities and threats. The cyber security discussion draft requires the Commission to permit public utilities to recover prudently incurred costs required to implement immediate actions ordered by the Secretary of Energy to avert or mitigate a cyber security threat. I support this provision and any clarifications that might better ensure recovery of costs incurred under this legislation.

Finally, in my view, any legislation on national security threats to reliability should address not only cyber security threats but also natural events; i.e., a geomagnetic disturbance, or intentional physical malicious acts (targeting, for example, critical substations and generating stations) including threats from an electromagnetic pulse. This additional authority would not displace other means of protecting the grid, such as action by federal, state and local law enforcement and the National Guard. If particular circumstances cause both FERC and other governmental authorities to require action by utilities, FERC would coordinate with other authorities as appropriate.
In short, any new authority should allow the Commission to quickly order mandatory measures that are focused and confidential to address fast-moving, sophisticated and targeted cyber and physical attacks and natural events while providing cost recovery to the affected entities.

conclusion

The Commission's current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system. These types of threats pose an increasing risk to our Nation's electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. Congress should address this risk now. The cyber security discussion draft in front of us today would go a long way to resolving this issue.

Thank you again for the opportunity to testify today. I would be happy to answer any questions you may have.

The Chairman. Thank you very much. Mr. Cauley, go right ahead.

STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Mr. Cauley. Good morning, Chairman Bingaman, Ranking Member Murkowski, members of the committee and fellow panelists. As CEO of the organization that is charged with overseeing the reliability and security of the North American grid, I wake up every day concerned about the emerging risks caused by intentional actions of our adversaries who would do harm to our Nation and to our citizens. The security of the North American power grid is an utmost priority for NERC. The mainstay of NERC's critical infrastructure program is a set of nine mandatory cyber security standards that we actively monitor and enforce. We've recently made significant strides in improving our cyber standards. When I came onboard at NERC in 2010 I recognized the importance of establishing bright line criteria for the identification of critical assets to be protected.
The new standard was developed in 6 months and filed with the Commission in February of this year and is pending their approval. Our standards process works for what it was intended to do, to establish sustained, baseline requirements for the reliability and resilience of the bulk power system. However, there's no single approach, not even compliance with mandatory standards, that will protect the grid against all threats from physical and cyber attacks. The threat environment is constantly changing and our defenses must keep pace. Achieving a high degree of resilience requires continuously adaptive measures beyond those outlined in our standards, measures we are actively pursuing today.

The most important of these activities is the operation of the Electricity Sector Information Sharing and Analysis Center. In this role NERC works closely with Federal partners to promptly disseminate threat indications, warnings and analysis to electricity sector participants. The crux of a dynamic, adaptive strategy is to get timely, actionable information to the asset owners and operators and the experts in the field. NERC staff has the necessary security clearances to work with the Department of Homeland Security, DOE and Federal intelligence agencies to generate unclassified recommendations that lead to actions by industry. Using this process NERC has issued 14 security related alerts since January 2010 covering such issues as Aurora, Stuxnet, Night Dragon and other threats. The NERC alert system works well. Coupled with our CIP standards and the availability of a new, confidential and expedited standards development process, NERC has the tools we need to protect the cyber security of the bulk power system.

NERC is leading a number of other initiatives to ensure the resilience of the bulk power system. We're preparing an industry wide security exercise in November 2011.
Jointly with DOE and NIST, we are developing cyber security best practices for electric systems including distribution. In collaboration with the DOE national labs, we're initiating a program to monitor grid cyber networks and another program to improve the training and qualifications of industry cyber experts.

With regard to the proposed draft legislation, first and foremost, NERC has consistently supported legislation to address cyber emergencies and improve information sharing between government and the private sector. It is my interpretation of section 215(d)(5) that FERC now has the authority to direct NERC to prepare a standard that is needed to address a specific vulnerability including cyber security and to do so by a certain date. Therefore it is not clear to me that the vulnerability section proposed in the new section 224(b) is needed.

If section 224(b) is retained, first, I'm concerned that the jurisdiction extends to distribution systems, which were intentionally excluded from jurisdiction of FERC and NERC in section 215. If the intent is to expand the scope of authority for electric system security into distribution systems, this is a critical issue requiring involvement of the States, and consultation with asset owners and operators and other stakeholders should be included in such a process.

Second, I'm concerned that no requirement exists in the draft legislation for FERC to identify any deficiency in existing reliability standards or a cyber security vulnerability for the ERO to address. Without some specific idea of the problem to be solved it would be difficult for the ERO to produce an adequate set of requirements.

Third, the discussion draft calls for the ERO to develop a reliability standard in response to a FERC order on vulnerabilities. But given the dynamic nature of threats and vulnerabilities many are not appropriate to be addressed by a standard. Currently NERC's essential action alerts are not legally enforceable.
Legislation that provides a means for both standards and other emergency directives to be legally enforceable would significantly enhance the cyber security of the grid. Such an approach would require the involvement of both the ERO and the Commission and sufficient due process for those entities subject to the requirements.

I believe legislation addressing the security of the Nation's electricity infrastructure could be beneficial, and that the framework should focus on enabling information sharing and problem solving between the government and private sectors. NERC's standards provide a baseline of cyber protection for the power grid. Our alert program is effective in addressing emerging threats. Legislation could help by addressing the due process requirements and enforceability of emergency directives.

Thank you for the opportunity to speak today. I look forward to your questions.

[The prepared statement of Mr. Cauley follows:]

Prepared Statement of Gerry Cauley, President and Chief Executive Officer, North American Electric Reliability Corporation

introduction

Good morning Chairman Bingaman, Ranking Member Murkowski, members of the Committee and fellow panelists. My name is Gerry Cauley and I am the President and CEO of the North American Electric Reliability Corporation (NERC). I am a graduate of the U.S. Military Academy, a former officer in the U.S. Army Corps of Engineers, and have more than 30 years' experience in the bulk power system\1\ industry, including service as a lead investigator of the August 2003 Northeast blackout and coordinator of the NERC Y2K program. I appreciate the opportunity to testify today on the discussion draft of cybersecurity legislation.
---------------------------------------------------------------------------
\1\ The Bulk Power System (sometimes referred to as ``BPS'') is defined as generation and transmission of electricity greater than 100 kV, in contrast to the distribution of electricity to homes and businesses at lower voltages.
---------------------------------------------------------------------------

NERC's Mission

NERC's mission is to ensure the reliability of the bulk power system of North America and promote reliability excellence. NERC was founded in 1968 to develop voluntary standards for the owners and operators of the bulk power system. NERC is an independent corporation whose membership includes large and small electricity consumers, government representatives, municipalities, cooperatives, independent power producers, investor-owned utilities, independent transmission system operators and federal power marketing agencies such as TVA and Bonneville Power Administration.

In 2007, NERC was designated the Electric Reliability Organization (ERO) by the Federal Energy Regulatory Commission (FERC) in accordance with Section 215 of the Federal Power Act (FPA), enacted by the Energy Policy Act of 2005. Upon approval by FERC, NERC's reliability standards became mandatory within the United States. These mandatory reliability standards include Critical Infrastructure Protection (CIP) Standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid. To date, these standards (and those promulgated by the Nuclear Regulatory Commission) are the only mandatory cybersecurity standards in place across the critical infrastructures of the United States. Subject to FERC oversight, NERC and its Regional Entity partners enforce these standards, which are developed with substantial input from industry and approved by FERC, to accomplish our mission to ensure the reliability of the electric grid.
In its position between industry and government, NERC embodies the often-invoked goal of creating effective partnerships between the public sector and the private sector.

As a result of society's growing dependence on electricity, the electric grid is one of the Nation's most critical infrastructures. The bulk power system in North America is one of the largest, most complex, and most robust systems ever created by mankind. Throughout North America, four interconnections with a capacity of over one-million megawatts of generation and nearly half-a-million miles of high voltage transmission lines all acting in unison, meet the electric needs of more than 340 million people, with a maximum demand of nearly 850 thousand megawatts. The electricity being used in this room right now is generated and transmitted in real time over a complex series of lines and stations from as far away as Ontario or Tennessee.

As complex as it is, few machines are as robust as the bulk power system. Decades of experience with hurricanes, ice storms and other natural disasters, as well as mechanical breakdowns, vandalism and sabotage, have taught the electric industry how to build strong and reliable networks that generally withstand all but the worst natural and physical disasters while supporting affordable electric service. The knowledge that disturbances on the grid can impact operations thousands of miles away has influenced the electric industry culture of reliability, affecting how it plans, operates and protects the bulk power system.

the cybersecurity challenge for the grid and nerc's approach to addressing it

Along with the rest of our economy, the electric industry has become increasingly dependent on digital technology to reduce costs, increase efficiency and maintain the reliability of the bulk power system. The networks and computer environments that make up this digital technology could be as vulnerable to malicious attacks and misuse as any other technology infrastructure.
Much like the defense of this country, the defense of the bulk power system requires constant vigilance and expertise.

As CEO of the organization charged with overseeing the reliability and security of the North American grid, I am deeply concerned about the changing risk landscape from conventional risks, such as extreme weather and equipment failures, to new and emerging risks where we are left to imagine scenarios that might occur and prepare to avoid or mitigate the consequences. Some of those consequences could be much more severe than we have previously experienced. I am most concerned about coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures. These threats differ from conventional risks in that they result from intentional actions by adversaries and are not simply random failures or acts of nature.

The most effective approach against such adversaries is through thoughtful application of resiliency principles, as outlined in a National Infrastructure Advisory Council (NIAC) report on the grid delivered to the White House in October 2010. I served on that council along with a number of industry CEOs. Resiliency requires proactive readiness for whatever may come our way and includes robustness; the ability to minimize consequences in real-time; the ability to restore essential services; and the ability to adapt and learn. Examples of the NIAC team's recommendations include:

1) a national response plan that clarifies the roles and responsibilities between industry and government;
2) improved sharing of actionable information by government regarding threats and vulnerabilities;
3) cost recovery for security investments driven by national policy; and
4) a strategy on spare equipment with long lead times, such as electric power transformers.
critical infrastructure protection (``cip'') reliability standards and other nerc measures to address cybersecurity threats and vulnerabilities

NERC's critical infrastructure program, including both reliability standards and alerts, provides many tools to respond to cyber threats and vulnerabilities. Industry, consumers, and government representatives all participate in the NERC standards development process and provide important expertise.

1. Reliability Standards

NERC has nine existing CIP standards that address the following areas:

Standard CIP-001: Covers Sabotage Reporting.

Standard CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System.

Standard CIP-003: Requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.

Standard CIP-004: Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.

Standard CIP-005: Requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.

Standard CIP-006: Intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.

Standard CIP-007: Requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s).

Standard CIP-008: Ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.
Standard CIP-009: Ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.

In December 2010, NERC approved an enhancement to its Critical Cyber Asset Identification standard (CIP-002 version 4) that establishes bright-line criteria for the identification of critical assets. This enhanced standard was filed with FERC in February 2011 and is currently pending FERC approval.

In addition to the development of reliability standards through NERC's regular processes, FERC has authorized NERC to use an expedited standards development process to meet urgent reliability issues. NERC also has rules approved by FERC to enable the development of special standards on an expedited, confidential basis to address imminent or longer term national security threats. Finally, FERC can order NERC to develop a proposed reliability standard or a modification to a reliability standard to address a specific matter (such as a cyber threat or vulnerability) under FPA Section 215(d)(5). In addition, the NERC Board of Trustees may propose and adopt a standard in response to a FERC directive if the board determines that the regular standards process is not being sufficiently responsive to the Commission.

Compliance with the NERC CIP standards is an important threshold for properly securing the BPS. However, there is no single security asset, security technique, security procedure or security standard that, even if strictly followed or complied with, will protect an entity from all potential threats. The cybersecurity threat environment is constantly changing and our defenses must keep pace. Security best practices call for additional processes, procedures and technologies beyond those required by the CIP standards.

2. NERC Alerts

Not all vulnerabilities can or should be addressed through a reliability standard.
In such cases, NERC Alerts are a key element in critical infrastructure protection. To address cyber challenges not covered under the CIP Standards, NERC works through its Electricity Sector-Information Sharing and Analysis Center (ES-ISAC) to inform the industry and recommend preventative actions. NERC must be able to promptly disseminate threat indications, analyses and warnings to assist electricity-sector participants in taking protective actions. NERC staff with appropriate security clearances often work with cleared personnel from Federal agencies to communicate sanitized sensitive information to the industry.

As defined in NERC's Rules of Procedure, the ES-ISAC developed the following three levels of Alerts for formal notice to industry regarding security issues:

Industry Advisory.--Purely informational, intended to alert registered entities to issues or potential problems. A response to NERC is not necessary.

Recommendation to Industry.--Recommends specific action be taken by registered entities. Requires a response from recipients as defined in the Alert.

Essential Action.--Identifies actions deemed to be ``essential'' to bulk power system reliability and requires NERC Board of Trustees approval prior to issuance. Like recommendations, essential actions require recipients to respond as defined in the Alert.

The risk to the bulk power system determines selection of the appropriate Alert notification level. Generally, NERC distributes Alerts broadly to users, owners, and operators of the bulk power system in North America utilizing its Compliance Registry. Entities registered with NERC are required to provide and maintain up-to-date compliance and cyber security contacts. NERC also distributes the Alerts beyond the users, owners and operators of the bulk power system, to include other electricity industry participants who need the information.
Alerts may also be targeted to groups of entities based on their NERC-registered functions (e.g., Balancing Authorities, Planning Authorities, Generation Owners, etc.). Alerts are developed with the strong partnership of Federal technical organizations, including the Department of Homeland Security and the Department of Energy National Laboratories, and bulk power system subject matter experts, called the HYDRA team by NERC.

NERC has issued 14 CIP-related Alerts since January 2010 (12 Industry Advisories and two Recommendations to Industry). Those Alerts covered items such as Aurora, Stuxnet, Night Dragon and the reporting of suspicious activity. Responses to Alerts and mitigation efforts are identified and tracked, with follow-up provided to individual owners and operators and key stakeholders. In addition, NERC released one Joint Product CIP Awareness Bulletin in collaboration with DOE, DHS and the FBI titled, ``Remote Access Attacks: Advanced Attackers Compromise Virtual Private Networks (VPNs)''.

The NERC Alert system is working well. It is known by industry, handles confidential information and does so in an expedited manner. The information needed to develop the Alert is managed in a confidential and expedited manner and does not require a NERC balloting process.

NERC understands that the Congress is seeking to ensure the cybersecurity of the electricity grid. Using standards, Alerts and essential actions, NERC is already working with FERC and the industry to protect the cybersecurity of the bulk power system.
nerc work with dod, dhs and doe to protect grid cybersecurity

As chair of the Electricity Sub-Sector Coordinating Council (ESCC), I work with industry CEOs and our partners within the government, including the Department of Defense, the Department of Homeland Security and the Department of Energy, to discuss and identify critical infrastructure protection concepts, processes and resources, as well as to facilitate information sharing about cyber vulnerabilities and threats. This type of public/private partnership is key to effective cybersecurity protection.

Recently, I met with officials from U.S. NORTHCOM where we discussed collaborating on various electric grid-focused activities including participation in the 2011 SecureGrid Exercise, providing electric sector situational awareness and collaborating on the Joint Capability Technology Demonstration (JCTD) Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS). The latter project is being proposed to understand how specific facilities could develop small reliable ``micro-grids'' on a short-term or emergency basis. Similarly, NERC is discussing a project with DOD to develop case studies at critical military installations to further understand the requirements for ``flow of power'' and the implications to military readiness.

NERC is working with DHS National Cybersecurity and Communications Integration Center to develop a Memorandum of Understanding for bi-directional sharing of critical infrastructure protection information between the government and the electricity sector in North America. NERC also provides leadership to two significant DHS-affiliated public-private partnerships. These are the Partnership for Critical Infrastructure Security (PCIS) and the Industrial Control Systems Joint Working Group (ICSJWG). The PCIS is the senior-most policy coordination group between public and private sector organizations.
On the government side, PCIS comprises the National Infrastructure Protection Plan (NIPP) Federal Senior Leadership Council (FSLC) and the State, Local, and Tribal Government Coordinating Council (SLTGCC), as well as the chairs of all of the other Government Sector Coordinating Councils. On the private side, PCIS comprises the chairs of all of the private-sector coordinating councils. The ICSJWG is a cross-sector industrial control systems working group that focuses on the areas of education, cross-sector strategic roadmap development, coordinated efforts on developing better vendor focus on security needs and cybersecurity policy issues.

NERC is engaged with DOE National Laboratories to further the level of awareness and expertise focused on cybersecurity, especially as it pertains to the bulk power system. We are working with Pacific Northwest National Laboratory on the Electric Sector Network Monitoring initiative and also on developing cybersecurity certification guidelines for Smart-Grid Cyber Operators. In a similar fashion, NERC is working with the Idaho National Laboratory to promote the Cyber Security Evaluation Tool for use within the electric sector. NERC also is partnering with the Industrial Control Systems Cyber Emergency Response Team to share threat, vulnerability and security incident information.

Finally, NERC is working with DOE and the National Institute of Standards and Technology to develop comprehensive cybersecurity risk management process guidelines for the entire electric grid, including both the bulk power system and distribution systems. We believe this to be particularly important with the increasing availability of smart-grid and smart-meter technologies. While the majority of technology associated with the smart grid is found within the distribution system, vulnerabilities realized within the distribution system could potentially impact the bulk power system.
Everyone engaged in smart-grid and smart-meter implementation should ensure that appropriate security applications and technologies are built into the system to prevent the creation of additional threats and vulnerabilities.

NERC Comments on the Discussion Draft

First and foremost, NERC has consistently supported legislation authorizing some government entity to address cyber emergencies, as the draft would authorize the Secretary of Energy to do.

Second, NERC strongly supports any effort to improve information sharing between government and the private sector owners of critical electric infrastructure. NERC especially commends the provisions of the discussion draft directing the Secretary and the Commission to establish procedures on the release of critical infrastructure information to entities subject to the proposed legislation. NERC and the electric industry can only deal with the risks they are aware of. It is impractical, inefficient and impossible to defend against all possible threats or vulnerabilities. Entities must prioritize their resources to ensure they are protected against those risks that pose the greatest harm to their assets, their business and their customers. The electric industry is in the best position to understand the impact that a particular event or incident could have on the bulk power system, but the industry does not have the same access to actionable intelligence and analysis that the government does. This lack of information leads the industry to be, at best, a step behind when it comes to protecting against potential threats and vulnerabilities. Too often the industry has heard from government agencies that the threats are real, but is given little or no additional information. This leads to frustration among the private sector leaders who are unable to respond effectively due to ill-defined and nebulous threat information.
NERC also appreciates the additional attention in the discussion draft to providing security clearances, but that route will not likely deal with the unavailability of actionable information for electricity industry decision-makers. NERC has over 1900 entities on its Compliance Registry, some have just a few employees and some have many thousands. It is important to be realistic about the number of clearances that may be made available. Of more importance is developing methods and procedures for sanitizing sensitive information so that it can usefully be made available to the broad range of private decision-makers who must take action to protect against the threat or vulnerability.

The bulk of NERC's comments are directed to the draft legislation's treatment of ``Cyber Security Vulnerabilities,'' which are something less urgent than ``Cyber Security Threats.'' NERC appreciates that the draft legislation proposes for the ERO to play a meaningful role in addressing cybersecurity vulnerabilities, as the ERO now does. As discussed above, NERC has the tools, the expertise and the relationships with government agencies, intelligence resources and industry subject matter experts to address identified vulnerabilities effectively and efficiently. FERC has the authority now under FPA Sec. 215(d)(5) to direct NERC to prepare a proposed standard to address a specific vulnerability or other matter, and to do so by a certain date. Thus, it is not clear to NERC that the vulnerability section (proposed new FPA Section 224(b)) is needed. If this section is retained, please consider the following concerns:

1. FERC's jurisdiction under this bill extends to distribution systems; the ERO's does not: The definition of Critical Electric Infrastructure in proposed Section 224 extends to distribution systems. Section 215 does not provide NERC with that jurisdiction.
Thus, existing NERC reliability standards and requirements cannot be as broad as FERC's jurisdiction under the draft bill, and standards prepared by NERC at the direction of FERC similarly cannot be as broad as FERC's direction if FERC directs an action to protect the distribution system. If NERC is intended to have the same jurisdiction as FERC over the distribution system and assets, this needs to be clarified. Without such clarification, FERC could always find that an ERO-proposed reliability standard ``fails to provide adequate protection of critical electric infrastructure from a cybersecurity vulnerability'' and reject the ERO's efforts under Section 224, effectively removing the ERO role from the vulnerabilities section.

2. Identification of vulnerability: No requirement exists in the legislation for FERC to identify any deficiency in existing reliability standards or the specific cybersecurity vulnerability for the ERO to address. Without some idea of the ``target'' that FERC would like the ERO to hit, it will be difficult for the ERO to produce an adequate set of requirements, assuming the jurisdiction issue above is addressed.

3. Enforceable tools in addition to standards: The discussion draft calls for the ERO to develop a reliability standard in response to a FERC order on vulnerabilities, but given the constantly changing nature of vulnerabilities, not all vulnerabilities can or should be addressed by a standard. Currently, NERC actions other than standards are not legally enforceable. Legislation that provides a means for both standards and other NERC directives to be legally enforceable would significantly enhance the cybersecurity of the grid. Such an approach would require the involvement of both the ERO and the Commission.

4. Due process: The discussion draft would authorize FERC to promulgate an interim final rule without consultation or any due process.
In addition, unlike the 90-day sunset on DOE emergency orders, there is no such limitation on FERC interim final rules.

Conclusion

NERC works with multiple agencies, industry, consumers and government to support a coordinated comprehensive effort to address cybersecurity. As outlined today, NERC has many tools available including the ESCC and the ES-ISAC to address imminent and non-imminent threats and vulnerabilities through our Alerts and standards processes. These existing processes should be enhanced, not pre-empted, by cybersecurity grid legislation. We appreciate this opportunity to discuss NERC's activities on cybersecurity with the committee and to offer our views on legislation that would improve cybersecurity protection of the grid.

The Chairman. Thank you very much. Mr. Owens.

STATEMENT OF DAVID K. OWENS, EXECUTIVE VICE PRESIDENT, BUSINESS OPERATIONS, EDISON ELECTRIC INSTITUTE

Mr. Owens. Good morning, Chairman Bingaman, Ranking Member Murkowski and other distinguished members of this committee. As was said earlier, my name is David K. Owens. I'm Executive Vice President at the Edison Electric Institute. You're aware that EEI is the trade association of the U.S. shareholder owned electric companies. Our members serve about 75-70 percent of end users of electricity. I certainly do appreciate this opportunity to appear before you today to talk about cyber security and critical electric infrastructure.

Now to accompany my written statement is a document titled, ``Principles for Cyber Security and Critical Infrastructure Protection.'' Now this document was adopted by EEI's Board of Directors last September. It demonstrated the significant concern of our industry and our CEOs in particular, about cyber security threats and the need to develop consensus around a framework to improve security of the electric grid.

Now rather than me getting into all the details of observations I've made about the bill or restating my testimony.
I'd like to leave you with 2 principal points. I'd like to talk very specifically about the need for coordination, planning and information sharing. I believe some of the other witnesses, Secretary Hoffman stressed that. The need also for clear regulatory structure that focuses resources where they're needed.

Now all of you know cyber security is not a check-the-box exercise. You can't say if we do these ten things we're not going to have a cyber security problem. Instead cyber security requires an evolutionary process and an ongoing dialog involving industry and government.

Now the threats that we face daily and the mechanisms for identifying them also vary. Sometimes a government will become aware of a threat or other times it will be the industry or individual utilities that will be aware of this or outside security firms or academia. The point is that there is no perfect process for identifying what tomorrow's threats are nor how a creative hacker might exploit vulnerabilities. A better approach in my view is fostering coordination and dialogs both horizontally and vertically between industry and government.

Now I know you're probably saying well what does he mean by that? Horizontal communication, in my view, is across--should be across the industry and across government. Now the electric industry, the private sector, we're working with a lot of other utilities that serve our Nation. We're working with public entities. We're working with governmental entities and so forth because we all have a commonality of keeping the lights on. So the entire electric sector is working very closely together. That's an example of horizontal communication.

We also have interdependencies. For example, we rely on telecommunications industry so that we can communicate and improve our overall day to day operations. We also use water systems in order to cool our facilities. We use transportation in order to move our fuel. We also look at financial markets that fund our operations.
So there's an interdependency. That's also horizontal communication. Now no single industry, in my view, can be considered secure unless we're engaged in coordination across those industry sectors.

Let me talk a little bit about horizontal communication within the government. Here I'm perfectly sure that DOE and the FERC communicate regularly. One agency probably has substantial intelligence about what's occurring in the electric network and in other vital facilities in our Nation, whereas the other agency may have the responsibility of mandating reliability standards. But it's critically important that those agencies work together. So in addressing cyber security, my view is that the government needs to consider how they engage in horizontal communications as well.

Then there's vertical communications. The vertical communications is the government communicating with industry and vice versa. Now we are not in the business in the utility industry of identifying threats, but the government is and needs to coordinate very closely with industry. On the other hand, we're pretty good at operating our systems and providing reliable electric service and understanding how to address potential vulnerabilities. So I believe there's a shared responsibility. There's a responsibility of government. There's a responsibility of industry to work together. If we're working together then we can provide greater security over the overall electric system.

One of the things that I've observed in terms of the disaster in Japan was the need for planning before a crisis occurs. Protecting critical infrastructure demands planning both from government and from the private sector. The roles and responsibilities need to be very clear. Now I applaud this committee's efforts and our Congress for its deep consideration of how we put these various pieces together to protect our critical infrastructure.

Let me move to my second principle.
I'd like to believe that we all recognize that a risk based approach for dealing with cyber security that is identifying assets, that make the system vulnerable, is very, very critical. We strongly support that. We also recognize as well that under section 215, the Federal Power Act, that we had mandatory and enforceable reliability standards. We recognize that. But we also recognize that there's a gap. That gap means that we need to have a process where we can deal with imminent threats. We have to separate imminent threats from potential vulnerabilities.

I see that I'm almost out of time. So I'm just going to say this. We look forward to working with the committee in these areas. I look forward to your questions.

[The prepared statement of Mr. Owens follows:]

Prepared Statement of David K. Owens, Executive Vice President, Business Operations, Edison Electric Institute

My name is David Owens, and I am Executive Vice President in charge of the Business Operations Group at the Edison Electric Institute (EEI). EEI is the trade association of U.S. shareholder-owned electric companies and has international affiliate and industry associate members worldwide. EEI's U.S. members serve 95 percent of the ultimate customers in the shareholder-owned segment of the industry and represent about 70 percent of the U.S. electric power industry.

I appreciate your invitation to discuss the cyber security of critical electric infrastructure and to comment on the Committee's draft legislation. It is almost two years since I last had the opportunity to testify on this subject before this Committee. Since then, EEI's member companies--along with other owners, operators, and users of the electric grid--have continued to make cyber security a priority, while working together to make our critical infrastructure more resilient. In fact, EEI is part of a broader coalition of electric power stakeholders working on these issues.
While I am not officially testifying on its behalf, this coalition includes several major trade associations representing the full scope of electric generation, transmission and distribution in the United States, as well as regulators, Canadian interests and large industrial consumers. Rarely do these groups find consensus on public policy issues, but in the case of securing the electric grid, there is unanimous support for a regime that leverages the strength of both the public and private sectors to improve cyber security.

My testimony focuses on the value of this cooperative relationship, the unique nature of threats to the power grid, and the ongoing efforts of the nation's electric sector to respond to those threats. I also will share our analysis of the Committee's bill, particularly as it relates to EEI's ``Principles of Cyber Security and Critical Infrastructure Protection,'' which is attached for the record. This document was adopted by our Board of Directors last September in an effort to address cyber security threats and develop consensus around a framework to improve security for the electric grid. Included in this document, and most salient to the Committee's work today, are the following principles the industry believes are integral to successful cyber security policy:

- Leveraging public and private sector expertise, while including robust information sharing between government and the private sector, as well as among other stakeholders; and,

- A clear regulatory structure that focuses resources and attention on protecting truly critical assets from imminent threats.

Public-Private Coordination and Information Sharing

Among the myriad lessons learned following the earthquakes and tsunami in Japan is the need for dialogue and coordination before disaster strikes. It is clear that critical infrastructure protection is a shared cause that demands planning, as well as an understanding of roles and responsibilities ahead of time.
Both the federal government and electric utilities have distinct realms of responsibility and expertise in protecting the bulk power system. The optimal approach to utilizing the considerable knowledge of both government intelligence specialists and electric utilities in ensuring the cyber security of the nation's electric grid is to promote a regime that clearly defines these complementary roles and responsibilities and provides for ongoing consultation and sharing of information between government agencies and utilities.

Fundamentally, the private sector can be disadvantaged in assessing the degree and urgency of possible or perceived cyber threats because of limitations on its access to classified information. The government is entrusted with national security responsibilities and has access to volumes of intelligence to which electric utilities are not privy. Thus the government is able to detect threats, evaluate the likelihood or risk of a malicious attack, and utilize its expertise in law enforcement. On the other hand, electric utilities are experienced and knowledgeable about how to provide reliable electric service at a reasonable cost to their customers, and we understand how our complex systems are designed and operated. Owners, users, and operators of the electric grid are in a unique position to understand the consequences of a potential malicious act as well as proposed actions to prevent such exploitation, including ensuring against unintended consequences of remedial actions.

It is critically important to establish a workable structure that enables the government and the private sector to work together in order to provide a more secure system for our customers. Thus, the industry appreciates that the Committee's draft bill acknowledges the need for intelligence sharing between government and the private sector, though we believe a more robust and explicit mandate is required.
It also is important to recognize that a strong industry partnership with government agencies currently exists. On an ongoing basis, the electric power industry communicates and collaborates in the United States with the Department of Homeland Security (DHS), the Department of Energy (DOE), and the Federal Energy Regulatory Commission (FERC). The industry also works very closely with the North American Electric Reliability Corporation (NERC) to develop mandatory reliability standards, including an array of ``Critical Infrastructure Protection'' or ``CIP'' standards. In addition, NERC, in its capacity as the Electric Sector Information Sharing and Analysis Center (ESISAC), uses its ``alert and advisory'' procedures to provide the electric power industry with timely and actionable information received from various federal agencies to assure the continued reliability and security of the nation's electric systems. This NERC advisory system continues to evolve and, in the time since I last testified, has proven its ability to respond and disseminate information successfully when responding to significant national security events like the Stuxnet worm.

I would urge you not to reinvent the wheel, nor jump to conclusions about the efficacy of the existing cyber security regimes. The mechanisms in place to deal with these new and constantly evolving threats are, themselves, evolving. It is important that the Committee support continued participation in NERC's stakeholder-driven and FERC-approved standards and development process, which will yield mandatory CIP cyber security standards for the bulk power system that are clear, technically sound, and enforceable.

Finally, I would add that simply creating mechanisms for information sharing and public-private coordination is only part of the solution.
Those lines of communication must be developed at the highest levels of both government and industry, and then drilled on a regular basis to ensure that, in times of crisis, those with relevant information and operational expertise can communicate seamlessly, quickly and, when needed, securely.

Clear, Focused Regulatory Structure

A successful cyber security framework also needs to focus on protecting truly critical assets from imminent threats. There is a security axiom that states: if you try to protect everything, you protect nothing. Put another way, risk-based prioritization ensures both government and private sector resources are allocated wisely. The distinction between imminent threats and vulnerabilities is an important one. Threats, by definition, constitute an emergency, while vulnerabilities might be exploited at a later date, providing time to determine the best way to respond to them.

EEI agrees that it is appropriate for this Committee and Congress to consider legislation providing federal energy regulators new authority to address emergency cyber security threats. I want to emphasize, however, that current law already provides the means to address the many non-emergency cyber security issues in the electric industry. Section 215 of the Federal Power Act (FPA), which this Committee helped develop and which was enacted by Congress as part of the Energy Policy Act of 2005, provides for the Electric Reliability Organization to establish mandatory and enforceable electric reliability standards, specifically including standards to address cyber security, under FERC oversight. Chairman Bingaman and other Senators on this Committee should be commended for their work on enacting Section 215 and other efforts to ensure the reliability of the electric grid.

The basic construct of the relationship between FERC and NERC in developing and enforcing reliability standards is sound.
In summary, NERC, using a well-defined stakeholder process that leverages the vast technical expertise of the owners, users, and operators of the North American electric grid, develops reliability standards, which are then submitted to FERC for review and approval. In approving such standards, FERC is to give ``due weight'' to the technical expertise of the ERO. Once approved by FERC, these standards are legally binding and enforceable in the United States. Any stakeholder, including FERC, may request that a standard be developed to address some aspect of reliability, expressly including cyber security.

I suggest the question on which the Committee should focus is, ``What additional authority should be provided to federal energy regulators in order to promote clarity and focus in response to emergency situations?'' Legislation in this area should complement, not supplant, the mandatory reliability regime already established under FPA Section 215. Any new federal authority should be appropriately narrow and focused only on unique problems that cannot be addressed under Section 215. The Section 215 mandatory reliability framework reflects years of work and broad consensus reached by industry and other stakeholders in order to ensure a robust, reliable grid. It should not be undermined so early in its implementation.

While the open stakeholder processes used for developing industry-wide reliability and critical infrastructure protection standards admittedly are not well-suited to emergencies requiring immediate mandatory action with confidential handling of information, the vast majority of cyber security issues do not rise to the level of national security emergencies.
Rather than creating broad new federal regulatory authorities that could undermine the consensus-driven policy framework developed through years of stakeholder input and memorialized in section 215, legislation should be focused on addressing a relatively narrow set of potential threats that legitimately merit special federal emergency authority.

Because of its extraordinary nature and potentially broad impacts on the electric system, any additional federal emergency authority in this area should be used judiciously. Legislation granting such authority should be narrowly crafted and limited to address circumstances where the President or his senior intelligence or national security advisors determine there is an imminent threat to national security or public welfare. Also, the Committee draft provides DOE and FERC with parallel authorities to address cyber security threats and vulnerabilities, respectively. The Committee's draft could be clarified and strengthened by providing for a single agency to take expedited actions based on advice or information from the President or intelligence agencies.

To further focus efforts on those threats that have the potential to do the greatest harm, any new authority also should be limited to truly critical assets. Over-inclusion of electric utility infrastructure would be counterproductive; efforts to maintain and enhance the cyber security of the nation's critical electric infrastructure should focus first on the critical facilities that, if not protected, could cause substantial disruption to the nation's electric grid.

Any new legislation giving additional statutory authority should be limited to true emergency situations involving imminent cyber security threats where there is a significant declared national security or public welfare concern.
In such an emergency, it is imperative that the government provide appropriate entities clear direction about actions to be taken, and assurance that those actions will not have significant adverse consequences to power operations or assets, while at the same time avoiding any possible confusion caused by potential conflicts or overlap with existing regulatory requirements.

Build Security Into the Grid

A separate but equally important component of grid security is to ensure that manufacturers of critical grid equipment and systems are adequately fulfilling their security responsibilities by adopting good security practices in their organizations, building security into their products, and establishing effective programs so that, as new vulnerabilities are discovered, they can inform customers and provide technical assistance with mitigation.

As grid technologies continue to evolve, they inevitably will include greater use of digital controls. Congress recognized the potential cyber security vulnerabilities, as well as benefits, that could result from greater digitization of the grid when it directed DOE to study these issues in Section 1309 of the Energy Independence and Security Act of 2007. As new smart grid technologies are developed, it will be imperative for the industry to work closely with vendors and manufacturers to ensure they understand that cyber security is essential so that cyber security protections are incorporated into devices as much as possible. EEI is encouraging the development of a security certification program and expansion of National Lab involvement to provide independent testing for new grid components. Such a program would help utilities differentiate among different vendor solutions to select those that provide appropriate cyber security.
FERC ``Interim Final Rule'' Authority

Under the Committee's draft legislation, FERC is to determine whether the current NERC reliability standards are ``adequate to protect critical electric infrastructure from cyber security vulnerabilities.'' Under Section 224(b)(6)(C), any interim rule FERC enacts would stay in effect until NERC develops a reliability standard or modification that ``the Commission determines provides adequate protection to critical electric infrastructure from the cyber security vulnerability addressed by the interim final rule.'' Since NERC reliability rules apply only to the bulk electric system, FERC would have unilateral authority to write rules without input from the NERC stakeholder-driven process to establish technical standards. And, with no hearing or prior notice required before making the rule immediately effective, we are concerned about the lack of due process for stakeholder input. It would be desirable to at least have some requirement for FERC to consult with industry if time permits, similar to the consultation language in other parts of the bill.

FERC and DOE Emergency Procedure Authorities

Having both FERC and DOE able to designate critical electric infrastructure introduces confusion and potential duplication. The lack of procedures or specific criteria for designating critical electric infrastructure is also problematic. It is unclear how, or if, an entity could challenge a designation by DOE under the general review provisions of the FPA.

Conclusion

With thousands of entities operating a single complicated, interdependent machine like the electric grid, the intra-industry coordination undertaken by the electric sector under the auspices of NERC has been invaluable. There also are interdependencies not just within the electric sector, but across other critical infrastructure. For this reason, it would be preferable for Congress to take a comprehensive, multi-sector approach to legislation.
Electric utilities, for example, rely on telecommunications systems to operate the grid, pipelines to fuel our generation, and wholesale markets to sell our product. Should any of these critical sectors be compromised, the electric grid would be impacted as well. The interconnected nature of critical infrastructure prevents us from claiming victory unless a comprehensive approach is taken. I understand this Committee's jurisdiction and interest focus specifically on protecting the electric grid, but would urge you to work with the appropriate congressional committees to address cyber security more holistically.

That said, while many cyber security issues already are addressed under current law, we believe it is appropriate to provide federal energy regulators with explicit statutory authority to address cyber security in a situation deemed sufficiently serious to require a Presidential declaration of emergency. In such a situation, the legislation should clarify the respective roles, responsibilities, and procedures of the federal government and the industry, including those for handling confidential information, to facilitate an expeditious response.

Promoting clearly defined roles and responsibilities, as well as ongoing consultation and sharing of information between government and the private sector, is the best approach to improving cyber security. Each cyber security situation requires careful, collaborative assessment and consultation regarding the potential consequences of complex threats, as well as mitigation and preventive measures, with owners, users, and operators of the bulk power system. EEI and its member companies remain fully committed to working with the government and industry partners to increase cyber security. EEI's commitment to such coordinated efforts is illustrated by the broad coalition of industry stakeholder associations that continue to work together on these matters.
I appreciate the opportunity to appear today and would be happy to answer any questions.

Attachment.--EEI Principles for Cyber Security and Critical Infrastructure Protection

September 9, 2010

Background

Protecting the nation's electric grid and ensuring a reliable supply of power is the electric power industry's top priority. Cyber security incidents may disrupt the flow of power or reduce the reliability of the electric system. Key to the success of this effort is the ability to provide measures capable of protecting the evolving intelligent network against interruption, exploitation, compromise or outright attack of cyber assets, whether the attack vector is physical, cyber or both.

The electric power industry takes cyber security threats very seriously. As part of the industry's overall reliability effort, electric companies work to maintain the reliability and the security of the computers, control systems, and other cyber assets that help electric companies operate the electric grid. In response to the cyber threat, electric companies employ various strategies to protect these systems, but cyber security threats still exist.

Addressing Cyber Security Threats

Reliability is more than a slogan for the electric utility industry--it's a mandate. In fact, federal and state regulators have significant interest and statutory authority in ensuring electric companies provide adequate reliability. Thus, utilities take very seriously their responsibility to address cyber vulnerabilities and the security of the computers, control systems, and other cyber assets that help operate the electric grid. This focus on reliability, resiliency and recovery takes into account an all-hazards approach, recognizing risks from natural phenomena such as hurricanes or geomagnetic disturbances to intentional cyber attacks.
Protecting the grid from cyber attacks requires a coordinated effort among electric companies, the federal government, and the suppliers of critical electric grid systems and components. Electric companies work closely with the North American Electric Reliability Corporation (NERC) and federal agencies to enhance the cyber security of the bulk power system. This includes coordination with the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), and the Department of Energy (DOE), as well as receiving assistance from federal intelligence and law enforcement agencies.

To complement its cyber security efforts and to address rapidly changing intelligence on evolving threats, the industry embraces a cooperative relationship with federal authorities to protect against situations that threaten national security or public welfare, and to prioritize the assets which need enhanced security. A well-practiced, public-private partnership utilizes all stakeholders' expertise, including the government's ability to provide clear direction and assess threats, while owners and operators of the critical infrastructure propose mitigation strategies that will avoid significant adverse consequences to utility operations or assets. At the same time a constructive regulatory environment will assure that incremental investments to protect the grid are prudent, and reduce risk in a manner proportional to the cost.

Protecting the Grid Is a Shared Responsibility

1. Prioritize Assets to Ensure Effective Protection

Recognizing that there are a variety of interdependencies, and potential consequences associated with the loss of different facilities, the utility industry supports a risk-based, prioritized approach that identifies assets truly critical to the reliable operation of the electric grid. This ensures the most important elements of our system receive the highest level of attention, as well as the resources necessary to secure them.

2. Threats Require Emergency Action; Vulnerabilities Should Be Addressed More Deliberately

In this context, a threat is imminent and requires a rapid response. In these instances, the industry is willing to accommodate certain operational consequences in the interest of addressing the threat. Vulnerabilities, on the other hand, have a longer time horizon and can benefit from a more measured response. Government authority should reflect and respect these different levels of danger.

3. Clear Regulatory Structure and Open Lines of Communication

The Federal regulatory framework and roles for all stakeholders involved in securing the electric grid should be clear to avoid duplicative or conflicting actions in times of crisis. The electric utility industry is not in the law enforcement or intelligence gathering business, and the government has limited experience operating the electric grid. Thus, each should be consulted, and the flow of information should be regularly exercised, before a threat becomes a crisis. It is critical that the federal government and industry communicate with each other seamlessly; to avoid confusion, those at the highest levels of government and industry should be involved in coordinating responses and declaring the need for emergency action.

4. Proactively Manage New Risks

As the new Smart Grid develops, it is essential that cyber security protections are incorporated into both the grid architecture and the new smart grid technologies. The electric power industry must continue to work closely with vendors, manufacturers, and government agencies and be aligned with emerging and evolving cyber security standards (such as those being driven by NIST) to ensure that the new technology running the grid is, most importantly, secure and reliable. We encourage the development of a security certification program that would independently test smart grid components and systems and certify that they pass security tests. This certification process would help utilities select only those systems that provide appropriate cyber security.

5. Committed to Protecting Bulk Electric System and Distribution Assets

The utility industry understands that cyber attacks affecting distribution systems could have broader implications. Since jurisdiction is split between state regulators and the Federal Energy Regulatory Commission, the utility industry supports enhanced threat information coordination and communication between regulatory agencies and utilities to protect our systems (whether distribution or the bulk electric system) while also honoring the existing regulatory model.

6. Cost Recovery and Liability Protection

Costs associated with emergency mitigation are, by definition, unexpected and thus not included in a utility's rate base. To ensure emergency actions do not put undue financial strain on electric utilities, the industry supports mechanisms for recovering costs. In addition, electric utilities support liability protections for actions taken under an emergency order.

The Chairman. Thank you very much. Mr. Tedeschi, go right ahead.

STATEMENT OF WILLIAM TEDESCHI, SENIOR SCIENTIST, SANDIA NATIONAL LABORATORIES, ALBUQUERQUE, NM

Mr. Tedeschi. Good morning, Chairman Bingaman, Ranking Member Murkowski and distinguished members of the Senate Committee on Energy and Natural Resources. Thank you for the opportunity to testify. I am William Tedeschi, Senior Scientist and Licensed Professional Engineer at Sandia National Laboratories, a multi program, national security laboratory. I am honored to be here today with the Honorable Patricia Hoffman of the United States Department of Energy, Joe McClelland of the Federal Energy Regulatory Commission, Gerry Cauley of the North American Electric Reliability Corporation and David Owens of the Edison Electric Institute.
Sandia is one of the three National Nuclear Security Administration laboratories with responsibility for stockpile stewardship and annual assessment of the Nation's nuclear weapons. Within the U.S. nuclear weapons complex, Sandia is uniquely responsible for the systems engineering and integration of the nuclear weapons in the stockpile and for the design, development and qualification of non-nuclear components of nuclear weapons. While nuclear weapons remain Sandia's core mission, the science, technology and engineering capabilities required to support this mission position us to support other aspects of national security as well. Indeed, there is a natural, increasingly significant synergy between our core mission and our broader national security work. This broader role involves research and development in non-proliferation, counter proliferation, counter terrorism, energy security, defense and homeland security. My statement today will focus on the risk of nuclear electromagnetic pulse threats against the U.S. power grid and the potential need to harden the grid against such threats. I am a subject matter expert in nuclear weapon systems and effects, including electromagnetic pulse threats, and in assessing the risks posed by such threats. I will first refer to the results of a recent technical peer review of 7 reports focused on the topic of this testimony, a peer review that a Sandia team of experts provided to the Federal Energy Regulatory Commission. Then I will present the view of the Sandia team on the risk of nuclear electromagnetic pulse attacks and the potential need to harden the U.S. power grid against them. We commend the Federal Energy Regulatory Commission and the authors of the 7 reports on evaluating the impact of nuclear, high altitude EMP threats to the U.S. power grid for their comprehensive work, which represents an excellent start on modeling a very complex problem. 
However, we respectfully suggest that further computational and experimental work is required before fully informed decisions can be made about where and to what extent the power grid should be hardened solely against nuclear, high altitude, electromagnetic pulse threats. If the decision is made to protect the power grid against a broader set of more likely electromagnetic pulse threats, including solar geomagnetic and electromagnetic interference threats, then an awareness of nuclear, high altitude EMP environments and effects should also be considered. From an integrated risk perspective the Sandia team considers nuclear, high altitude, electromagnetic pulse threats to be a remote likelihood. Also, the true extent of the grid's susceptibility and vulnerability to such effects and the resulting consequences are mostly unknown, except for the apparent worst-case environments and assumptions made in the reports that the Sandia team peer review evaluated. The Sandia team recommends that this complex problem be studied in more depth in order to include results from additional computer based simulations and experimental testing, specifically under nuclear, high altitude, electromagnetic threat conditions. How do high voltage transformers and their protection and control elements respond to the range of induced current insults? If they fail, how do they fail and at what level of insult? Answering such questions would provide critical data to enable better understanding and validation of results by advancing a complete understanding of all the risk elements, as well as quantification and reduction of uncertainties, in order to fully inform decisions that may be made about hardening the U.S. power grid. We suggest that a graded hardening approach be considered, whereby selective hardening could be accomplished easily and cost effectively in combination with addressing new and emerging threats to the grid, for example intentional electromagnetic interference. 
Also, by further evaluating the consequence of electromagnetic pulse attacks on mission critical U.S. installations and functions, for example important U.S. war fighting or continuity of operations, specific sites may be identified that may require selective electromagnetic pulse hardening. This concludes my prepared remarks. I would be pleased to respond to any questions. Thank you. [The prepared statement of Mr. Tedeschi follows:] Prepared Statement of William Tedeschi, Senior Scientist, Sandia National Laboratories, Albuquerque, NM introduction Chairman Bingaman, Ranking Member Murkowski, and distinguished members of the Senate Committee on Energy and Natural Resources, thank you for the opportunity to testify. I am William Tedeschi, senior scientist and licensed professional engineer at Sandia National Laboratories. Sandia is a multiprogram national security laboratory owned by the United States Government and operated by Sandia Corporation\1\ for the National Nuclear Security Administration (NNSA). --------------------------------------------------------------------------- \1\ Sandia Corporation is a subsidiary of the Lockheed Martin Corporation under Department of Energy prime contract no. DE-AC04- 94AL85000. --------------------------------------------------------------------------- Sandia is one of the three NNSA laboratories with responsibility for stockpile stewardship and annual assessment of the nation's nuclear weapons. Within the U.S. nuclear weapons complex, Sandia is uniquely responsible for the systems engineering and integration of the nuclear weapons in the stockpile and for the design, development, and qualification of nonnuclear components of nuclear weapons. While nuclear weapons remain Sandia's core mission, the science, technology, and engineering capabilities required to support this mission position us to support other aspects of national security as well. 
Indeed, there is natural, increasingly significant synergy between our core mission and our broader national security work. This broader role involves research and development in nonproliferation, counterproliferation, counterterrorism, energy security, defense, and homeland security. My statement today will focus on the risk of nuclear electromagnetic-pulse (EMP) threats against the U.S. power grid and the potential need to harden the grid against such threats. I have been employed at Sandia National Laboratories for 26 years, where I have done engineering work on the U.S. nuclear stockpile and have assessed a broad range of foreign threats to U.S. national security assets and infrastructures. I am a subject matter expert in nuclear weapon systems and effects, including EMP threats, and in assessing the risks posed by such threats. Part of this expertise came from Sandia having technically supported the congressionally mandated EMP Commission from 2002 to 2008 through targeted EMP testing of a whole range of electronic equipment, assessments of water-and financial-system infrastructure susceptibility, and targeted writing assignments. I was the program manager for that work. My testimony starts with a description of a recent technical peer review of seven reports focused on the topic of this testimony, a peer review that a Sandia team of experts provided to the Federal Energy Regulatory Commission; thereafter, the testimony puts forward the view of the Sandia team on the risk of EMP attacks and the potential need to harden the U.S. power grid against them. major points of this testimony It is the belief of a Sandia team of experts that 1. Nuclear high-altitude electromagnetic-pulse (HEMP) attacks against the U.S. power grid are of remote likelihood. 2. 
The susceptibility of the power grid to EMP attacks is not well characterized and should be further addressed with computer-based simulations and experimental testing in order to understand all the risk elements, quantify and reduce uncertainties, and thus fully inform decisions that may be made about the U.S. power grid. 3. Possible approaches to mitigating electromagnetic threats to the U.S. power grid could be graded hardening, whereby selective hardening would be accomplished easily and cost- effectively while addressing new and emerging threats to the grid, or selective hardening for protection of some critically important U.S. nodes. electromagnetic pulse (emp) threats to the u.s. power grid Sandia Team Provided a Technical Peer Review for the Federal Energy Regulatory Commission The Federal Energy Regulatory Commission (FERC) recently requested Sandia to do a peer review of seven reports (more than 700 pages in length) on electromagnetic threats to the U.S. power grid and on possible actions for mitigating such threats. A team of six subject matter experts (including myself) in EMP threats and effects, including damage susceptibility and consequences, conducted this work. Included in the team were two members with significant expertise in modeling national infrastructures and their interdependencies. Our assessment and recommendations do not constitute a position of or an endorsement by Sandia National Laboratories. Rather, they represent the conclusions the team reached after conducting a technical service Sandia is frequently called upon to perform for national security purposes. The team's high-level observations and findings were threefold: The reports are comprehensive, and the authors' knowledge about the U.S. power grid design and operations, as well as solar-induced and nuclear high-altitude EMP (HEMP) environments, is impressive. 
The work represents an excellent start on modeling a very complex problem, but it is not yet complete and, in our view, should not be the basis for any short-term national decisions on whether and to what extent to harden the U.S. power grid solely against nuclear HEMP threats. Further study of this complex problem is recommended in order to include computer-based simulations and experimental testing to better understand, validate, and add to the existing work so that a complete understanding of all the risk factors and associated uncertainties can be obtained to support ongoing decisions. Some additional general comments about the reports that the Sandia technical peer review team provided to FERC include the following: The identified threats appear to be worst-case nuclear HEMP threats, but no details are provided to indicate the seriousness and plausibility of such threats or what might be the full spectrum of possible HEMP threats. Not all nuclear bombs are created equal; technical details matter--details not only on the potential severity of nuclear HEMP effects, but also on the likelihood of such threats ever materializing. Further elaboration on this aspect is warranted but must be done in a classified setting. Numerous assumptions are made about the nuclear HEMP environments' coupling efficiency into the exposed power grid and about the susceptibility of key system elements and the upset or damage that might occur to those key elements (that is, protective features, control systems, and the high-voltage transformers). Few to no data and only a few referenced citations and limited technical analysis are offered to buttress the assertions made. Many assumptions are also made about the power grid and the type and implementation of its equipment. The power grid referenced in the reports as the ``normal grid design'' is portrayed without any information about validation from utilities. 
Assumptions about age, design, and failure thresholds of transformers introduce additional uncertainty and are based on limited samplings of transformers of a particular type and from a clear source. All the assumptions point to large uncertainties in the output results and interpretations from the model; therefore, statements on the number of ``at-risk'' transformers and the severity of the regional damage should be viewed as illustrative only. More modeling and simulation and experiments to characterize the response space of these key elements are recommended. Finally, in our team's view, the reports' assessment of possible effects on the U.S. power grid as a result of nuclear HEMP attacks is too negative, based on a series of compounded, apparently worst-case assumptions. The reports lack discussion of the effect of possible uncertainties and mitigators on the results. More detailed and specific technical comments were submitted to FERC for its consideration, and those can be provided upon request. sandia team's position on electromagnetic pulse (emp) threats to the u.s. power grid Background on Nuclear High-Altitude EMP (HEMP) Threats: Effects, Damage, and Hardening Nuclear EMP effects at Earth's surface are created by nuclear bomb explosions high inside the atmosphere (at an altitude of 40-100 kilometers) and in near outer space (from 100 kilometers to hundreds of kilometers above Earth's surface). According to publicly available information, both the United States and Russia experienced and characterized this class of nuclear weapon effects in the early 1960s during their high-altitude nuclear tests. The type and yield of the bomb and the altitude at which it is detonated primarily determine the strength of the EMP effects at ground level. Once the nuclear bomb's parameters are defined, predicting nuclear HEMP environments with computer-based models is a well-established capability in the United States. 
The hostile nuclear EMP environment is created by the gamma-ray output (as well as x-rays and bomb debris for exo-atmospheric bursts) from the nuclear explosion (the ``source'') and the subsequent electron generation and dynamics within the atmosphere and magnetic field perturbations outside the atmosphere. Nuclear bomb explosions at high altitude in the atmosphere and in near-Earth space create three distinct components of EMP threats that are characterized by the timeframe over which they occur after the burst (from nanoseconds to a microsecond, from microseconds to a second, and from a second to many minutes). These electromagnetic threats are termed the E1, E2, and E3 components of nuclear HEMP. Each EMP threat component has different electric field strengths (typically ranging from kilovolts per meter for E1 to volts per kilometer for E3) and frequency content (ranging from many hundreds of megahertz to many hertz) that ultimately determine how much current is ``coupled'' into which parts of the exposed power-grid infrastructure elements, and whether or not that component will be temporarily or permanently disabled. The EMP waves travel downward (or ``propagate'') to the ground at the speed of light, exposing objects to the EMP threat waveforms. The amount of damage, if any, to the exposed electronics (for example, grid control centers and supervisory control and data acquisition, or SCADA, elements) and objects (such as transformers) connected to long electrical conductors (such as long power and copper communication lines) depends on how much energy in the form of induced electric current couples into the object or item that was exposed to the EMP. The added current going into an exposed electronic component or item of electrical equipment represents an ``insult,'' over and above the normal operating conditions within the component that can then cause an upset or burnout of the object. The U.S. 
nuclear EMP effects community has the computational ability to model the created EMP threat waveforms from the source and propagate them down to the ground and thereby to exposed objects. This community is also generally able to calculate how much current is induced in exposed conductors (for example, long lines) and well-defined discrete objects (such as buildings and electronics boxes). However, the more complicated the exposed object's design and geometry (for example, the design and geometry of a transformer), the more difficult it is to computationally model the induced current. Therefore, experiments are also conducted to help characterize the induced, or coupled, current insults as a complement to computational modeling approaches. The ultimate response of the exposed component or subsystem depends on the magnitude of the incoming current insult (how many amperes and over what timeframe). Sometimes, the high current insult burns out a sensitive device or circuit inside the exposed object, and the item is then permanently damaged. That is, the component will no longer work, and it would need to be replaced with a new component before system functionality and operability could be restored. For more moderate incoming current insults, local heating is generated inside the object because of current dissipation, and the local heating can have a temporary disruptive effect. Once the generated heat inside the object is dissipated, the object can return to normal functionality, but sometimes this return to functionality occurs only after human intervention to power down and power up the object. If the incoming current insult is low and not significant, the object can absorb the current insult and continue operating as designed. If the component is simple (for example, an electrical circuit or device), we can model the response of the exposed object to the current insult and thus determine whether it would be upset or damaged. 
However, many electrical components, subsystems, and even integrated systems have complex designs and constructions, and therefore we must resort to a combination of computer-based models and experimental test-based approaches to understand their response to the EMP-caused current insults. For complex, interdependent linked systems, such as the U.S. power grid, it is essential that computational and experimental modeling approaches be combined in order to verify and validate that the correct problem is being modeled and acquire the right level of confidence in the results. Once an electronics-based device, component, subsystem, or system has been fully characterized to nuclear HEMP threats and has been found to be susceptible or vulnerable to the EMP-induced current insult, adverse effects (such as temporary or permanent failure) can be mitigated in several ways. One would want to consider mitigating the adverse effects, especially if that component is a critical element in a larger networked system. A common approach for mitigation is to harden the exposed object(s) against the EMP threat using a range of well-established design hardening techniques, such as Faraday-cage shielding, grounding, filters, fast-acting current shunt devices, and responsive control systems to manage the effects that could start to cascade across a larger network of linked objects. If hardening against EMP effects is done early in the design definition and development process, before manufacturing, it can be added in the easiest and most cost-effective manner. The designer must know ahead of time the expected nuclear HEMP threat environments and the required level of hardness for the exposed component or subsystem needed for continued operation after the EMP attack. The U.S. electric power grid contains some level of inherent hardness to the three nuclear EMP components. 
E1 (the high-frequency component) corresponds to electromagnetic interference threats from nearby transmitters (for example, cell-phone, radar, TV, and Wi-Fi transmissions), and electromagnetic compatibility standards are followed to protect against such electromagnetic threats. The E2 (mid- frequency) component corresponds to the EMP from nearby lightning strikes, which the power grid is already protected against. Finally, E3 (the low-frequency component) corresponds to solar-induced geomagnetic storms and the resultant ground-induced current threats, which the power grid is already resilient against to a degree and is more resilient against in some northern latitudes. A key unanswered question remains: How much more severe would the full range of possible nuclear-driven E1, E2, and E3 components be, and what level of protection would the existing power grid have against HEMP effects generated by a nuclear detonation? The answer depends, in part, on the type, yield, and detonation altitude of the nuclear bomb that produces the HEMP effects, the real-world orientations of power grid elements relative to the detonation, any inherent shielding properties of the exposed infrastructure elements, and the robustness of the exposed elements to withstand the EMP insult. More computer- based modeling and simulation, as well as experimental testing, would provide a basis for a more complete understanding of the response of the power grid to a HEMP attack and of the specific hardening measures to be considered for addition to the grid. 
As new technologies are studied, developed, and added to the power grid (such as smart grid monitoring and control), being aware of and considering the evolving threat space (for example, intentional electromagnetic interference) and natural environments (such as variations in solar geomagnetic storm intensity) that could affect the performance and reliability of the new technologies may offer opportunities to add some level of inherent hardness against specific nuclear HEMP environments. Assessing the Risks Posed by Nuclear High-Altitude EMP (HEMP) Attacks In assessing the risk posed by nuclear HEMP attacks, we use the classical risk equation, where risk is expressed in terms of likelihood (or probability) of the attack, susceptibility (or vulnerability) to the hostile environments created by the attack, and consequence (or system-level impact) as a result of the attack. In the Sandia team's view, the likelihood of a nuclear HEMP attack occurring above the United States is very remote. The advanced nuclear weapon states have had the capability to do significant damage against the United States and our power grid for many decades, but they have been and hopefully will continue to be deterred from such attacks by a strong U.S. strategic deterrent. Some argue that terrorists who might someday gain possession of a nuclear device can conduct a similar type of attack and generate the same amount of damage. According to the team, the assertion that terrorists can use a nuclear warhead in a crippling HEMP attack against the United States is not credible, and the likelihood of something like that happening is low. More detailed explanation can be provided in a classified venue. In terms of actual susceptibility of the power grid to nuclear HEMP effects, the limited available data on damage effects make it difficult to know what will precisely happen to exposed elements across the grid, especially to the large high-voltage transformers. 
Given the amount of investment associated with potentially hardening against EMP effects, additional computational analysis and testing are needed for higher confidence in whether and to what extent exposed elements are susceptible to any temporary or permanent EMP damage effects. While computer modeling work to date has been extensive on the induced currents on exposed power lines, very few experimental data exist on how the exposed grid elements (the controllers, protective devices, high-voltage transformers, etc.) would actually respond to higher than normal currents. Highly instrumented testing of key power-grid components to E1 and E3 threat insults is recommended and should include characterizing how failures (physical damage) occur and at which insult levels they occur. Such data would help validate existing power-grid models, reduce inherent uncertainties about the amount of damage induced, and provide more confidence in the results. Finally, not enough data exist to confidently assess the extent of any power-grid outages from a nuclear HEMP attack and the amount of time needed for recovery. Several real-world examples have been studied of how the grid might respond to E3-like effects (for example, the March 1989 Hydro-Quebec grid collapse due to a severe solar geomagnetic storm and the August 2003 power outage in the Northeastern United States), and table-top exercises have been developed on how utilities would find and fix the resultant EMP-induced damage and bring the grid back online after a certain period. However, one can only parametrically evaluate the impact of nuclear E1 and E3 attacks because we do not know the level and extent of damage that would actually occur. If additional data were to become available on E1 and E3 damage effects and lethality levels of critical power-grid components, then the basis would exist for more-confident U.S. power grid simulations of the extent and magnitude of damage and the resultant recovery times. 
summary and conclusions From an integrated ``total'' risk perspective, the Sandia team considers nuclear HEMP threats to be of remote likelihood. Also, the true extent of the grid's susceptibility and vulnerability to such effects (be they temporary, permanent, or even not present) and the resulting consequences (damage extent and period they would be lasting) are mostly unknown, except for the assumed worst-case environments and assumptions made in the current nuclear HEMP threat studies that the Sandia technical peer review team evaluated. We commend FERC and the authors of the studies for their excellent work to date on evaluating the impact of EMP threats to the U.S. power grid. However, we respectfully suggest that more computational and experimental work is required before fully informed decisions can be made about where and to what extent the power grid should be hardened solely against nuclear HEMP threats. If the decision is made to protect the power grid against a broader set of likely EMP threats, including solar geomagnetic and electromagnetic interference threats, then an awareness of nuclear HEMP environments and effects should also be considered. The Sandia technical review team recommends that this complex problem be studied in more depth in order to include results from additional computer-based simulations and experimental testing. Specifically, under nuclear HEMP threat conditions, how do high-voltage transformers and their protection and control elements respond to the range of induced current insults, and if they fail, how do they fail? Answering such questions would provide critical data to enable better understanding and validation of results by advancing a complete understanding of all the risk elements, as well as quantification and reduction of uncertainties in order to fully inform decisions that may be made about the U.S. power grid. 
We suggest that a graded hardening approach could be considered, whereby selective hardening could be accomplished easily and cost-effectively, in combination with addressing new and emerging threats to the grid (for example, intentional electromagnetic interference). Also, by further evaluating the consequence of EMP attacks on mission-critical U.S. installations and functions (for example, important U.S. war fighting or continuity of operations), specific sites may be identified that may require selective EMP hardening. The Chairman. Thank you all very much. Let me start with a few questions here. Mr. McClelland, your testimony, as I understand it, is that the Commission's legal authority is inadequate and that the draft legislation that we've prepared addresses many of those issues. Can you be more specific as to the ones we are not adequately addressing? Mr. McClelland. The draft legislation provided the Commission with the ability to address vulnerabilities rather than wait until there was a designation that there was an imminent danger. The legislation allows the Commission to address the vulnerabilities. We believe from the read that it also addressed a situation where it may not be appropriate or it may not be possible to wait for the ERO to develop a standard to address a specific issue. For instance, a particular threat against a utility or a grouping of utilities that serves a particular military base. There may need to be some interim action that they take. It wouldn't necessarily be applicable to other utilities. We believe from the read that we have that the Commission wouldn't have to wait until the ERO made a designation about a particular standard or attempted to craft a particular standard to address that circumstance. The Commission would be able to move directly to address that issue. The Chairman. You're giving us an example here. Mr. McClelland. Yes. The Chairman. 
Where the draft does give you, in your view, the authority that you would need to deal with a situation. Are there instances where you think the draft fails to give you the authority you need to deal with particular situations? Mr. McClelland. No, not in particular. There are areas where the Commission does not have authority under 215. Some of those exclusions, for instance, for allowing Alaska and Hawaii continue. But the draft does address that circumstance in another manner. Except, I guess, the point would be that if it addresses-- if it allowed the Commission to address vulnerabilities. If it allows the Commission to reach beyond the definition of bulk power system. If it allows the Commission to address EMP and non cyber aspects, then it would address the issues that I raised in the testimony. The Chairman. OK. Ms. Hoffman, did you have any comment on any of this? Ms. Hoffman. No, I don't have any comment. The Chairman. OK. Let me ask on this EMP thing because I heard your testimony, Mr. McClelland. You were talking about EMP generally, as I understood it. You had this particular reference in here which I thought was pretty startling where you say that the study has been done assessing the 1921 solar storm which has been termed a one in 100 year event. Applying that, what happened in that 1921 solar storm to today's power grid. The study concluded such a storm could damage or destroy up to 300 bulk power system transformers interrupting service to 130 million people for a period of years. That's very different than what Mr. Tedeschi was referring to. As I understand it he's talking about the electromagnetic pulse problem which could be created by a nuclear blast intentionally by someone. I guess I'm just unclear. You think you don't have the authority to take the appropriate or to require the appropriate hardening to deal with either of those circumstances? Is that what I understand? Mr. McClelland. 
The Commission's authority is coupled through the Standards Development Process. The Standards Development Process is too slow. It's too unpredictable. It's too open to address national security threats. So the Commission may order a standard be returned on a particular matter. But it can't be prescriptive or specific. It can't write the terms of the standard. It can only turn the standard over to the ERO for standards development. The Chairman. OK. So I think, I believe Mr. Owens made the point that there are 2, sort of, parts of this problem we're trying to deal with. One is the problem of potential vulnerabilities. That would be the electromagnetic pulse issue. Then there's the other part of it which is the potential of imminent threats and the ability of the Commission to act or the ability of anyone to act quickly to deal with immediate imminent threats. You're basically saying that you believe something like what we've got in draft form here is essential to shore up the ability of the government to deal with both sets of problems? Mr. McClelland. Yes. It would allow the Commission to address a sophisticated and targeted attack or an event aside from the Standards Development Process. That's right. The Chairman. OK. Senator Murkowski. Senator Murkowski. Thank you, Mr. Chairman. Just to follow on to the questions here. I direct this to you, Mr. Tedeschi. When we're talking about the EMP attack or geomagnetic disturbances, these are not new in the sense that we're just now learning of them. So given the knowledge, given what we have in terms of the potential for these types of disruptions. What have we done to date in order to protect the grid? I'll ask you and then if others can step up here. Mr. Tedeschi. Senator, I would just suggest that the geomagnetic threats mimic part of the nuclear EMP threat space. The geomagnetic threats do occur with regularity. The severity of those is ongoing in terms of our scientific understanding. 
Those threats have manifested in the past. There are examples where elements of the grid have gone down. The utility owners, NERC, FERC, others, have responded to those. In some cases, added some hardening against the geomagnetic EMP threats. Our view on the nuclear electromagnetic threats there's the component that mimics the geomagnetic threats that it's a very low likelihood of occurrence. So from our perspective if the utilities, if NERC, FERC, the legislation, allow DOE and others to harden against the geomagnetic threats, which are real and do occur. That will provide an inherent level of hardness against nuclear EMP threats if those were to occur someday. But I think others are more able to answer the question of likelihood and the severity. Senator Murkowski [presiding]. Ms. Hoffman. Ms. Hoffman. Part of the problem is a natural progression over time. Some of the older transformers may have some weaknesses in them that make them more vulnerable to any sort of event. Some of the newer transformers in use have a stronger capability to withstand certain incidents. Part of the discussion and the investigation that needs to take place is what level of protection do we want to require transformers and the electric grid to have, what level of event should they be able to withstand? Do we want to protect against the 1921 event with very high induced currents or do we want to actually look and say here is a median level of event which the industry should progress to protect against with respect to transformers, with respect to harmonics on the electric system. So a lot of this discussion comes down to the parameters that we should be building the technology to withstand. That's the direction I think the conversation is evolving toward. Senator Murkowski. Mr. McClelland, did you want to go ahead? Mr. McClelland. Sure. 
There are operational procedures in place today where if the industry is alerted then they can take precautions to go in the more conservative operations to protect equipment. The problem is though that we haven't seen a 1921 event. A 1921 event, we found from our assessment, could be catastrophic in nature to the grid itself. So the question would be not so much as to what level we dampen to, but can we block all events. The answer we think is, yes. But there's still some work to do as Mr. Tedeschi pointed out. We still need to identify the proper equipment. Test the equipment. Then move for mitigation against these events. Then we wouldn't have to worry about whether we have a 25 year event, a 50 year event, a 100 year event. If we block it, it's taken care of. It's an automatic mitigation method. We don't have to rely so much on human intervention to save the grid in a circumstance like that. Senator Murkowski. Thank you. Mr. McClelland. But to also answer your question directly. There's been very little, if any, hardware mitigation that's been put on to protect from say, solar magnetic disturbances on the grid. Senator Murkowski. Thank you. Mr. Cauley, you want to finish it up? Mr. Cauley. Thank you. I really think that Mr. Tedeschi's testimony hits on the issue of sorting out the key issues. We're focused at NERC and I think working with the industry to resolve the solar magnetic, geomagnetic issue. We did have a major storm in 1989 that blacked out Quebec. I think the industry learned from that. There was a lot of equipment hardening in the northern latitudes where it's more of an impact. I think as we look at the risks of a larger storm we have to ask ourselves, you know, how much further down into the continent would it extend. So we are working to upgrade notice procedures, advance warning systems and also doing engineering studies. 
If we did the hardening, as being suggested here, it will affect other issues like clearing of electrical faults and the dynamic behavior of the system. So we have to study it. Be very careful about changing the system in a way that does not cause harm in other ways. So we're focused now on this solar magnetic and geomagnetic disturbance issue right now. Senator Murkowski. Thank you. My time is up. I just want to ask very quickly. Is there a greater incidence of the solar magnetic, electromagnetic in the northern altitudes? Mr. Cauley. Yes. The impact, depending on the--it's a very dynamic situation. But if the pulse hits the Earth's magnetic field that the disturbances most severely affected in the northern latitudes. So the larger the pulse from the sun, the further down it can extend into the middle latitudes of the United States. Mr. McClelland. May I just quickly add to that? Our study did consider the likelihood of a solar magnetic disturbance over Winnipeg, Manitoba versus Minneapolis, Minnesota found that they were equally likely to occur. In fact if it happens over Minneapolis, Minnesota the number of bulk power system transformers that could be damaged/destroyed reaches over 1,000 rather than 368 which was on the Winnipeg, Manitoba incidents. So it can center. But it can also--it can move around. We just don't know where it will be. We don't know when it's going to happen again. We just know with certainty that it will happen again. It's inevitable. Mr. Owens. May I add to this conversation just very briefly? I do agree in what they're demonstrating is there's no perfect solution. Mr. McClelland made a reference to the potential destruction of 300 transformers as he related back to the prior major solar activity that we had in 1921. One of the things that we're seeking to do in the industry, we're working very closely with NERC is to harden our systems, create redundancy in our systems. 
With respect to transformers, we are making sure we have spare transformers. We have a very substantial spare transformer inventory that the industry, for several years, has been committing resources to because we recognize how critical the transformers are. If you lose a transformer it takes a while to restore service. So we're working to make sure we have this redundancy in our transformers. There are other elements, critical elements of our network as well that we're looking at. But there's no perfect solution. It's very important that you have the redundancies and the hardening of the system. But it's equally important that you're able to restore service as quickly as possible. Senator Murkowski. Thank you all. I am way over time. I apologize to my---- The Chairman [presiding]. No problem. Senator Burr. Senator Burr. Thank you, Mr. Chairman. As interesting as EMPs and solar magnetic pulse is, I'm going to try to stay away from that. As the only member here today of the Intelligence Committee, I'm going to try to focus on the realities of the threat that's out there and maybe the options that we have. Ms. Hoffman, what analytical assets does the DOE have to identify any intelligence threats? Ms. Hoffman. The intelligence cyber threats comes through the Department, Office of Intelligence shop, not through our organization, the Office of Electricity. We coordinate with our intelligence office as well as with DHS. Senator Burr. The analytical work for what the DOE receives is from multiple sources. Ms. Hoffman. Yes. Senator Burr. It comes from DOD. It comes from DHS. It comes from NSA which is part of our problem. Now Mr. Cauley, if I understood your testimony correct, NERC currently has direct contact with the intelligence community. Is that correct? Mr. Cauley. That's correct, Senator Burr, with multiple agencies. Senator Burr. So you're part of that intelligence loop right from the analyst? Mr. Cauley. 
Those are primary sources that we use to get information to industry to take actions. We have, myself, top secret clearance and others on staff have clearances to receive that information. Senator Burr. OK. Mr. McClelland, where does FERC currently get their intelligence from? Mr. McClelland. We get our intelligence from DOE, CIA, NSA and DHS. Senator Burr. OK. How many people have the security clearance to say, sit down with CIA to get information from them? Mr. McClelland. We have 3 people in our organization that have SCI clearance. I couldn't give you the specific number, but we have several more that have TS clearance. All of our chairman and all commissioners have TS clearance. Senator Burr. Under the joint draft, FERC would be authorized to develop standards to address cyber security vulnerabilities for utility generation, transmission and distribution. Who currently has jurisdiction over the distribution system? Mr. McClelland. The States do. Senator Burr. Under this would that then supersede the existing authority? Mr. McClelland. I think the way the legislation is written, I think the Commission would have the ability to write cyber security or non cyber standards for distribution. Senator Burr. Let me ask an open question. Why should we give FERC, who is the economic regulator of markets, jurisdiction over distribution? Mr. McClelland. Section 215 of the Federal Power Act gave FERC jurisdiction over both cyber security and reliability standards. Senator Burr. I realize we did. Understand that today. We were very early into sort of the threat---- Mr. McClelland. Right. Senator Burr. Generation that we're in now. Personally if I had it to do over again, I'd love to see the focus of this on how we remove the authority that we gave to FERC. 
Because I believe as a country right now, we're--we've got the authority in too many different places to be responsible for a threat stream that by the time these agencies are notified, quite frankly, it may be too late for the immediacy of a threat. I was more impressed with Mr. Owens' answer, even though it was on EMP and solar magnetic. The industry is making the advances that they need to to respond, to get back up and running. The NERC, if we need to look somewhere, I guess our question should be what additional authority do you need to do what you're currently doing versus to bring anybody else new into the process of mapping out a pathway forward for the infrastructure and its integrity? Mr. Cauley, I'm giving you an opportunity. What do you think? Mr. Cauley. If that's a question, Senator Burr. I did point out in my testimony that the one gap that I sense right now is if there is an imminent threat or vulnerability and we need industry to take action then we do not have the ability to make enforceable directives to industry. That has to be done very carefully. I'm not an operator. Mr. McClelland is not an operator. We don't want to order the industry to take an action that has risky consequences. Senator Burr. If you were to take an action or if we were to give you the authority over distribution and you made determinations under the guidance of cyber vulnerability. Who pays for it? Who pays for that? Mr. Cauley. The rate payers. Senator Burr. Rate payers. Let me just suggest to you regardless of how we move forward. Let's consider the fact that the rate payers are going to pay for this. We don't have the luxury of doing everything that one might think we should do to protect ourselves. I would only say this as a member of the committee, you can't do enough things to protect us 100 percent from the threats that are out there. So let's recognize the fact that there's got to be some consideration on cost and a big consideration on who pays for it. Mr. 
McClelland. Mr. McClelland. I wanted to say one other thing to revisit the point that you had before about distribution. The problem with distribution is that if there are 2 way communications between distribution and say, the bulk power system. You know from your experience that any time there's 2 way communication there's a chance for corruption. Currently there are 50, say 50, different agencies maybe looking at cyber security, maybe not. We've got wide scale deployment of smart grid equipment that depends on 2 way communication. So all I'll say is regardless of where that authority falls there is a gap in the authority. It's a significant gap when it comes to cyber security. Thanks for---- Senator Burr. I appreciate that comment. This would be a personal observation with what we don't know today. I'm more encouraged to slow down the implementation of smart grid technology until we learn the things that we need to learn to implement it with a great deal of confidence. Thank you. The Chairman. Senator Udall just arrived, but he has indicated that he would like Senator Lee to go ahead with his questions before he does questioning. So go ahead. Senator Lee. Thank you, Mr. Chairman. Thanks to all of you for joining us here. The joint staff draft would give authority to DOE and FERC or a combination of the 2 of them to order electric utilities and others to take action to avert imminent danger that could stem from an imminent cyber security threat. If what we're talking about is cyber terrorism does it make sense to put that authority in any of the agencies that deal with intelligence? For example, the intelligence agencies that are gathering the information that would signal this sort of a threat or does it make more sense to put it in a Federal regulatory agency that deals specifically with energy? Ms. Hoffman. To begin with, the approach has to be comprehensive. It has to involve both FERC and DOE, in fact the whole government. 
The intelligence agencies do a very good job in analyzing the information. The operators are the folks that actually look at the operations of the systems will be best to help develop the mitigations and the solutions. From my perspective it's a partnership that's required. Senator Lee. Is this, following up on Senator Burr's line of questions. Is this something that necessarily needs to be Federal? Is this something that could not be done on a State by State basis with State regulators working in concert with Federal authorities? In other words from a regulatory standpoint should the regulator be Federal or should the regulator be State? Mr. Owens. I might seek to respond to that, Senator. I think you have to make a distinction between an imminent threat and cyber vulnerable assets. With respect to an imminent threat it makes sense to me to believe that you need a Federal agency that sees that intelligence information. So you can act decisively. I spoke earlier about the need for horizontal communication. So it means that the FERC, as an example, and the Department of Energy and the Department of Homeland Security, all those agencies, those who have intelligence about the imminent threat and those who have the understanding and the authority to order a change in operations. They should be working collaboratively. When you look at the issue of a cyber vulnerability, a critical asset, that takes more time because what you want to do is you want to make sure that you've hardened the system and you've prevented a potential cyber disaster in the future. That requires coordination with the industry. It requires complete coordination with the government agencies that are affected. Where it gets real controversial or difficult is if you suggest that all assets need to be looked at by one Federal agency. When we recognize that we also have State bodies that look at these issues. 
It seems to me a very clear way to do this is to make sure that there's that vertical dialog between the Federal Government and the State agencies, who daily deal with these issues as well. They deal with cyber threats at the distribution level. They work very closely with their local law enforcement agencies. They work closely with the FBI. They're very much aware of some of these threats that are involving their local utilities. What I believe is important to make sure is we don't have a gap. I don't believe we have a gap. I think those agencies are taking on their responsibilities very forcefully. I believe those agencies, those State agencies are working very closely with the Federal Government in trying to understand what those imminent threats are and the actions that have to be taken. So I would encourage us not to give the impression that the State agencies aren't doing their job because they are. Senator Lee. Mr. McClelland, I wanted to follow up on a different issue with you. You referred to the fact that if we had another 1921 style event that it could knock out, did you say 300 transformers? Mr. McClelland. Over 300. It could affect over 300 transformers, 368 is the exact number. Senator Lee. Potentially affecting how many customers? Mr. McClelland. 130 million customers. Senator Lee. I think I heard you say that some of those could be affected over a 10-year period is---- Mr. McClelland. No. Yes, they could be affected. There could be service interruptions for over a 10-year period. Senator Lee. That's simply because it could take that long in order to restore all the equipment that would be destroyed by the one event. Mr. McClelland. Right. The bulk power system transformers are typically about a 52-week or 1-year lead time. They're not produced in the United States anymore. We are dependent on other Nations to bring them forward. There is an existing queue of transformers that need to be built. 
Developing Nations such as China are using lots of those slots in the queue, the ordering queue for those transformers. Senator Lee. OK. Is there anything we could do in that circumstance to shorten that time period? I mean, I assume we could ramp up production of those. Mr. McClelland. Yes. Senator Lee. Faster, so you're presupposing that were--that our production rate would be roughly what it is now. Mr. McClelland. Right. We could attempt to attract manufacturers to the United States. We could ask for expedited delivery. Perhaps pay some fee to have expedited recovery. But there's not a lot more than that. The transformer capacity is the capacity. So other people would have to get out of the queue, stand aside, for us to have those units built. Even then the throughput of those facilities is limited. Senator Lee. OK. I assume it's not pragmatically plausible. I'd say it's not possible or practicable to produce a transformer that is immune from this sort of pulse. Mr. McClelland. There are blocking devices that can be employed. The devices are not widespread though. They haven't been deployed. So there are conceptual ideas that we've seen. They need to be prototyped and tested. I'm an electrical engineer having spent almost 27 years in the business. My recommendation would be to automatically block this on the most susceptible or most critical elements of the bulk power system so we don't need to stand in line after a solar magnetic disturbance to wait for transformers. Senator Lee. OK. Mr. McClelland. One thing, if I could just revisit very quickly. FERC is more than an economic regulator. My office has about 135 employees. Most of those employees are electrical engineers with advanced degrees with vast experience in the electric utility industry. Senator Lee. OK. Mr. McClelland. So we do have expertise with---- Senator Lee. Just going to the technological expertise within your agency that could qualify you to---- Mr. McClelland. To deal with---- Senator Lee. 
Deal with these situations. Mr. McClelland. To deal with new section 215. That's not to minimize what DOE or what the industry does. But it is to fairly represent what we do at our agency. Senator Lee. Thank you. That's all. Mr. McClelland. Thank you. Senator Lee. Thank you, Mr. Chairman. The Chairman. Senator Udall next and then Senator Hoeven. Senator Udall. Thank you, Mr. Chairman. Good morning to all of you. This is an important and timely hearing, and I want to acknowledge the leadership of the ranking member and the chairman. I sit on the Armed Services committee. I sit on the Intelligence Committee. I sit on this committee. This is a truly complicated challenge for us. There are many entities and agencies involved. But all of that doesn't lessen the threat. I think the longer we delay obviously the more we may experience an incident that we will regret. The military is moving aggressively toward islanding some of their facilities. Because I think they see that as a necessity. So my appeal to all of you and all of us is to focus on this and truly get something done in the near, near future. In that spirit, hope there's a bit of positive thrust in that spirit. But I want to turn to the Secretary and Ms. Hoffman. In the report just last month, April 2011, McAfee and the Center for Strategic International Studies, CSIS, stated that the ``adoption of security measures continues to grow,'' but ``unlike threats and vulnerabilities, adoption of new security measures is improving at a snail's pace.'' Do you think that characterization fairly describes our Nation's electric industry? Ms. Hoffman. The adoption of technologies is slow. First of all we have to look at the availability of new technologies to address security issues. The cyber security environment is changing on a real time basis. The capabilities of the adversary are also changing. 
But it takes time to deploy new technologies, and the electric industry tends to follow a longer timeline with respect to transferring out older technologies and bringing new technologies in. So there are several factors compounding an already complex issue. What we need to do is enable technologies to be upgraded in a more timely fashion. We also need to continue to test new technologies. We also need to build a stronger work force so that as we move forward we can get better adoption of the technologies into the system. Senator Udall. Do we need to call--I know we do this in this town, but a summit of all the stakeholders and look at that Gordian knot sitting in front of us and all maybe, put our hands on the sword and cut through it? My concern is that we continue to point fingers in every single direction. Nothing is really going to happen until we're forced to react. That's not the right position to be in. Ms. Hoffman. We need to continue to have dialogs to get ahead of the game. It comes down to understanding what are the priorities for the issues we need to address, analyzing are we actually complete in our strategies, and whether there are any gaps with respect to protecting the system. Then we need to make sure that there's a comprehensive look at what the impact and the costs are of implementing new strategies and solutions. Senator Udall. Mr. McClelland, if I might turn to you. Could there be circumstances where FERC ought to have the capacity to just order measures first rather than work through the ERO? Mr. McClelland. Yes. I think there could be. I really think that those circumstances should be very limited and should be emergency type circumstances. There may be a particular instance where CIA or DOE or DHS uncovers an attack vector of vulnerability that could be exploited. Something like Aurora, maybe there's not enough information to show that it's an imminent danger. But it's certainly a viable vulnerability. 
The facility that would be interrupted would be critical. It may not be applicable then to everyone else. But that entity may need to go to a heightened state of readiness. They may be what we would term in case of emergency break glass scenario where they disconnect remote operations at some facility for some period of time. There could be limited circumstances like that where a standard wouldn't be appropriate. But it would be very important to FERC to move quickly if it's given this authority, to order those mitigation measures to work with the affected entity to get those in place. Senator Udall. I want to give Mr. Cauley a chance to comment. But I would add this observation. I serve in the U.S. Senate. We have 50 States represented here. We can be very decentralized. We can be very focused on our own regional or State interests. So I have some sympathy for the challenges that you face. But I appreciate your comments in this regard too. Mr. Cauley. I think there is a need, Senator, for some, as Mr. McClelland is suggesting, some ability to get information and actions out to industry quickly. But I don't know of any one place or any one authority who is the smartest on the planet, who knows the right answers all the time. Can issue that order without any risk. So I would encourage whatever we end up with that there be the opportunity for consultation with those who have to be involved in that decision. I think the perception that's been painted that the industry really hasn't done anything and is slow is a false one. I'd encourage any of you in your own States to go visit your local utility control center who fall under our standards. You will have a hard time getting in. You certainly won't touch any of their computers. They'll ask you for devices that you have on you. It's like going into a government facility. So I don't think the industry likes to advertise how secure they--all the work they've done to secure our systems. But there is a lot of work going on. 
In our standards we've found--this number may be corrected, but at least 1,500 violations of cyber security standards. So we are actively out there beating on this day in and day out. Folks are fixing it. So it's not like we're standing still. Senator Udall. Thank you. The Chairman. Senator Hoeven. Senator Hoeven. Thank you, Mr. Chairman. I'd like to follow up on Mr. Cauley's statement. Ask each of you just--and I'm trying to get a sense of consistency or where there's differences in your opinion. How secure is our system? Is it secure? Is it very secure? Is it secure or do you think it needs significant improvement? I am looking for kind of like say, following on your statements saying that boy there's a lot of work being done. Generally I get the sense you feel the system is secure. What is everybody's opinion in that regard? Ms. Hoffman. I will first say it depends on what we're securing against--from known issues where we can share the information with the industry or unknown issues. Senator Hoeven. Let's just start with a cyber attack of some kind. Somebody trying to put in a worm or some type of, you know, software attack of some kind to disrupt the system. Ms. Hoffman. There is a level of security out there already. Yes. Senator Hoeven. That's pretty, kind of, noncommittal, so. Ms. Hoffman. OK. Senator Hoeven. So we're secure or? Ms. Hoffman. We're secure to a point. There are vulnerabilities with human interface, so that if it's a worm or some human interaction continues to perpetuate that. Senator Hoeven. Recently the Israelis developed a cyber attack on the Iranian nuclear power development system. Could that type of worm be put into our system and disrupt power supply in the United States? Ms. Hoffman. I don't have the specific details on those worms. So I can't give a very good analogy to that specific example. The issue is there's always room for improvement. 
What we need to do is to react quickly, be very quick on our feet, be able to deal with any sort of event that comes out. The industry needs to react quickly to the event. One of the things we need to do is to provide for information exchange so that we can act quickly. That is the capability we need to go after. Senator Hoeven. If the Secretary of Energy has the ability to intervene in that type of event or concern that that type of event occurs. How is that decision made? How do they intervene? Ms. Hoffman. With respect to the Secretary of Energy, under the Cyber Space Policy Review, there is a national incident management process under development in the Federal Government. DHS has a national cyber security control center that we all participate in within the energy sector. ISAC also participates in that. When a cyber event occurs, the information is shared. Next a coordination group is formed that identifies the potential impacts and consequences and the potential mitigation solutions. Senator Hoeven. So then if each of you would just comment in terms of what you perceive that risk to be whether it's a high risk or whether we have strong security in place that would mitigate it and our ability to react. Mr. McClelland. Really when you're talking about as many utilities as you are, you're talking about absolute worst practices up to absolute best practices. So it depends on the entity that's defending and it depends on the entity that's attacking. But with that said, if my personal level of confidence is not high. Because if the government agencies can't protect against a sophisticated Nation, State threat, advanced persistent threats that we've seen. I don't think that individual utilities will be able to. As tightly interconnected as the utility system is, it doesn't take much. It doesn't take many penetrations or many disruptions of pieces of equipment to cause profound analogies within the interconnections themselves. Senator Hoeven. 
Our ability to react in the event of that type of an attack?
Mr. McClelland. Again, it depends on the piece of equipment that's attacked. If it's a large generator, critical size generator and if it's a simultaneous attack on several of those facilities, those generators can take years to construct and put into service. So prolonged outages or prolonged disruptions or prolonged cases of reduced output, could be possible.
Mr. Cauley. Senator, the challenge you're hearing in the responses, I think the answer is both. I think systems are secure at a baseline level. I think there's the training. There's the tools, the procedures. The challenge is there are threats that exceed the normal capability and awareness of a civilian infrastructure. That's where the interplay between the Federal Government, who has intelligence of emerging threats and actors who would do things coordinated wide area attack on physical facilities, a very wide coordinated cyber attack that we're not aware of. But the practices, the normal prudent practices, I would say the industry has a handle on those. Those are things they're aware of. It's the emerging things from threats that we don't have sufficient tools at this point that we would like to make sure there's a good coordination between government and industry. What is it we're seeing? How can we respond and react to those kinds of things?
Mr. Owens. I think he said it well. It requires, as I was stressing earlier, tremendous coordination involving the government and industry. We've hardened our systems. But as was said earlier, there's no perfect system. We have to be able to restore service quickly if there's an outage. We have isolated assets that we think are very critical that provide some cyber vulnerability working very closely with NERC and with the Federal Energy Regulatory Commission. It was mentioned earlier about the new technology called modernizing the grid or the smart grid.
We're making sure that the equipment that we're installing to make that grid much smarter, that there are high cyber standards that have to be met by the vendors and the manufacturers. So it's an evolutionary process. It's not a static process. Our systems are not perfect. We are building redundancies. But again, there's still a lot of work that needs to be done. But it requires complete coordination between industry and government.
Senator Hoeven. Sir?
Mr. Tedeschi. Senator, I am not a cyber expert. So I must defer on answering the question.
Senator Hoeven. Alright. Thank you.
The Chairman. Let me ask about one other issue that's come up in the testimony that some of you've presented here. That is the whole issue of authority over the distribution systems. As I understand it, FERC's authority under the Power Act is over the bulk power system. We're trying to also deal with this cyber security threat in terms of the distribution systems because the whole thing is integrated. Let me just ask you, begin with you, Mr. McClelland, as to what your thought is as to what has been proposed in our draft to extend the authority to the distribution systems and what should be proposed and whether what we've got here is the right solution or whether there should be a different solution.
Mr. McClelland. I can comment on what's been proposed. Then I can also comment on what might happen if there's no distribution system protection. What's been proposed, as I read it, is an emergency authority to address a vulnerability that would have a profound impact on the critical infrastructure of the United States, a strong impact. That authority would have to be used very judiciously, very infrequently. So it would not be a normal authority, but it would be an authority where say a smart grid installation is proceeding and millions of meters have the ability to provide a denial of service to some critical bulk power system facility.
At least in my personal opinion, that may trigger that authority to be used. Without an authority over distribution though, it would be up to 50 States to determine their policies as to how the cyber security might or might not work. It may not be consistent. It may mean that distribution systems would have to be treated as a non-trusted source. So from a verification, from a communication standpoint with cyber security, it would be placed in an outside realm. It would also mean that there would be no protection afforded to them by any sort of a Federal program, a Federal standards or a Federal jurisdictional program.
The Chairman. OK. Mr. Cauley, I think you have testimony in here about concerns that we would be in this draft extending jurisdiction, the FERC jurisdiction, to the distribution systems while your organization would not be able to extend any of your activities in that area. Am I understanding that right?
Mr. Cauley. Yes, Mr. Chairman. Without taking a particular position about whether distribution should be included in the legislation or not, there are some concerns. First off, I think our standards and the programs that we have in place work well to achieve the reliability and security of the bulk power system. The question is do we want to extend now that same protection to the distribution system I think was a policy question that I won't weigh in on. But if it were the case where FERC had authority that was beyond that of NERC I think it would be at all times we could be looked at as being deficient because our standards don't extend out to the distribution area. So the point I made in the written testimony was I think to the extent we're going to cover cyber security between NERC and FERC I think the jurisdiction should be consistent between us.
The Chairman. But you don't think this distinction that Mr. McClelland is making between authority over to put in place standards to guard against potential vulnerabilities, that's one set of authorities.
A separate set of authorities is to take immediate action to deal with an imminent threat. You don't think it's appropriate that FERC have authority in that second area without NERC also having authority in that second area?
Mr. Cauley. I think it's beneficial to have alignment with our--between the FERC and the NERC. As our process--essentially when we send out alerts or actions it goes out to the same companies. It goes out to individual companies that operate both transmission and generation and distribution. So I think we would make the situation more complex and more difficult if we had, sort of, fractured jurisdiction.
The Chairman. OK.
Mr. Owens. May I respond to that too, Senator?
The Chairman. Sure. Go right ahead.
Mr. Owens. I would again go back to a distinction. For an imminent threat that puts our national security at risk, that puts our economic security at risk, I think it's very appropriate that the government act decisively and deliberately. That means Federal Government in close coordination amongst the various agencies that have intelligence information as well as the industry. So I think that's a no brainer that we've got to act decisively to protect our society and our way of life and prevent disruptions. When we're looking at the issue of vulnerability, of potential vulnerability, of an asset that could lead to a cyber disruption that could affect our society, I think it's grey. That area gets very grey. Where it gets grey is we know that the States already are dealing with that issue. I think that's what Mr. Cauley spoke to. I would have great difficulty if we said let's give FERC that authority and let them have that authority permanently to begin to develop standards that impact the distribution level, recognizing that we already have States that are intimately involved in these activities. A standard implies that you have to make changes in investments, in your resources and so forth. There's a cost associated with that.
Those State commissions have a responsibility of looking at those costs and the impact on consumers. So I'd have great difficulty suggesting that we give FERC permanent authority over distribution assets when we already recognize the States have a vital role in this area. I think it would add tremendous confusion.
The Chairman. But I don't think that's what we're doing. As I understand what the draft does and what I thought I understood Mr. McClelland to say was that we would be giving FERC authority to take action to deal with imminent threats in the distribution system.
Mr. Owens. I have no difficulty with that.
The Chairman. OK. So that's the limited authority. We're not saying from now on FERC has authority to set standards in the distribution system.
Mr. Owens. OK.
The Chairman. I don't believe. Is that a correct understanding?
Mr. McClelland. I think there is a distinction here that's important to point out. So and I wouldn't argue with Mr. Owens' point. But there are 2 authorities. One is for an imminent danger that goes to the DOE. One is to address a vulnerability that could provide, you know, an impact, a negative impact on a critical infrastructure. The difficult piece of this is to try to define imminent danger. In a cyber security realm--I mean it's not as difficult if someone is setting up an intercontinental ballistic missile. You can look by satellites to see the launch pad. For cyber security it may be a nondescript building with 100 people attempting to probe the system. So as long as the threshold isn't so high, imminent danger can be a very high threshold to prove. It may in fact mean that an attack is underway or there is already a problem that begins to materialize. So that's the distinction that I think that we would all wrestle with.
The Chairman. OK. Senator Murkowski.
Senator Murkowski. Let me just follow on to that.
Because it was my understanding that OK, we're in agreement that when we're talking about the imminent threats it's DOE that has that authority. They don't need to wait for anyone here. But with the less time sensitive vulnerabilities this is where FERC has that jurisdiction. But you have that stakeholder process with ERO under section 215 that says the stakeholders go first. So the concern that has been expressed and I'm not quite sure whether it was intentional, whether it was drafting error, where we are. But what I understand has happened with this. With the text that we're dealing with is that we may be in a situation here where FERC is able to bypass that stakeholder process with--which is not the intention. FERC could actually bypass and then effectively direct what the standards may be for--at this local level which I don't think is what we intended it to do. So the question then becomes do we need to clarify this within the draft language so that we do not effectively allow for that bypass. That it is clear that that stakeholder process has the authority to go first, if you will. Do we need to resolve within the language this discrepancy? Because it sounds like the chairman and I are both a little bit foggy on what it actually does. It sounds like a pretty critical piece of what we're trying to resolve here. Mr. Cauley.
Mr. Cauley. I think there could be some clarification as I had suggested in my testimony. I think the Commission has authority today to direct us to do a very specific standard and achieve a very specific outcome. If similar language is sort of repeated in this new legislation I think it would be very beneficial if it did provide for the Commission to give us a specific objective, a problem we're trying to solve and give an opportunity for the process to work. One of the difficulties I see with having a vulnerability section separately is the line between what we're calling vulnerabilities and threats is a very nebulous line.
Vulnerabilities can come out today. A premise be made that this is a vulnerability we need to solve in a week in the area of safety and reliability doing standards fast is not usually one of my first objectives. My first objective is to get it right and solve a problem. I think that carries over to nuclear safety, airline safety. It's not about being fast. That's where I suggest that our ability to issue a mandatory emergency directive whether it be for a vulnerability that has now just popped up or an imminent known threat coming in from an intelligence agency. I think we need to strengthen our ability to get those directives and immediate actions out and have them have teeth and have some enforceability with that. So----
Senator Murkowski. So are you suggesting that we should not have this bifurcation between the vulnerability and the imminent threat?
Mr. Cauley. I think it's an artificial one to be honest. I think to the extent that a vulnerability is an enduring vulnerability like a solar magnetic disturbance is. It's here this week. It's here next week. It's going to be here 10 years from now. That should be handled through our standards process. But the emergent dynamic issues that are coming up whether you call it a threat or vulnerability need some faster mechanism to respond to. I think that would be more appropriately handled through directives and actions in a, sort of in a near term basis with consultation from the entities that have to follow those requirements.
Senator Murkowski. Mr. McClelland.
Mr. McClelland. There is a bifurcation in the bill between imminent danger which is a threat and then vulnerability that exposes an imminent danger. So for instance, Aurora although it was demonstrated in a laboratory there was never any intelligence that anyone planned to use it. So it would fall under a vulnerability per se. So the bifurcation once we acknowledge the bifurcation, I personally saw it as 3 levels.
One would be the routine standards development process. The second would be a measure to address a vulnerability through the ERO and the stakeholder process. A third which would be an extraordinary level which would be something that needed to be done immediately that could not result in a standard. A good example would be say, distribution systems. There are no--the jurisdiction of the ERO does not extend over distribution systems. In that regard I personally thought it may be some sort of a targeted vulnerability that may be temporary in nature to address a specific issue. Without that vulnerability though, a personal perspective is that the cyber security would be extremely difficult to prove imminent danger. There would be no Federal agency that has the ability, be it FERC, DOE, DHS or anyone that would have the ability to trust but verify to compel action and make certain that that action is taken. So from, again from a perspective, the vulnerability in the manner in the layers that I represented, I thought would be adequate, somewhat extraordinary, but adequate to address any cyber security issues.
Senator Murkowski. Thank you, Mr. Chairman. Mr. Owens, you're shaking your head. I actually had a question for you about the NERC alerts not being legally enforceable. It was Mr. Cauley. You recognize that as a gap. I'd like that addressed. But I recognize that Senator Udall is here. Do you mind if I just finish out my question?
Senator Udall. Go right ahead. Sure.
Senator Murkowski. I have been running over the clock for the past 2 hearings.
The Chairman. Go right ahead.
Senator Murkowski. I'm very conscious of that. Mr. Owens.
Mr. Owens. I think we are making it far too complicated.
Senator Murkowski. I agree. It's getting tougher instead of easier.
Mr. Owens. Let me just try to be very simplistic in explaining this. One side we have imminent threats.
The other side we have assets that create a vulnerability where it could lead to a cyber breach that could be very disruptive to our society. On the imminent threat side I think all the panelists agree that it requires an agency that has intelligence about the threat working with other Federal agencies and the industry to be decisive. So irrespective of jurisdictional boundaries, it's irrelevant. We're trying to do something to protect our national security. So let's do it. So that's imminent. You got to act quickly. You got to act decisively. Let's do it. But let's make sure that folks that operate the systems are involved in the decisionmaking. So we make the right decisions, not a decision that's going to lead to unwarranted circumstances.
The second area is we have some assets that were evolving, that are evolving that now pose potential cyber risk. Some of those assets are critical. Some of those assets are not critical. The critical assets we want to make sure that those critical assets are identified. We want to make sure that the government agencies and industry can work closely together. To make sure that we continue to have those assets secure so they remove that potential cyber risk. The question becomes who has that responsibility. Should the Federal Energy Regulatory Commission have that responsibility exclusively on over all these critical cyber assets or should it be acknowledged that the States have a vital role too? What I'm saying is the States have a vital role to the degree that some of those critical assets are suggesting that they can lead to an imminent threat. The question becomes should the Federal Government act decisively to deal with that. I don't have a difficulty with that. The difficulty I have is if the Federal Government, FERC, decides they have the solution only and they seek to operate and deal with that solution without having States involved and without having the industry involved. That's what the problem is.
No single Federal agency has the wherewithal to know all aspects of the system and how to correct it. It requires vertical and horizontal communication and coordination. That's where I have the difficulty with what Mr. McClelland was saying.
Senator Murkowski. I appreciate that. I think you've laid it out cleanly. I wish it was that neat. Can you comment on the enforceability of the alerts and whether or not that is a gap that needs to be addressed?
Mr. Owens. I think Mr. Cauley is correct that NERC has a series of alerts. There are alerts that are advisory. There are alerts that require immediate action by the industry. He said, and I would agree with him to the degree that there is an action that needs to be taken he needs to be able to be decisive in that. But he also said you need to have industry inputs. So I wouldn't quarrel with him on that. As long as industry is involved we understand what he sees. We share his corrective actions then I think it is appropriate that we respond appropriately.
Senator Murkowski. Thank you, Mr. Chairman. Thank you all.
The Chairman. Senator Udall.
Senator Udall. This is getting interesting. I decline to defer to the Senator from Alaska for continued line of questions and answers here.
[Laughter.]
Senator Udall. But this is, I think, why we're holding this hearing. This is very helpful. I appreciate the passion that's being displayed. I did want to make a comment. I know Senator Burr talked at some length about the smart grid. I don't want to take all of my time. But I would ask for answers now. But I would ask the panelists if you would in your follow on answers to questions. Define the smart grid for us. I think we all talk about the smart grid, but I think it's in the eye of the beholder, and we need to do a better job explaining to the public what the smart grid is. We need to know as policymakers what we mean by the term, the smart grid.
[The information referred to follows:]
The digital computing, communications, and information technologies that are transforming other areas of the economy are now being applied to the electric system to improve performance and create a ``smarter'' grid. As described in the 2009 Smart Grid System Report prepared by DOE, a smart grid uses digital technology to improve the reliability, security, and efficiency of the electric system. New smart grid functions can be implemented throughout the system, from generation through the transmission and distribution systems and all the way to consumers. System operations will be enhanced as a growing number of distributed generation and storage resources are deployed and participating customers are able to adjust their load in response to system operating signals. Smart grid technologies provide a secure and reliable electricity infrastructure with the following characteristics\1\:
---------------------------------------------------------------------------
\1\ Energy Independence and Security Act of 2007, Section XIII
---------------------------------------------------------------------------
(1) Increased use of digital information and controls technology to improve reliability, security, and efficiency of the electric grid.
(2) Dynamic optimization of grid operations and resources, with full cyber-security.
(3) Deployment and integration of distributed resources and generation, including renewable resources.
(4) Development and incorporation of demand response, demand-side resources, and energy-efficiency resources.
(5) Deployment of ``smart'' technologies (real-time, automated, interactive technologies that optimize the physical operation of appliances and consumer devices) for metering, communications concerning grid operations and status, and distribution automation.
(6) Integration of ``smart'' appliances and consumer devices.
(7) Deployment and integration of advanced electricity storage and peak-shaving technologies, including plug-in electric and hybrid electric vehicles, and thermal-storage air conditioning.
(8) Provision to consumers of timely information and control options.
(9) Development of standards for communication and interoperability of appliances and equipment connected to the electric grid, including the infrastructure serving the grid.
(10) Identification and lowering of unreasonable or unnecessary barriers to adoption of smart grid technologies, practices, and services.
Senator Udall. Secretary Hoffman, maybe I can turn to you again. We've talked a lot about cyber threats here today. There's certainly physical threats to the grid. Do you agree that that's a vulnerability we have to consider? Could the draft bill be improved to address the potential of physical threats to the grid?
Ms. Hoffman. The physical threats exist, and I think they've always existed. Because they are more familiar we have processes in place to address them. I think the higher urgency is trying to find a method for addressing the cyber threats. So from my perspective the more urgent issue is actually finding a compromise among interested parties on cyber legislation so that we can better address the cyber issues that are out there.
Senator Udall. Anybody else care to comment?
Mr. McClelland. Yes. Actually I can tie that to your smart grid question too, Senator, in that as the smart grid is deployed, smart grids become all things to all people. But assuming that it's a 2 way communication from the meters at the lowest level through perhaps communication back to the generators and central dispatch, the physical vulnerabilities also increase with the smart grid. Good old fashioned electromechanical meters are impervious to EMP strikes or EMP events.
However, intentional electromagnetic interference device, a hand held device would have a profound effect, could have a profound effect on smart grid meters. So physical also plays into where the grid is going and how the grid is evolving.
Senator Udall. Anybody else care to comment?
Mr. Cauley. I would just say I am concerned about physical security as well from a real world sense of what could happen bad to the grid. I think to Senator Murkowski's view. The more comprehensive and holistically we can look at this. I think the more effective legislation will be. Because we have to deal with what are the priorities. What's the next most important thing we can invest in? So I think to have things where we can balance between physical and cyber and say, what are the real world things that can happen? What would the consequences be? I would prefer a, sort of, a more comprehensive and more holistic view.
Mr. Owens. I would echo what Mr. Cauley just said. I would just expand it just a little bit. We're modernizing the grid. I don't know what smart grid is either. Even though I have responsibility for the industry for dealing with that it's an evolutionary, modernization of the overall grid or another way to say it we're digitizing the grid. If we're digitizing the grid it suggests that there are a tremendous set of new challenges with respect to cyber security. It also says we've got a lot of new players. We're going to put in a lot of different kinds of equipment. So it suggests that we need a high standard for that equipment. That equipment must be authenticated that it is cyber secure. It seems to me and this whole area is evolving so vendors, manufacturers, utilities, regulators. Those who have the responsibility for protecting the integrity of the grid, we all have to understand the language. We all have to make cyber security a top priority.
Senator Udall. Mr. Tedeschi, do you--would you have any comments? You're the wise man at the table as the scientist among us.
Mr. Tedeschi. I would just offer up, Senator, that there's a broad spectrum of threats out there that are real that should be considered. Cyber is certainly at the top of the list. The probability from a risk perspective is 1.0 that those threats are happening every day. But it would be wise to consider a broader set of threats, not just EMP, but also physical attack threats, car bombs, standoff weapons, that sort of thing. There is--there are security systems around a lot of these facilities. There's standoffs. There are inherent security hardness levels to them. But I think the owners of the utilities, Mr. Cauley, got it just right. That they understand their operations, the effects that can occur from the variety of threats and there are links into those who have additional intelligence information, if you will, that could be brought to bear that they can be aware of to factor into decisions on where to provide security, etcetera. So there's a good link, I think, into this world. But don't forget about the other threats especially car bombs, explosive type threats, electromagnetic pulse. We haven't really touched on even unintentional electromagnetic interference from other high frequency sources like cell phones, TV transmissions, radars, that can have an adverse effect on the operation of some of the smart grid technology. It is new technology. It can be sensitive to a broad variety of electromagnetic threats not just handheld devices or nuclear EMP. So understanding how that technology will operate in today's broad threat space within America would pay dividends long term in terms of any hardness that might be invoked.
Senator Udall. If the chairman would indulge me, I'll just throw out a final question. Maybe a couple of you could comment and then the rest could comment for the record. I think Senator Hoeven talked a bit about Stuxnet. There's also the Aurora event.
I'm curious if some of you would briefly respond to the significance of those 2 events that we're aware of among others.
Mr. Cauley. I would just say they're both very real. They're very real risks. Aurora, we recognized a couple years ago has the risk of damaging equipment. One thing that we were able to do a little over a year ago is to work with the intelligence community to grasp the details of what the actual threat is, what the vulnerability is and how to fix it. So we were able to translate that into information out to industry. So I think we've got, at this point, a very high response rate in terms of addressing it. It was real. But I think the awareness level in the last 12 months has really increased. I think the actions that have taken place. The Stuxnet is similar. It wasn't there if you look beyond a year ago it wasn't there. Now all of sudden it's here. It's real. I think we got the information out to the industry. They took the actions to install the patches and blocks to keep that from penetrating our control systems. So the answer is, I think, they're very real. They're very scary. They can each do damage to our grid. But I think we just have to take the protective measures that we've been doing to make sure it doesn't happen. But that really describes the nature of this business. Because next week, there's going to be another one that we don't know about yet. We have to keep--it's more about having the mechanisms in process to adapt and keep fixing and learning than it is to have solved this problem once.
Senator Udall. The rest of you respond for the record. I do not want to abuse the chairman's forbearance. So thank you again for being here.
[The information referred to follows:]
The significance of Aurora and Stuxnet includes the demonstrated ability to target industrial control systems, the difficulty in identifying the attacker, the difficulty in defending against zero-day attacks, and the demonstrated ability to conduct cyber-physical, or blended attacks.
The risk to the power system has become more acute over the past 15 years as digital communicating equipment has introduced cyber vulnerability to the system, and cost-saving requirements have allowed some inherent physical redundancy within the system to be reduced. The specific concern with respect to these threats is the targeting of multiple key nodes on the system that, if damaged, destroyed, or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria. Such an attack would behave very differently than traditional risks to the system in that an intelligent attacker could mount an attack, as in the case of Aurora or Stuxnet, that would manipulate assets, provide misleading information to system operators attempting to address the issue, or destroy equipment.
While no such attack has occurred on the North American electric systems infrastructure to date, Stuxnet demonstrated the ability and desire to target specific components of an industrial control system. The attack was so specific in its use of industrial control systems, that any remaining skeptics should be convinced of the abilities and intent of intelligent attackers to target industrial control systems.
As in most cyber attacks, timely attribution remains difficult. The ability to mask the real identity of the attacker is often a concern, and it often takes an extended period of time to make a final determination and prosecute or take other appropriate action.
The originators of Stuxnet remain unknown, while a similar case could be made for attackers that might choose to exploit an Aurora-type vulnerability.
Most of the developed world uses commercial software to prevent cyber attacks. The use of zero-day vulnerabilities and the USB drive delivery method for Stuxnet showed the inadequacy of current anti-virus, intrusion detection, and firewall applications to prevent unauthorized access to networks.
Finally, both Aurora and Stuxnet demonstrated the ability of cyber attacks to cause physical effects. Such an attack, although never experienced in North America, could damage or destroy key system components, significantly degrade system operating conditions, and, in extreme cases, result in prolonged outages to large parts of the system.
The interconnected and interdependent nature of the electric systems infrastructure requires that risk management actions be consistently and systematically applied across the entire system to be effective. The magnitude of such an effort should not be underestimated. The North American bulk power system is comprised of more than 200,000 miles of high-voltage transmission lines, thousands of generation plants, and millions of digital controls. More than 1,800 entities own and operate portions of the system, with thousands more involved in the operation of distribution networks across North America. These entities range in size from large investor-owned utilities with over 20,000 employees to small cooperatives with only ten. The systems and facilities comprising the larger system have differing configurations, design schemes, and operational concerns. Any mitigation on such a system is complex and expensive, and should be carefully planned and coordinated between the stakeholders and asset owners and operators.
The Department has supported the North American Electricity Reliability Corporation (NERC), the energy sector and other sectors, and other government departments and agencies, including the Department of Defense, in efforts to mitigate the Aurora vulnerability and Stuxnet and other threats through information sharing and technology development. In addition, recognizing that Aurora and Stuxnet are just two examples in a larger threat environment, DOE, in coordination with the National Institute for Standards and Technology, NERC, and the Department of Homeland Security, is leading a public-private collaboration to develop a risk management process guideline to provide a consistent, repeatable, and adaptable process for the electric sector, and enable organizations to proactively manage cybersecurity risk. This collaboration will build upon existing guidance and requirements to develop a flexible risk management process tuned to the diverse missions, equipment, and business needs of the electric sector and to bridge the divide between security for industrial control systems and information technology. The Chairman. Let me just ask one final issue here, Mr. Cauley. Your organization, NERC, is a private membership organization. I'm right about that, am I not? Mr. Cauley. That's correct. The Chairman. If we were to give NERC jurisdiction over distribution facilities would, in your view, should that include the ability to levy fines or penalties on companies that are not members of your organization? Mr. Cauley. Mr. Chairman, we actually can enforce standards and levy fines today on entities who are not members of our organization. So membership only gives us, gives a company the ability to participate in the governance. Vote on our directors and so on. But our authority for our mandatory standards applies to 1,900 companies whether they're members or not. That authority came from--legislation. The Chairman. You levy those fines? FERC doesn't. Mr. Cauley. We levy them. 
But the FERC approves them in all cases. So they have the oversight. They're the final approval authority. But we have the operatives in the field that do the investigations and determine appropriate penalties and submit them to the Commission for approval. The Chairman. Did you have any thought on this? Mr. Cauley. But the question--your first question was whether--if it includes distribution would that work? I'm very hopeful that if the legislation does include distribution, that it would be very limited to issues of national level interest and security. Not totally usurp the right of the States to manage and the distribution level. But to the extent that that authority was granted to FERC I think it would be--make sense since NERC also is a national-- looking at the national interest to have a similar alignment with that authority. The Chairman. Mr. McClelland, did you have a thought? Mr. McClelland. Yes. The Commission has a full range of authority. It has a review of the standards. It has enforcement. Then it also has it's delegated the fee authority to the ERO to be able to levy those fines. Although they still come back to the Commission for approval. In addition we have ALJs and we have settlement processes. Then if someone doesn't like a Commission decision they could always take us to court. So there is an iterative process with the Commission on every order that it issues. The ability to enforce a Commission rule is something that, as a regulator, that the Commission is completely comfortable with. The Chairman. OK. Senator Murkowski, did you have additional questions? Senator Murkowski. I do not, Mr. Chairman. The Chairman. Thank you all. This has been a useful hearing. I appreciate it. [Whereupon, at 11:24 a.m., the hearing was adjourned.] APPENDIX Responses to Additional Questions ---------- Responses of Gerry Cauley to Questions From Senator Bingaman Question 1. 
In February, the Department of Energy launched an open collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation to ``develop a cyber security risk management process guideline for the electric sector.'' Could you describe the objectives of this collaboration and how its work will filter into the NERC standards development and approval processes? Answer. The Risk Management Process (RMP) is a public-private collaboration to develop a cybersecurity risk management guideline that enables organizations to proactively manage risk in the diverse electrical environment that exists in North America. The evolution of smart grid technology increases the electricity sector's cybersecurity risk exposure, emphasizing the need for owners and operators to employ consistent, measurable, and adaptable processes for electricity generation, transmission, distribution, retail operations, energy service providers, as well as situation awareness. Additionally, the differing jurisdictions--NERC for the North American bulk power system (BPS), States and municipalities for the distribution grid, working with the owners and operators of the grid--require a comprehensive yet flexible approach to managing risk. This effort is led by the Department of Energy (DOE) in coordination with the National Institute of Standards and Technology (NIST) and NERC, and with the collaboration of subject matter expert representatives from across the public and private sectors. DOE plans to publish these industry-wide risk management guidelines in 2011, which are intended to complement, but not replace or supersede, the current Critical Infrastructure Protection (CIP) Standards. 
Objectives for this collaboration include: Support the unique needs of the diverse utilities and other stakeholders participating in the North American electric grid with an end-to-end perspective that includes generation, transmission, distribution, retail, energy service providers and wide area situation awareness (e.g., Phasor Measurement Unit or PMU networks). Provide guidance in applying cybersecurity measures to the control systems and information technologies used throughout the electric grid. Provide guidance for an integrated organization-wide approach to managing those cybersecurity risks pertinent to operations, assets, data, personnel, and the Nation as the existing electric grid is transitioned to a smart grid. Leverage risk management and cybersecurity experiences and practices among the electric grid stakeholders including the risk management guidelines (NIST Special Publications, i.e., NIST 800-39; and NERC CIP Standards) and lessons learned within the Federal Government. Recommend implementation guidelines that apply the RMP to electric grid domains and to unique electric grid components, such as control systems. NERC expects there will be a phased implementation of the guidelines, starting with host utilities and vendors. NERC expects to refine the practices through these demonstration projects. As the practices are demonstrated to be effective, NERC will consider whether some subsets of the practices are appropriate for inclusion in the reliability standards. Question 2. The Discussion Draft creates a process to address cyber security vulnerabilities affecting critical electric infrastructure. The Discussion Draft left open the question of the maximum number of days FERC should have to determine whether the existing set of reliability standards are adequate to protect this infrastructure from cyber security vulnerabilities. 
Assuming that FERC identified a specific deficiency in the existing set of reliability standards, do you have an opinion as to how long, in days, FERC should have to make this determination? How long should NERC have, in days, to develop standards in response to a FERC directive to address specifically-identified cyber security vulnerabilities? Answer. As noted in my testimony, NERC does not believe the vulnerabilities section is needed. In response to this question concerning the discussion draft, NERC would defer to FERC with respect to the timeframe for FERC's determination whether existing reliability standards are adequate to protect critical electric infrastructure from cybersecurity vulnerabilities, except that the timeframe must be sufficient to allow for notice to and consultation with stakeholders, including Canadian authorities. Such consultation is essential to provide a basis for a finding that reliability standards, or other actions taken by the electric reliability organization (ERO), are inadequate or that a specific deficiency exists. The appropriate timeframe for NERC to respond to a FERC directive to address specifically identified cybersecurity vulnerabilities will vary depending on whether specific actionable information about the vulnerability is made available to NERC and stakeholders. It will also vary depending on the approach determined by NERC to be the most effective in responding to such a directive. As discussed during the hearing, not all vulnerabilities can or should be addressed by a reliability standard. NERC has other tools at its disposal through its Alert system to address cybersecurity vulnerabilities. In addition, the legislation should authorize a mandatory and enforceable means for NERC to address cybersecurity vulnerabilities identified by FERC in addition to the use of reliability standards. One way to do this would be to authorize NERC to issue ``Mandatory Directives,'' as discussed in response to Q. 7 below. 
In the case where a reliability standard is required to address an identified vulnerability, NERC should have 180 days to develop a response. The Mandatory Directives could be issued in a much shorter time frame, measured in days or weeks. Question 3. NERC submitted eight proposed cybersecurity standards, known as the Critical Infrastructure Protection (CIP) standards, to FERC for approval under section 215. FERC approved those standards in 2008 but directed NERC to make certain revisions. As I understand it, NERC continues to work on those revisions and plans to submit them to FERC somewhere in 2012. If submitted in 2012, development and approval of the first set of cybersecurity standards will have lasted around 6 years. Why has this process lasted this long? Answer. The Reliability Standards development process is an iterative process of continuing improvement. NERC's first set of CIP standards was approved by FERC in January 2008. NERC has worked with industry, consumer representatives and regulators to strengthen the CIP Reliability Standards, and also to respond to specific directives from FERC. While this process is occurring, mandatory and enforceable cybersecurity standards have been in place and have provided important protections for the bulk power system. The need to respond to FERC directives has necessarily influenced the direction and timing of the CIP standards development process. The second set of CIP standards addressed certain high-priority directives from FERC; FERC approved that second set in September 2009. FERC's September 2009 order included new directives and gave NERC 90 days to comply. NERC filed the third version of the CIP standards in December 2009, and FERC approved that third set in March 2010. 
The most recent revision to the CIP Reliability Standards--CIP-002 Version 4--was approved by the NERC stakeholders on December 31st, 2010; approved by the NERC Board of Trustees on January 24, 2011 and submitted to the Commission for approval on February 10, 2011. Work continues on further improvements to the standards, including responses to remaining Commission directives, and it is these further enhanced standards that will be submitted to the Commission in 2012. Question 4. Can you describe how NERC's newly-approved procedures for developing a reliability standard on an expedited basis differ from the existing development procedures? How would expedited procedures make it easier for NERC to address cyber security vulnerabilities? Answer. The new procedures approved by FERC in September 2010 provide for developing a reliability standard on an expedited basis. Key differences from the traditional standards development procedures are in the areas of confidentiality of information; use of pre- identified technical experts for standards drafting; and process streamlining. Confidentiality The expedited process contains procedures that provide protection of sensitive information affecting national security. The traditional procedures do not contain similar protections. The new procedures limit the individuals who may serve on drafting teams to those who have been pre-screened for their expertise and willingness to work under strict security and confidentiality rules, and require drafting teams to work under strict security and confidentiality rules. Sensitive information is further protected by limiting distribution of draft standards. In contrast to the general procedures, the new procedures do not require public posting of draft standards. Technical expertise The new procedures require formation of a Standard Drafting Team from a list of pre-identified technical experts. 
This provides for the necessary diversity of expertise and industry perspectives to develop a technically sound standard that can quickly be finalized and approved. Cybersecurity involves every owner, operator and user of the bulk power system--having a diverse view when crafting the language of a standard is essential. The expedited procedures assure that the Standard Drafting Team will have the collective knowledge and expertise to develop a standard that reflects an understanding of the diverse utilities and their associated equipment configurations in the North American bulk power system. Process streamlining The new procedures allow the Standards Committee authority to approve a wide range of process deviations, enabling a standard to be developed in a shorter period of time. The general procedures allowed some latitude in shortening the duration of only certain process steps. These expedited processes will enable NERC to address cybersecurity vulnerabilities through a reliability standard on a timely basis--when that is the most appropriate approach. Question 5. In your statement, you stated that NERC was concerned that the Discussion Draft contained no requirement that FERC identify any deficiency in existing reliability standards or a cybersecurity vulnerability for NERC to address. The Administrative Procedures Act requires agencies to give notice of either the terms or substance of the proposed rule or a description of the subjects and issues involved. Is that requirement sufficient to address this concern? If not, how would NERC propose to revise Section 224(b) of the Discussion Draft to address this concern? Answer. The Administrative Procedure Act (APA), 5 U.S.C. 553(b), which requires publication for comment of a general notice of proposed rulemaking that includes ``either the terms or substance of the proposed rule or a description of the subjects and issues involved,'' does not resolve NERC's concern. 
Proposed Section 224(b)(2) requires FERC to issue an ``initial order,'' not a proposed rule. There is nothing in the legislative text that requires FERC in its order to advise the ERO of the specific vulnerability in sufficient detail so that the ERO can respond appropriately. Moreover, proposed Section 224(b)(6)(B) authorizes FERC to issue an interim final rule ``without prior notice or hearing.'' In contrast, the provisions of Federal Power Act Section 215(d) authorize FERC to order the ERO to submit a proposed reliability standard ``that addresses a specific matter.'' NERC recommends that proposed Section 224(b)(2) be revised to include at the end the following: The Commission's order shall specify the vulnerabilities against which such standards or directives must protect, and shall appropriately balance the risks to the critical electric infrastructure associated with such cybersecurity vulnerabilities, including any regional variation in such risks, and the costs of mitigating such risks. Note: with respect to the inclusion of ``or directives'' in the above language, see the discussion in response to question 7, below. Question 6. Your testimony states that NERC is not sure that a section to address cybersecurity vulnerabilities (section 224(b)) is needed in the Discussion Draft. Does NERC believe that there should be a means of addressing cybersecurity vulnerabilities? Should this means be mandatory and enforceable? If not, how can compliance be assured and measured? Answer. NERC believes not only that there should be a means of addressing cybersecurity vulnerabilities, but that such means already exist. NERC addresses cybersecurity vulnerabilities today through reliability standards and through its Alert system of Industry Advisories, Recommendations to Industry, and Essential Actions. Since January 2010, NERC has issued 14 critical infrastructure protection-related Alerts; these Alerts covered matters including Stuxnet and Night Dragon. 
FERC also already has authority under FPA Section 215(d)(5) to order the ERO to ``submit to the Commission a proposed reliability standard or a modification to a reliability standard that addresses a specific matter if the Commission considers such a new or modified reliability standard appropriate to carry out [section 215].'' ``Cybersecurity protection'' is expressly included within the definition of ``reliability standard'' in section 215(a)(3). There should be a mandatory and enforceable means in addition to the use of reliability standards for NERC to address cybersecurity vulnerabilities identified by FERC. One way to do this would be to authorize NERC to issue ``Mandatory Directives,'' as discussed in response to Q. 7 below. Question 7. Your testimony states that making ``other NERC directives'' legally enforceable would significantly enhance cyber security. Can you identify these ``other NERC directives''? Please describe how NERC envisions using these other directives. Does NERC envision the process of enforcing these directives being overseen by FERC? Does NERC contemplate using these enforceable NERC directives to address cyber security or other reliability vulnerabilities? What due process does NERC envision for those entities subject to these directives? Answer. The other NERC directives referenced in my testimony would be a new category of directives that could be called ``Mandatory Directives.'' NERC envisions using a Mandatory Directive to address cybersecurity vulnerabilities that are not appropriate to address through reliability standards. The draft legislation should be modified to include this authority. Provision should be made for expedited FERC approval of these Mandatory Directives. As is the case with reliability standards, FERC approval would be an essential step in making these Mandatory Directives enforceable. 
Enforcement of these Mandatory Directives should be overseen by FERC, just as the enforcement of reliability rules by NERC today is overseen by FERC. The same due process that applies to the enforcement of reliability standards under FPA Section 215(e) should apply to the enforcement of NERC Mandatory Directives. Question 8a. Your testimony states that NERC has issued 14 cyber security alerts since January 2010. How do these alerts differ from NERC standards? Was the alerts process filed with and approved by FERC? Can you describe, generally, the level of compliance NERC has observed with respect to these alerts? Have any users, owners, or operators of the bulk power system failed to comply with any of the alerts? How did NERC respond to these users, owners, and operators? Answer. Alerts differ from NERC reliability standards in that, unlike standards, the Alerts are not enforceable. Alerts are used when NERC has a need to place industry participants on formal notice of particular matters related to the reliability and security of the electric system. The Alerts are targeted, can be developed much more quickly than standards, do not involve an industry ballot, and can reach a broader audience than just those subject to reliability standards. NERC's alerts process is set out in Rule 810 of NERC's Rules of Procedure, which FERC approved in February 2008. Alerts and Notifications are created and deployed from NERC in its role as the Electric Sector Information and Analysis Center (ES-ISAC). The ES-ISAC coordinates electric industry activities to promote critical infrastructure protection of the bulk power system in North America, as called for by Rule 1003.1 of NERC's Rules of Procedure, which FERC approved in July 2006. NERC has had significant interaction with registered entities, most recently in response to the Aurora and Stuxnet ``Recommendation to Industry'' Alerts. 
Following the Aurora Alert, NERC hosted four informational webinars and a technical conference with more than 1,000 people participating. NERC continues to follow up and meet directly with entity representatives, through both outreach and personal follow-up activities. A progress check webinar was held in early May that attracted more than 400 participants and another is scheduled for June. Similarly, following the Stuxnet Alert in September 2010, NERC made contact with industry entities to confirm acknowledgement of receipt of the Alert. While the present Alerts and Notifications are neither mandatory nor legally enforceable, the Rules of Procedure do require NERC registered entities to report on the status of activities related to any Level 2 (Recommendation to Industry) or Level 3 (Essential Action) Alert. This obligatory reporting requirement for NERC Alerts and Notifications is unique among all of the other Computer Emergency Response Teams (CERT) and critical infrastructure Information Sharing and Analysis Centers (ISAC), which do not impose a required response component. Question 8b. Can you describe, generally, the level of compliance NERC has observed with respect to these alerts? Answer. The responses to the Aurora and Stuxnet alerts have been very high. Regarding United States entities that were sent the Stuxnet recommendation, as of November 2010 99% of industry acknowledged receipt of the recommendation, more than 98% have developed a response to the recommendation and routed that response to their management for approval and more than 94% have received approval from management on the response they developed. Regarding the Aurora recommendation, as of January 2011, 99% of industry acknowledged receipt, 98% have responded to NERC and 96% have received management approval for the response they developed. Implementation plans are at various levels of completion. 
Every six months entities must update NERC on the status of their implementation plan until the implementation is complete. The next update to this status is June 13th 2011. Question 8c. Have any users, owners, or operators of the bulk power system failed to comply with any of the alerts? Answer. For those entities that have been non-responsive, NERC staff follows up with phone calls discussing the recommendation, answering questions and clarifying uncertainties. In NERC's discussions with nonresponsive entities, interaction is maintained until a response is developed and all concerns are resolved and all questions are answered. In addition to phone calls and personal interaction, NERC continues to follow up and meet directly with entity representatives, through both outreach and personal follow-up activities such as webinars and technical conferences. Question 8d. How did NERC respond to these users, owners, and operators? Answer. NERC entities that do not fulfill their obligation under the Rules of Procedure will receive heightened levels of NERC attention up to and including direct senior level interaction from NERC, Regional and industry leadership. NERC, the industry including CEOs, and the Regions take the NERC Alert process seriously. Question 9. Level Three alerts are characterized as ``essential action.'' Has NERC ever issued a Level Three alert? How does NERC compel action consistent with these alerts from among users, owners, and operators of the bulk power system? Answer. NERC has not yet issued an ``Essential Action'' Alert. Although NERC cannot compel action to implement an Essential Action, NERC has every expectation that if its Board of Trustees makes a determination that certain actions are ``essential to protect the reliability of the bulk power system'', then users, owners and operators of the bulk power system will take appropriate actions. NERC would follow up as necessary. Essential Actions do carry a mandatory reporting obligation. 
A failure to report would constitute a violation of a rule adopted under the authority of FPA section 215 and could be enforced by FERC. Question 10. You indicated that following the 1989 geomagnetic disturbance that affected Quebec the industry learned lessons and hardened a lot of equipment at northern latitudes. Can you describe the lessons the industry learned after that event? How was equipment hardened? Given that the risks of geomagnetic disturbances are not a new threat to the electric sector, have utilities in other geographic areas hardened their equipment and systems against the effects of geomagnetic disturbances? Answer. The potential impact of geomagnetic disturbance events has gained renewed attention as recent studies\1\ have suggested the severity of solar storms may be greater and reach lower geographic latitudes than formerly expected. NERC and the U.S. Department of Energy identified this as a High Impact, Low Frequency event risk to bulk power system reliability in a joint report issued in April 2010.\2\ Geomagnetic disturbances (GMD) can impact bulk power system reliability. The most well-known recent experience in North America was the March 13-14, 1989 geomagnetic disturbance, which led to the collapse of the Hydro Quebec system in the early morning hours of March 13, 1989, lasting approximately nine hours. --------------------------------------------------------------------------- \1\ The U.S. Federal Energy Regulatory Commission and Oak Ridge National Labs issued a number of reports on Geomagnetic Storms and their impact on the bulk power system in November 2010: http://www.ornl.gov/sci/ees/etsd/pes/ferc_emp_gic.shtml \2\ The High-Impact, Low-Frequency Report can be found here: http://www.nerc.com/files/hilf.pdf --------------------------------------------------------------------------- System and equipment modifications that occurred in the Hydro-Quebec TransEnergie (HQT) system following the 1989 geomagnetic storm included adding series compensation elements on long-distance AC transmission lines, rebalancing their protection systems, monitoring geomagnetic induced currents (GICs) on key pathways on their system and testing the addition of blocking capacitors to transformer neutrals. Additionally, HQT developed new analyses on how GICs impact the Quebec interconnection and employed new operating and planning procedures to observe GIC impacts in voltage. One of the characteristics of transformers experiencing high levels of GICs is increased requirements for reactive power. The bulk power system, when faced with the need for large amounts of reactive power, as Hydro Quebec faced with their 480 nanotesla per minute storm in 1989,\3\ may react in an unplanned or unexpected manner, including break-up, islanding, or collapse. Industry investigation is needed to determine the amount and extent of disruptions that might occur. This analysis includes determination of transformer characteristics to identify the most affected designs, as well as static, dynamic and transient simulations which model the non-linear behavior of each of the interconnections in North America. Once these analyses are complete, appropriate and jurisdictionally acceptable solutions, including grid hardening, relaying, operational procedures and spare equipment could be determined to maintain an acceptable level of reliability, given the relative risk from GMD events. 
--------------------------------------------------------------------------- \3\ http://www.nerc.com/files/1989-Quebec-Disturbance.pdf --------------------------------------------------------------------------- NERC's GMD Task Force recently held a workshop focused on potential mitigation approaches. A major outcome of the workshop was the realization that significant work is still required by industry and governmental organizations to improve not only solar storm forecasting but also the development of robust modeling methods to understand how GMD events impact bulk power system equipment. Once impacts have been determined, suitable actions can then be taken by both planners and operators of the bulk power system in North America to ensure reliability of the grid. The primary deliverable from the workshop, an Industry Advisory NERC Alert on GMD,\4\ provides industry with suitable guidance for operational and planning actions given the knowledge available today to prepare for the effects of severe GMD on the bulk power system. NERC expects to provide incremental information as it becomes available. --------------------------------------------------------------------------- \4\ http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf --------------------------------------------------------------------------- Question 11. NERC's High Impact, Low Frequency Event Risk to the North American Bulk Power System report contemplates ``re-launching'' NERC's spare equipment database. Why is the spare equipment database not operational today? When was it stopped? Answer. NERC maintains a database of spare transformers, called the Spare Equipment Database (SED), which is voluntarily populated by industry stakeholders. SED is operational today. 
It is being re-launched in 2012 as a revitalized tool to provide increased coverage and give it increased visibility among stakeholders--in direct response to NERC's High Impact, Low Frequency (HILF) report\5\ developed in collaboration with the Department of Energy. In 2010, based on the results of the HILF roadmap developed by the Electricity Subsector Coordinating Council\6\ and the technical committees' strategic coordinated action plan,\7\ NERC initiated its SED revitalization efforts and will fund the development of an on-line data collection tool. SED will initially focus on bulk power transformers; however, other critical long-lead time equipment may be added in the future. --------------------------------------------------------------------------- \5\ Joint NERC and U.S. DOE report, High Impact, Low Frequency Event Risk to the North American Bulk Power System: http://www.nerc.com/files/HILF.pdf \6\ Electricity Subsector Coordinating Council report, Critical Infrastructure Strategic Roadmap: http://www.nerc.com/docs/escc/ESCC_Critical_Infrastructure_Strategic_Roadmap.pdf \7\ Technical Committee Report, Critical Infrastructure Strategic Initiatives Coordinated Action Plan: http://www.nerc.com/docs/ciscap/Critical_Infrastructure_Strategic_Initiatives_Coordinated_Action_Plan_BOT_Apprd_11-2010.pdf --------------------------------------------------------------------------- Responses of Gerry Cauley to Questions From Senator Murkowski Question 1. Through the definition of ``critical electric infrastructure,'' the discussion draft legislation extends FERC's jurisdiction beyond the Bulk Power System to the distribution level as long as those systems or assets are ``vital'' to the nation's security, economy, public health or safety. In your testimony, you point out that NERC's authority as the ERO does not extend to the distribution level. 
In the text, we were trying to respect the Section 215 stakeholder process--the idea being that if FERC directed the ERO to develop or modify a cyber standard to protect ``critical electric infrastructure'' that standard would be developed through the existing stakeholder process. It was certainly not my intent to allow FERC sole discretion to dictate standards at the local level or bypass the Section 215 process altogether. Please comment. Can you provide the Committee with clarifying language? Answer. NERC appreciates the effort to respect the Section 215 standards development process. As I indicated in my testimony, under the current discussion draft structure, unless FERC and NERC have the same jurisdictional reach, it will be difficult to achieve the necessary collaboration and coordination that must take place if requirements applicable to the bulk power system and the distribution systems are to work together to achieve the desired outcomes. This issue arises because the definition of ``critical electric infrastructure'' in the discussion draft includes distribution facilities and the definition of bulk power system in section 215 does not. As I stated during the hearing, NERC is not seeking jurisdiction over distribution, but is concerned about the language in the discussion draft that leads to a mismatch in NERC and FERC jurisdiction. If FERC is given jurisdiction over certain distribution facilities for purposes of addressing cyber vulnerabilities, then NERC believes it should have equivalent jurisdiction. NERC does not believe it is workable to try to address cyber vulnerabilities in two different places at the same time. NERC has proposed amendments to various aspects of the discussion draft in response to question 2, below, and the provisions dealing with the jurisdictional mismatch are included in those proposed amendments. Question 2. 
You testified that given the constantly changing nature of vulnerabilities, not all vulnerabilities can or should be addressed by a standard. I understand that for the Aurora, Stuxnet, and Night Dragon attacks, NERC issued Alerts. Moreover, the Commission, which has the authority to order NERC to produce reliability standards, has never ordered NERC to take such action--is that correct? Can you provide the Committee with language to make these NERC Alerts legally enforceable?

Answer. It is correct that to date, FERC has not exercised its authority under FPA Section 215(d)(5) to direct NERC to produce a reliability standard to address a specific matter, although FERC has exercised that authority hundreds of times to direct NERC to make modifications to standards that NERC had filed for FERC approval.

NERC suggests the following changes to the discussion draft to enable the ERO to promulgate Mandatory Directives in response to a Commission order under proposed Section 224(b) that will be mandatory and enforceable. The changes below also address NERC's concerns that, as written, proposed Section 224(b) does not expressly require FERC to identify the specific cybersecurity vulnerabilities to be addressed by the ERO. In addition, these proposed changes address the mismatch in FERC and NERC jurisdiction that I discussed in response to the prior question. (Language to be added is underlined; language to be deleted is stricken through):

[Note: For printing purposes, italic represents underlined language and bold represents stricken through language.]

I.
Add a new definition of ``Mandatory Directive'' as FPA Section 224(a)(8), to read as follows:

``(8) MANDATORY DIRECTIVE--An enforceable order issued by the Electric Reliability Organization to users, owners and operators of Critical Electric Infrastructure and approved by the Commission to address critical electric infrastructure cybersecurity vulnerabilities in response to a Commission order issued pursuant to subsection (b) of this section.''

II. Modify proposed Section 224(b)(2) to include Mandatory Directives, as follows:

``(2) INITIAL ORDER--Unless If the Commission determines that the reliability standards and alerts, advisories or other actions taken by the Electric Reliability Organization established pursuant to section 215 are not adequate to protect critical electric infrastructure from specified cybersecurity vulnerabilities within------days after the date of enactment of this section, the Commission shall order the Electric Reliability Organization to submit to the Commission, not later than------days after the date of enactment of this section such Commission Order, a proposed reliability standard, or a modification to a reliability standard, or a Mandatory Directive that will address the cybersecurity vulnerabilities identified by the Commission and provide adequate protection of protect critical electric infrastructure from cybersecurity vulnerabilities. The Commission's order shall specify the vulnerabilities against which such standards or directives must protect, and shall appropriately balance the risks to the critical electric infrastructure associated with such cybersecurity vulnerabilities, including any regional variation in such risks, and the costs of mitigating such risks.''

III.
Modify proposed section 224(b)(3) to include Mandatory Directives, as follows:

``(3) SUBSEQUENT DETERMINATIONS AND ORDERS--If at any time following the issuance of the initial order under paragraph (2) the Commission determines that the reliability standards, alerts, advisories or other actions taken by the Electric Reliability Organization established pursuant to section 215 or Mandatory Directives issued by the Electric Reliability Organization pursuant to this section are inadequate to protect critical electric infrastructure from an identified cybersecurity vulnerability, the Commission shall order the Electric Reliability Organization to submit to the Commission, not later than 180 days after the date of the determination, a proposed reliability standard, or a modification to a reliability standard, or a Mandatory Directive that will provide adequate address the cybersecurity vulnerabilities identified by the Commission and protect protection of critical electric infrastructure from the cybersecurity vulnerability vulnerabilities. The Commission's order shall specify the vulnerabilities against which such standards or directives must protect, and shall appropriately balance the risks to the critical electric infrastructure associated with such cybersecurity vulnerabilities, including any regional variation in such risks, and the costs of mitigating such risks.

IV.
Add a new section 224(b)(5) to provide for the development and approval of Mandatory Directives (and renumber succeeding subsections accordingly):

``(5) MANDATORY DIRECTIVES--A Mandatory Directive submitted by the Electric Reliability Organization pursuant to paragraph (2) or (3) shall be developed by the Electric Reliability Organization pursuant to procedures approved by the Commission, may apply to all users, owners and operators of Critical Electric Infrastructure as defined in this section, and shall be mandatory and enforceable as to such entities upon approval by the Commission, which shall act upon proposed Mandatory Directives on an expedited basis.''

V. Add a new section 224(b)(7) to provide for enforcement of Mandatory Directives and reliability standards issued in response to Commission orders under Sections 224(b)(2) and (3) (and renumber succeeding subsections accordingly):

``(7) ENFORCEMENT----

(A) Mandatory Directives.--A Mandatory Directive approved by the Commission under this section may be enforced in the same manner as is provided for in section 215(e) for the enforcement of reliability standards approved under section 215.

(B) Certain Reliability Standards.--Reliability standards developed by the Electric Reliability Organization in response to a Commission order issued under paragraphs (b)(2) or (b)(3) of this section to protect critical electric infrastructure from an identified cybersecurity vulnerability, including reliability standards that replace an Interim Final Rule issued by the Commission under paragraph (b)(6) of this section, and approved by the Commission may be enforced in the same manner as is provided for in section 215(e) for the enforcement of reliability standards approved under section 215.

VI. Conforming changes would be made to include Mandatory Directives in the provisions regarding Interim Final Rules.

Question 3.
In the vulnerabilities section of the discussion draft, we have yet to specify the timeframes for FERC's initial determination on the adequacy of reliability standards and for NERC's response to any Commission directive. In NERC's opinion, what is the appropriate amount of time for these actions?

Answer. NERC would defer to FERC with respect to the timeframe for FERC's determination of whether existing reliability standards are adequate to protect critical electric infrastructure from cybersecurity vulnerabilities, except that the timeframe must be sufficient to allow for notice to and consultation with stakeholders, including Canadian authorities.

The appropriate timeframe for NERC to respond to a FERC directive to address specifically identified cybersecurity vulnerabilities will vary depending on whether specific actionable information about the vulnerability is made available to NERC and stakeholders. It will also vary depending on the nature of the approach determined by NERC to be the most effective in responding to such a directive. As discussed during the hearing, given the constantly changing nature of cybersecurity vulnerabilities, not all vulnerabilities can or should be addressed by a reliability standard. NERC has other tools at its disposal through its Alert system in addition to reliability standards to address cybersecurity vulnerabilities. The legislation should expressly recognize that the response to a cybersecurity vulnerability identified by the Commission may take the form of an alert, advisory or other action by the ERO. Such NERC directives can be issued very quickly, in some cases in as little as a day to several weeks, depending on the specific nature of the vulnerability. In the case where a reliability standard is required to address a vulnerability, NERC should have 180 days to develop a response.

Question 4. Do you read the discussion draft as allowing both FERC and DOE to develop different lists of critical assets?
If so, can you provide clarifying language to the Committee?

Answer. The composition of the list of critical assets is vital to assuring that the appropriate owners, operators and users of critical electric infrastructure are able to receive communications affecting their assets and are aware of their obligations. NERC has itemized ``bright line'' criteria for the identification of critical assets as part of the most recent revision to the CIP Reliability Standards, which was submitted to the Commission for approval in February. Because the discussion draft does not require consultation or coordination between FERC and DOE in the identification of critical electric infrastructure, there is the potential that different lists of critical assets could be identified. At a minimum, DOE and FERC should coordinate in the preparation of asset lists and use common criteria in defining critical electric infrastructure. Suggested language to accomplish this follows:

Amend the definition of critical electric infrastructure in proposed FPA Section 224(a)(1) to add the following at the end: The Commission and the Secretary shall coordinate in the identification of critical electric infrastructure systems and assets.

Question 5. What is the nature of NERC? Is your organization a purely private entity? How does your membership work? How many entities are on your Compliance Registry and are they all NERC members? Finally, please specify your enforcement/penalty authority.

Answer. NERC is a private, non-profit corporation governed by an independent board of trustees. By statute and NERC's bylaws, the independent trustees can have no financial or business interest in the users, owners, and operators of the bulk power system who are subject to NERC's standards.
NERC's membership includes large and small electricity consumers, government representatives, municipalities, cooperatives, independent power producers, investor owned utilities, independent transmission system operators and federal power marketing agencies, such as TVA and Bonneville Power Administration and the eight regional entities. Due to the international nature and electrical properties of the bulk power system, NERC's membership also includes Canadian entities. NERC is a non-governmental entity that has been certified by the Federal Energy Regulatory Commission as the ``electric reliability organization'' for the U.S. and has been delegated certain powers pursuant to FPA section 215(c)(2).

Membership in NERC is open to all entities with an interest in the reliability of the bulk power system of North America. Membership in NERC is free of charge. As of May 16, 2011, NERC has 729 members. NERC's members fall into the following sectors:

Investor-owned utility
State or municipal utility
Cooperative utility
Federal or provincial utility/power marketing administrator
Transmission-dependent utility
Merchant electricity generator
Electricity marketer
Large end-use electricity customer
Small end-use electricity customer
Independent system operator/regional transmission organization
Regional Entity
Government representative

The NERC Compliance Registry is separate from the NERC membership list and consists of users, owners and operators of the bulk power system. The entities included on the compliance registry are the ones obligated to comply with NERC's mandatory reliability standards. Entities included on the NERC Compliance Registry in many cases are, but are not required to be, members of NERC. As of May 16, 2011, 1,923 entities were listed on the NERC Compliance Registry.

NERC's authority as the ERO to enforce reliability standards is established in FPA section 215(e).
Section 400 of NERC's Rules of Procedure, which have been approved by FERC, sets forth the NERC Compliance Enforcement Program.\8\ NERC has the authority to impose financial penalties for violation of Reliability Standards, but those penalties cannot take effect until they have been filed with FERC, with an opportunity for FERC review. FERC has ruled that NERC may impose penalties of up to $1,000,000 per violation. FPA section 215(e)(6) requires that any penalty must bear a reasonable relation to the seriousness of the violation and must take into consideration the efforts of the user, owner, or operator to remedy the violation in a timely manner.

---------------------------------------------------------------------------
\8\ NERC's Rules of Procedure are available at: http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf.
---------------------------------------------------------------------------

Question 6. In your testimony, you describe several alternative methods for approving standards, including an expedited stakeholder process and a process by which the NERC Board of Trustees can approve a standard directed by FERC if there is no consensus among your members. Do you think these processes adequately address the concerns raised by the January 2011 GAO Inspector General Audit regarding the timeliness of the stakeholder process? When did these new processes become effective and have they been used to date?

Answer. The expedited stakeholder process and the process by which the NERC Board of Trustees may propose and adopt a standard in response to a FERC directive if the Board determines that the regular standards process is not being sufficiently responsive to the Commission (Rule 321 of NERC's Rules of Procedure) are, we believe, responsive to the concerns raised in the GAO Inspector General Audit. FERC approved NERC's expedited stakeholder process on February 5, 2010; it approved new Rule 321 on March 17, 2011.
To date NERC has not had the occasion to use either process.

Question 7. The discussion draft defines the term ``Critical Electric Infrastructure'' as follows:

. . . means systems and assets, whether physical or virtual, used for the generation, transmission, or distribution of electric energy affecting interstate commerce that, as determined by the Commission or the Secretary (as appropriate), are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety.

To what extent are distribution assets captured in this definition?

Answer. Distribution assets are expressly captured to the extent that they are determined by DOE or FERC to meet the statutory definition of ``Critical Electric Infrastructure,'' i.e., to the extent they are ``so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety.'' With no clear indication of how the criteria will be applied by FERC and/or DOE in determining what distribution assets meet the statutory definition, NERC is unable to comment on the scope or magnitude of distribution assets that may be covered. If the definition is intended to cover national defense facilities or government facilities, that should be made express. I am concerned that reading the definition to cover major metropolitan areas could lead to potential conflicts with existing State and local jurisdiction and authorities.

Question 8. You have stated that you seek to transition to risk-based assessments for not just cybersecurity standards but all standard-setting. Please update the Committee on the transition. When do you expect to base cyber security standards upon risk-based assessments? In what ways will standards change after implementing risk-based assessments?
Answer. NERC is incorporating the concept of risk into all of its standards development activities. A new project prioritization process is being used to develop the Reliability Standards Development Plan. This process evaluates several different factors, but gives considerable weight to the ``reliability risk'' that a project is intended to address. This risk is evaluated in both qualitative and quantitative terms--what kind of risk NERC is trying to manage, and how effectively will the proposed project manage that risk. Other areas considered in the prioritization include regulatory drivers, coordination and logistics, and general experiences with the current set of standards. Each project is evaluated relative to these areas and prioritized to help NERC allocate its resources. The risk analysis drives NERC's three-year work plan for Standards Development.

Additionally, NERC is implementing our ``Results-Based Standards'' initiative. This effort uses best practices from product development to improve the quality and effectiveness of our standards. In the ``Results-Based'' approach, NERC develops requirements in its standards to address specific outcomes: ensuring adequate performance, managing risk, and verifying competency. NERC requires, particularly in the CIP standards, that entities take actions to mitigate risks or to demonstrate competency prior to an event occurring. In this way, we not only evaluate how well an entity performs, but also whether they are well-prepared. By requiring specific risk-mitigation measures, we protect against the ``known'' risks, and by verifying competency, we ensure that the industry has the tools and skills to make informed decisions when facing unknown risks. In the CIP field, not all contingencies can be anticipated. Resilience is required.

Responses of Gerry Cauley to Questions From Senator Udall

Question 1. Has the Aurora vulnerability been effectively mitigated, and how is this verified?
What is the factual basis for your answer?

Answer. NERC believes that registered entities now understand the Aurora vulnerability and are taking steps to mitigate that vulnerability within their systems. The basis for this belief is as follows:

From 2007 through 2010 NERC worked closely with federal partners on information controls which finally resulted in NERC's receiving authorization to share with industry an extensive technical library designated ``For Official Use Only'' on NERC's various protected portals. The availability of this technical library allowed NERC to develop and issue an Aurora ``Recommendation to Industry'' Alert on October 13, 2010 with more explicit information on the vulnerability and recommendations for detailed mitigation measures than was made available when the Aurora vulnerability first surfaced in 2007. This NERC Level 2 ``Recommendation to Industry'' carried mandatory reporting obligations in accordance with NERC Rules of Procedure (ROP) Section 810, Information Exchange and Issuance of NERC Advisories, Recommendations and Essential Actions, which outlines the requirements.

The goal of the Aurora Recommendation was to disseminate vulnerability information, discuss generally-recommended mitigation measures, and gather situational awareness data critical to an industry-wide Aurora risk assessment. Work toward this goal has reduced reliability risks to the bulk power system from exposure to the Aurora vulnerability. Through the implementation of recommended actions, based on the confidential reports received, NERC believes that the potential impact on the bulk power system from an Aurora event has been significantly reduced. Mitigation plans either have been or are in the process of being implemented, and as this process continues, the potential impact to the power system will be further reduced.
Additionally, the provisioning of the technical library helped establish enhanced communication channels between NERC and the users, owners, and operators of the bulk power system and is facilitating general industry-wide awareness regarding the Aurora vulnerability. The status of entities' continuing actions in implementing Aurora mitigation will be updated every six months in accordance with the reporting obligations in the Aurora Recommendation.

The October 2010 NERC Aurora ``Recommendation to Industry'' included the following questions, which NERC developed in consultation with FERC and industry subject matter experts:

1. Does your organization fully understand Aurora, especially given the new information? If not, contact NERC for assistance.
2. Has your organization assembled a project team to assess Aurora susceptibility, and/or develop Aurora mitigation recommendations based on the new information?
3. What is your plan to respond to customer inquiries regarding Aurora?
4. Has your organization taken steps to mitigate the risk of an Aurora event or attack, as both a consumer and provider of electric power?
5. Is your project plan for mitigation complete? If not, when do you expect it to be complete? Please indicate within the mitigation plan what types of assets were considered for inclusion.
6. Are your mitigation efforts complete? If not, when do you expect them to be complete?

The response to the Aurora alert has been very high. As of January 2011, 99% of industry acknowledged receipt, 98% have responded to NERC and 96% have received management approval for the response they developed. Implementation plans are at various levels of completion. Every six months entities have to update NERC on the status of their implementation plan until the implementation is complete. The next update to this status is June 13, 2011.
For those entities that have been non-responsive, NERC staff follows up with phone calls discussing the recommendation, answering questions and clarifying uncertainties. In NERC's discussions with nonresponsive entities, interaction is maintained until a response is developed and all concerns are resolved and all questions are answered. In addition to phone calls and personal interaction, NERC continues to follow up and meet directly with entity representatives, through both outreach and personal follow-up activities such as webinars and technical conferences. NERC entities that do not fulfill their obligation under the Rules of Procedure will receive heightened levels of NERC attention up to and including direct senior level interaction from NERC, Regional and industry leadership. NERC, the industry including CEOs, and the Regions take the NERC Alert process seriously.

NERC will monitor the progress of entities as they update their status every six months as required until complete. In addition NERC will execute its plans for continually closing the mitigation gap by implementing a continuous improvement action plan. NERC's action plan includes:

Establishing a series of periodic webinars for entities to share information that will continuously inform bulk power system entities of lessons learned from continuing reviews.

Continue to review the submitted responses and communicate with entities to solicit feedback and close gaps identified in response areas. As entities indicate that they have completed implementation of their mitigation plans by updating the Aurora Recommendation responses, NERC will place these entities into a category for a potential Sufficiency Review, the purpose of which is to conduct a risk-based assessment that determines an entity's ability to ensure the safe, reliable operation of the bulk power system. This review will provide additional assurance of adequate Aurora mitigation efforts.
Continue to maintain and update the Aurora Technical Library and provide periodic updates to industry to include documents pertaining to lessons-learned, best practices and areas of concern.

Continue to communicate with the industrial control system vendor community regarding issues and concerns discovered through Aurora mitigation activities.

Continue to contact entities who stated that they have no Aurora-vulnerable assets to ensure adequacy of their activities.

Maintain examples of well-designed customer outreach packages and other resources that entities make available based on the needs expressed by entities to further facilitate the sharing of information.

Question 2. Are the current spare transformer resources, including the EEI STEP program, sufficient to mitigate the transformer loss scenario presented in the Oak Ridge National Laboratory report from a 1921-level solar storm (over 300 transformers)? What is the factual basis for your answer?

Answer. NERC is studying common mode failures, such as potential increases in failure rates from geomagnetic disturbances (GMD). The number of transformers that might be required to respond to a 1921-like GMD event has yet to be determined. A detailed study of the bulk power system reaction to vulnerable transformer failures must be completed, with suitable modeling and appropriate scenarios, to understand the resulting resiliency from operational procedures and spare equipment requirements.

The electric sector has a long history of successfully managing day-to-day risk to the reliability of the bulk power system. Mitigation efforts at threatened assets, NERC's Spare Equipment Database (SED), EEI's STEP, and the many pooling/bilateral agreements that exist will support utilities in responding to and managing bulk power system reliability in the event of a significant GMD. Generally there are a limited number of replacement spares available.
Spares are typically determined by assessing the likely failure risk and balancing that against prudent, regulatory review, allocation of investment funds. Individual failure rates of bulk power system transformers (transmission auto-transformers and generation start-up) typically are low (1-1.5%). As high voltage transformers, depending on size, can range in cost from $1M to $10M+ dollars and have replacement manufacturing times of 6 to 18 months, programs such as SED, STEP and equipment pooling arrangements support industry goals to address individual failures and allow for sharing of high-cost and long lead-time electric transmission assets.

NERC would like to offer the Committee some context regarding the ORNL study.\9\ FERC sponsored the study to evaluate the impacts from GMD that can cause the flow of geomagnetic induced currents (GIC) into high voltage transformers (345 kV, 500 kV and 765 kV), leading to their projected failure. A simplified bulk power system model was used to simulate GIC. Further, based on information gathered from measurements, descriptions of local geology, and validation from past observed GMDs, a zonal ground model was developed to represent the ground impedances.\10\ A set of GMD homogeneous intensities and orientations was developed, the resulting GICs were modeled, and quasi-direct current (DC) injections into transformer ground neutrals were calculated.

---------------------------------------------------------------------------
\9\ FERC sponsored ORNL report Meta-R-319 http://www.ornl.gov/sci/ees/etsd/pes/ferc_emp_gic.shtml.
\10\ Ground impedances form part of the circuit that determines GIC flows.
GIC results from changes in Earth's magnetic field caused by GMD.
---------------------------------------------------------------------------

Based on the results of the study, when the intensity of a homogeneously modeled GMD reaches 4,800 nanotesla per minute (projected as the intensity of the 1921 solar storm) at the 50 degree geomagnetic latitude in the Northern Hemisphere, nearly 1,000 high voltage transformers experienced GICs greater than 30 amps per phase and over 300 high voltage transformers experienced greater than 90 amps per phase. In these scenarios, all bulk power system lines were assumed to be in-service, a single system dispatch and loading was assumed, and the transformers experiencing the specified GIC neutral amperage were assumed to irreparably fail.

The assumption depicted in the study, and reflected in FERC's testimony at the hearing, is that all transformers with GIC at or above 90 amps per phase in their neutrals would catastrophically and simultaneously fail, causing an unrecoverable blackout for more than six months. More work is needed before one can draw that, or any, conclusion. The contention that all high voltage transformers will catastrophically fail simultaneously for the 4,800 nanotesla/minute scenario affecting 130 million people is a simplistic view, which ignores the dynamic and system operational character of the bulk power system. This forecast assumes the dynamic characteristics of the bulk power system and its resiliency are irrelevant parameters, all transformers are equally sensitive to GIC flows, and the system will neither act nor respond when transformers experience high levels of GIC. Further, it is unclear if the intensity of the field strengths, in reality, is homogeneous. Rather, the fields can be made up of a variety of structures creating local GIC flows, resulting in narrow concentrated impacts, rather than broad-scale effects.

There is a danger in overreacting to worst-case scenarios.
Industry organizations do take these issues seriously, but resources are limited. Over-commitment of resources to address the worst-case scenario will take resources away from addressing other, more probable risks. NERC's current work is focused on performing a realistic and responsible assessment of the impacts and priorities for mitigation, so that it is possible to balance the real risks and the costs of appropriate mitigation.

The appropriate use of the FERC study is as a screening assessment to identify those transformers that may be most vulnerable from GIC effects. The prudent next step is for additional detailed simulation of bulk power system behavior. For example, when the injected DC entering a transformer neutral reaches significant levels (e.g. 90 amps per phase), the resulting core saturation acts as a large reactor, and, therefore, demands large amounts of reactive power from the bulk power system. The reactive demand would result in voltage profile variations triggering automatic action in some cases, and operator action in others. High levels of GIC would also cause conventional current transformers to saturate, providing unreliable signals used to support system protection. Further, large quantities of harmonics would emanate from the saturated transformers, also interfering with system protection objectives. The effects of these characteristics on the bulk power system under multiple credible scenarios, loadings and system conditions must be simulated to ensure a full understanding of potential impacts. The bulk power system, when faced with the need for large amounts of reactive power, as when Hydro Quebec was faced with their 480 nanotesla per minute storm in 1989,\11\ may react in an unplanned or unexpected manner, including break-up, islanding, or collapse. Industry investigation is needed to determine the amount and extent of disruptions that might occur.
This analysis would include static, dynamic and transient simulations which model the non-linear behavior of each of the interconnections in North America. Once these analyses are complete, appropriate and jurisdictionally acceptable solutions, including grid hardening, relaying and spare equipment could be determined to maintain an acceptable level of reliability, given the relative risk from the GMD event.

---------------------------------------------------------------------------
\11\ http://www.nerc.com/files/1989-Quebec-Disturbance.pdf
---------------------------------------------------------------------------

Finally, the study was developed by FERC without industry vetting of the modeling approaches, simulation algorithms or basic data supporting the results. More assessment of the algorithms and simulation approaches with industry input is a vital next step, as addressed in testimony of Dr. William Tedeschi, Senior Scientist, Sandia National Laboratories.

Question 3. How effective has the current standards development process been in protecting against cyber and other non-cyber threats and vulnerabilities to the grid? Is it possible to use this process supplemented with NERC's emergency standards process and the Alerts process to get the job done?

Answer. NERC's mandatory and enforceable standards have resulted in unprecedented industry-wide focus and attention to protecting the grid against cyber and non-cyber threats. It may be possible to get the job done using standards and NERC's alert and advisory system, especially if NERC's proposal for Mandatory Directives is accepted. However, some agency in the federal government should be given authority to respond to a genuine cyber emergency, because such an emergency may demand swift and widespread action of a sort not achievable by the ERO, particularly given the challenge of translating classified information to industry in a useable form.
Response of Gerry Cauley to Question From Senator Portman

Question 1. Multiple levels of protection on the electric system have significant, additional costs, and may not be the most cost-effective means of mitigating known vulnerabilities or combating known threats. How would you recommend that determinations be made about additional security requirements that are ordered to be put into place? Should there be a risk assessment required to determine cost-effectiveness?

Answer. Yes, there should be. I believe the reliability investment that we are promoting every day through our standards, compliance program, alerts, and other initiatives, should be driven primarily by overall value to customers and ratepayers. It is important to achieve reliability risk mitigation in a manner that balances affordability of electricity in a competitive global market with the need to ensure the reliability and security of our North American electricity infrastructure. Additional security requirements should be identified through priorities and must be driven by a clear understanding of risks and consequences, as well as the costs and benefits associated with addressing them. In February, FERC held a technical conference to begin the discussion on the identification of priorities. The setting of priorities for NERC has to take into consideration the need to be responsive to regulatory directives from the Commission as well as priorities identified by Congress. Beyond simply discussing priorities there must be a systematic approach for analyzing risks and setting priorities going forward.

Responses of Gerry Cauley to Questions From Senator Shaheen

Question 1. There is wide agreement that our goal needs to be to prevent a cyber attack from ever being successful. But we also can't ignore the possibility that we will one day see some disruption in our infrastructure due to this kind of threat. If there was a successful attack on U.S.
electrical infrastructure, how widespread could the effects be? How much would this cost the economy?

Answer. The resilience of the bulk power system in North America is well documented and while we occasionally experience isolated outages due to weather or other natural disasters, those outages are generally limited in geographic areas and rarely last for a long period of time. Coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures differ from conventional risks in that they result from intentional actions by adversaries and are not simply random failures or acts of nature. Damage experienced during a cyber attack on a critical infrastructure like the electrical sector is difficult to quantify because there are too many variables, every potential attack is unique and most importantly, it has never happened before. However, it is difficult to imagine a scenario with the electric sector infrastructure in place today that would result in widespread outages for any significant length of time.

There are several major factors that could contribute to the cost of a cyber event: actual damage to equipment, economic losses due to lack of electricity; and perhaps most importantly, the human suffering that could ensue. Damage to equipment is manageable from a cyber perspective but physical attacks on equipment such as transformers, if methodically orchestrated by a determined adversary, could result in extended outages until replacement equipment was identified, transported and installed. Any extended outage, depending upon geographic location, could result in significant economic costs and impact on the safety and well-being of citizens.

Question 2. Is there anything that can be done to limit how much damage can result from a single attack?

Answer. Yes.
Critical Cyber Assets (CCA) are required to be segmented both from other system assets and each other. CCAs are incorporated into the larger Electronic Security Perimeter (ESP) that controls and identifies all access points within utilities. As a result of this segmentation, if one ESP is compromised, other ESPs are not necessarily compromised, thus limiting any attack damage. Limiting damage and the potential effects of a cascading environment is important to NERC and the electricity industry.

Current CIP Standards contain requirements for response and recovery planning for cybersecurity incidents. For example, NERC Reliability Standard CIP-008, Incident Reporting and Response Planning, requires that the Responsible Entity develop and maintain a cybersecurity incident response plan and implement the plan in response to cybersecurity incidents. At a minimum, the cybersecurity incident response plan must address:

    Procedures to characterize and classify events as reportable cybersecurity incidents.
    Response actions, including roles and responsibilities of cybersecurity incident response teams, cybersecurity incident handling procedures, and communications plans.
    A process for reporting cybersecurity incidents to the ES-ISAC. The Responsible Entity must ensure that all reportable cybersecurity incidents are reported to the ES-ISAC either directly or through an intermediary.
    A process for updating the cybersecurity incident response plan within 30 calendar days of any changes.
    A process for ensuring that the cybersecurity incident response plan is reviewed at least annually.
    A process for ensuring the cybersecurity incident response plan is tested at least annually. Testing the cybersecurity incident response plan can range from conducting a paper drill, to holding a full operational exercise, to responding to an actual incident.
NERC Reliability Standard CIP-009, Recovery Plans for Critical Cyber Assets, requires that the Responsible Entity create and annually review recovery plans for CCAs. At a minimum, the recovery plans must address the following:

    A definition of severity that would activate incident recovery plans.
    An annual review of exercise recovery plans.
    A process and procedure for the backup and storage of information required to successfully restore CCAs.
    Annual testing of information essential to recovery that is stored on backup media. This testing is to ensure that the information is available.

The bulk power system is highly redundant and planned with sufficient resources to accommodate unexpected loads, including contingency/reserve margins to meet balancing and regulation needs. Redundancy plays an important role for reliability and it implies that more than one means should exist to perform a given function. In the case of a targeted attack, it is this system redundancy that will mitigate system failure and cascading effects.

Question 3. Are the possible results of a successful cyber attack incorporated into broader reliability planning?

Answer. Yes. Establishment and continued refinement of NERC's enterprise risk-based programs, policies and processes to prepare for, react to, and recover from cybersecurity vulnerabilities continue to be a high priority. NERC's Reliability Assessments and Performance Analysis Division (RAPA) is dedicated to annually assessing the adequacy of the bulk electric system in the United States and Canada and produces special assessments to assist with planning purposes. In 2010, DOE and NERC produced the High Impact, Low Frequency (HILF) Event Risk to the North American Bulk Power System report which focused on a class of rare risks with the potential to cause long-term catastrophic damage to the bulk power system.
The HILF report looked at pandemic illness, coordinated cyber, physical, or blended attacks on the system, geomagnetic disturbances (GMD) caused by extreme solar weather, and the high-altitude detonation of a nuclear weapon. While some of these events have never occurred and the probability of future occurrence and impact is difficult to measure, the report identified nineteen proposals for action for government and industry to evaluate and where necessary, enhance current planning and operating practices to address these risks.

Following release of the HILF report, the Electricity Sub-Sector Coordinating Council (ESCC) developed the Critical Infrastructure Strategic Roadmap which provided a framework to address severe-impact risks, including those identified in the report. NERC staff and the leadership of the NERC technical committees (Planning, Operating, and Critical Infrastructure Protection Committees) have developed the Critical Infrastructure Strategic Initiatives (Coordinated Action Plan) to address these severe impact scenarios. The following task forces have been created to further develop this plan:

1. The Cyber Attack Task Force (CATF) is charged with considering the impact of a coordinated cyber attack on the reliable operation of the bulk power system and also identifying opportunities to enhance existing protection, resilience and recovery capabilities.

2. Physical attack scenarios are addressed in two task forces--the Severe Impact Resiliency Task Force (SIRTF) and the Spare Equipment Data Base Task Force (SEDTF). The SIRTF was formed to provide guidance and options to enhance the resilience of the bulk power system to withstand and recover from coordinated cyber and physical attacks as well as GMD.

3. The SEDTF was assigned to vet and redesign the SED, including policies and protocols for its deployment across North America.
NERC has for many years (early 1980's) operated an informal transformer-based Spare Equipment Database (SED) for assisting utilities following events that exceed planned contingencies. NERC is currently reorganizing and formalizing SED to provide wider coverage among the many NERC participants and provide broader coverage of the spare transformers to be reported to the program.

4. The Geo-Magnetic Disturbance Task Force (GMDTF) was formed to identify the current capabilities, potential impacts and resiliency to GMD. The GMDTF will also identify modeling requirements to support the requisite screening and detailed study of vulnerable transformers to understand bulk power system behavior and appropriate hardening and operational requirements. In April 2011, NERC sponsored an industry workshop on responding to geo-magnetic disturbances.\12\ On May 10, 2011, NERC issued an Advisory Alert to industry on the operational preparatory actions and bulk power system planning activities.\13\
---------------------------------------------------------------------------
\12\ See agenda at http://www.nerc.com/docs/pc/gmdtf/GMD_Workshop_rev6_04.19.2011.pdf
\13\ Industry Advisory, Preparing for Geo-Magnetic Disturbances, issued on May 10, 2011, http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf
---------------------------------------------------------------------------
______

Responses of David K. Owens to Questions From Senator Bingaman

Question 1. At the 2009 Committee hearing on electric cyber security, you testified that 1) consultation with industry was critical to improving cyber security and that 2) legislation should complement, not supplant, the existing reliability processes. Do you believe that the changes in today's Discussion Draft respond to your comments from last Congress? With which federal and state agencies do you coordinate on cyber security threats and vulnerabilities?

Answer.
We appreciate the Committee's continued efforts on this critical issue. The Committee's ``Discussion Draft'' still provides significant latitude for the Federal Energy Regulatory Commission (FERC) to act unilaterally in mitigating cyber vulnerabilities. Unintended consequences of mitigation are a concern absent input from the stakeholder-driven Electric Reliability Organization (ERO) process contemplated in Sec. 215 of the Federal Power Act.

The industry currently coordinates with law enforcement at both the state and federal level, as well as with state and Federal regulatory bodies, including FERC and the various state public utility commissions. At the Federal level we also continue to develop relationships and work with the Department of Defense, Department of Homeland Security, Department of Energy, as well as the intelligence community, senior Administration leadership, and standards bodies like the National Institute of Standards and Technology.

Question 2. Your testimony states that vulnerabilities, by their nature, offer some time to determine the best response. Do you believe that the process for addressing cyber security vulnerabilities in the Discussion Draft can be completed in sufficient time to address vulnerabilities?

Answer. Yes. In fact, we would encourage more coordination and stakeholder input, such as that outlined in Sec. 215 of the Federal Power Act.

Question 3. Your testimony highlights information sharing between government agencies and utilities as an important issue. Do you believe that this bill meets the needs of the industry in that area?

Answer. We appreciate the language in the ``Discussion Draft'' that requires procedures be set up for information sharing that enables the industry to implement rules or orders stemming from the legislation.
While we would prefer a very explicit mandate for sharing, as well as public-private coordination and consultation in all situations that time allows, we believe the Committee took an important step by addressing information sharing in its draft.

Question 4. You testified that industry is working with NERC to harden systems against and create redundancy in the systems to protect against the effects of solar disturbances. Can you provide an update on the general course of progress that members of your coalition are making? Does EEI believe that the power grid in the United States, or regions within it, is hardened against solar-magnetic disturbances or electromagnetic pulse from man-made events?

Answer. EEI has not performed a formal survey of its members, but we are aware that a number of EEI member companies have started to purchase transformers with features that provide protections against ground induced current like those caused by solar disturbances. In addition, EEI member companies are working with NERC to develop operational practices to mitigate risks associated with solar disturbances through its Geomagnetic Disturbance Task Force (GMDTF). In fact, on May 10, 2011, NERC issued an Industry Advisory on Preparing for Geo-Magnetic Disturbances. http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf

NERC is actively addressing a range of high-impact, low-frequency (HILF) risks to the bulk power system. These efforts are coordinated through several task forces on which EEI and EEI member companies participate, including: the GMDTF, the Spare Equipment Database Task Force, the Cyber and Physical Attack Task Force, and the Severe Impact Resilience Task Force.
The goal of these efforts is to develop models to better understand the nature and effects of Coronal Mass Ejections (CME), the vulnerabilities of equipment, bulk power system design considerations, ability to reduce the operational and real time impacts of geo-magnetic disturbances (GMD) on the bulk power system, inventory long-lead time equipment, and restoration methods. Additional information will be issued as findings from this assessment are completed.

EEI believes that efforts underway to mitigate risks associated with solar disturbances do, in fact, reduce risk. We believe, consistent with the testimony of Dr. William Tedeschi, more research is needed in this area to better understand potential impacts and identify additional effective risk mitigation strategies. EEI believes there are residual risks associated with solar-magnetic disturbances, and that there may not be 100% protection possible against the most severe events.

Regarding electromagnetic pulse events from man-made activities, we think that it is useful to differentiate between localized effects that might be created from a portable device to create disruptive electromagnetic energy vs. potential EMP from a high-altitude nuclear weapon. A localized disruption would be handled similarly to how electric utilities currently handle significant natural disasters. For example, in the event that a tornado, flood, hurricane, or wild-fire were to cause a particular facility to be non-operational, the electric utility would initiate restoration activities and, as appropriate, migrate operations to backup facilities. Regarding potential EMP effects resulting from the detonation of a high-altitude nuclear weapon, electric utilities rely on national defense to prevent such events from occurring.

Question 5.
NERC's High Impact, Low Frequency Event Risk to the North American Bulk Power System report states that the interconnected nature of the bulk power system requires that risk management actions be consistently and systematically applied across the entire system to be effective. If there are distribution-level systems and assets that are so vital that their loss would have a debilitating impact on national security, national economic security, or national public health or safety, why shouldn't we apply risk management processes consistently and systematically to this limited set of systems and assets? Do you think each state has adequate cyber expertise and has already taken the steps needed to protect distribution facilities?

Answer. To the degree there are distribution-level systems and assets that are so vital that their loss would have a debilitating impact on national security, national economic security, or national public health or safety, they could be protected in a manner consistent with the recently released Administration proposal for critical infrastructure protection. Given the interests of the States concerning distribution-level systems, it is important to coordinate protection strategies with them.

Question 6. NERC has stated that not all vulnerabilities can or should be addressed by a standard. Do you agree? If yes, what would be the appropriate means of addressing some of these vulnerabilities? Would you support making NERC directives other than standards mandatory and enforceable?

Answer. Cyber threats and vulnerabilities evolve very quickly and oftentimes are specific to a particular entity or type of asset, but standards are designed to ``standardize'' procedures or processes in a more long-term, broadly applicable way. Instead, patches and alerts are the preferred approach for addressing rapidly-evolving, targeted threats and vulnerabilities.
In limited circumstances and with stakeholder input designed to meet a very short deadline, it could make sense for NERC alerts or directives to be mandatory and enforceable. With respect to the limited circumstances, I would suggest classifying a fourth level of alert--currently, there are three--which would provide NERC with this authority under circumstances where failure to patch the vulnerability could have particularly devastating effects. With respect to industry input, we continue to make the case that, to the best of everyone's ability, unintended consequences from mitigation need to be avoided, and having grid engineers suggesting mitigation is the most prudent way to accomplish this.

Responses of David K. Owens to Questions From Senator Murkowski

Question 1. You note that the distinction between imminent threats and less time sensitive vulnerabilities is important. I understand that EEI, along with the rest of the industry, supports new federal authority to deal with emergency threats. However, you believe vulnerabilities are already covered through the Section 215 process so additional FERC authority in this area is not necessary. Is that correct? Do you support NERC's request to make their Alerts legally enforceable?

Answer. EEI supports new federal authority to deal with emergency threats; however vulnerabilities are already covered through the Section 215 process so additional FERC authority in this area is not necessary. Cyber threats and vulnerabilities evolve very quickly and oftentimes are specific to a particular entity or type of asset, but standards are designed to ``standardize'' procedures or processes in a more long-term, broadly applicable way. Instead, patches and alerts are the preferred approach for addressing rapidly-evolving, targeted threats and vulnerabilities.
In limited circumstances and with stakeholder input designed to meet a very short deadline, it could make sense for NERC alerts or directives to be mandatory and enforceable. With respect to the limited circumstances, I would suggest classifying a fourth level of alert--currently, there are three--which would provide NERC with this authority under circumstances where failure to patch the vulnerability could have particularly devastating effects. With respect to industry input, we continue to make the case that, to the best of everyone's ability, unintended consequences from mitigation need to be avoided, and having grid engineers suggesting mitigation is the most prudent way to accomplish this.

Question 2. You testified that any new government authority should be limited to covering truly critical assets--that over-inclusion of electric utility infrastructure would be counterproductive. Are you talking about allowing FERC to get down to the distribution level, even for ``vital'' assets? If we do allow FERC this additional authority, do you agree with NERC that the discussion draft should be amended to make sure the ERO, and the Section 215 stakeholder process, can cover this local level as well?

Answer. To the degree there are distribution-level systems and assets that are so vital that their loss would have a debilitating impact on national security, national economic security, or national public health or safety, they could be protected in a manner consistent with the recently released Administration proposal for critical infrastructure protection. Given the interests of the States concerning distribution-level systems, it is important to coordinate protection strategies with them. And, given the value of the ERO process, it is important that any FERC authority be buttressed by stakeholder input.

Question 3.
In the vulnerabilities section of the discussion draft, we have yet to specify the timeframes for FERC's initial determination on the adequacy of reliability standards and for NERC's response to any Commission directive. In EEI's opinion, what is the appropriate amount of time for these actions?

Answer. It is important to balance the need for FERC to have sufficient time to review the current standards in light of known potential vulnerabilities with the need to identify those potential vulnerabilities in an expeditious manner so that NERC can begin its standards development process. Given that FERC is already familiar with the existing body of standards, having previously approved them, a period of around 120 days may be appropriate. Similarly, the time for NERC to respond must also be a balance of the need to respond to potential vulnerabilities in a prompt manner while giving the NERC standards development process a sufficient time to complete the task. Given that NERC has adopted procedures that provide for faster action in certain cases, a similar 120-day period may be appropriate. FERC and NERC may have views on this issue.

Question 4. You note in your testimony that the new proposed authority for FERC to issue an ``Interim Final Rule'' could be done with no hearing or prior notice. The provision was written this way because the intent was for a NERC developed standard to eventually supplant the FERC Interim Rule. If the Committee fixes the discrepancy problem with NERC's ability to reach the distribution level do you still have due process concerns?

Answer. Since NERC does not have authority to develop standards for facilities used in local distribution, this effectively means FERC would be writing standards or directing operational changes for distribution facilities.
Giving FERC this jurisdiction over local distribution facilities is contrary to both Section 215 and the Federal Power Act as a whole, which excludes from federal jurisdiction facilities used in the local distribution of electric energy.

However, EEI remains concerned with the provision even if distribution facilities were removed. As I pointed out in my written and oral testimony, utilities understand how their complex systems are designed and operated and ``are in a unique position to understand the consequences of a potential malicious act as well as proposed actions to prevent such exploitation, including ensuring against unintended consequences of remedial actions. It is critically important to establish a workable structure that enables the government and the private sector to work together in order to provide a more secure system for our customers.'' This is why it is vitally important that there be consultation and an opportunity for comment, even if expedited, before FERC could develop an ``interim final'' rule. An interim final rule is, in effect, ``final'' until replaced with another rule. Industry consultation is imperative in order to develop a solution that protects utility systems and customers. This is an integral part of the public-private partnership that the majority of witnesses at the hearing endorsed.

Question 5. The potential threat from an EMP attack or geomagnetic disturbances is not new. Given the existing knowledge of the potential for these types of disruptions, what steps have been taken to protect our grid from EMP and geomagnetic-related events? Are hardening standards in place for new products being placed onto the grid?

Answer.
Although the threats posed by potential EMP effects resulting from the detonation of a high-altitude nuclear weapon are not new, the discussion of the potential for a rogue nation to launch and detonate a small number of high-altitude nuclear weapons is relatively new, and significantly different than a ``cold war'' discussion of ``mutually assured destruction.'' The industry is not in the position to evaluate the threats posed by potential rogue nation(s) in this regard.

A number of electric utilities and regional transmission operators have developed operational procedures to reduce the risk to the system during elevated periods of solar disturbance activities. In addition, entities receive and evaluate solar magnetic event predictions generated by National Oceanic and Atmospheric Administration (NOAA) Space Weather Prediction Center (SWPC).

There are no uniform (standard) specifications for new transformers to mitigate ground induced currents associated with solar magnetic disturbances. Moreover, there are a number of installation specific attributes to be factored into potential designs including the characteristics of the energy to be transformed (e.g. voltage, impedance, etc.) as well as the relative resistance/conductivity or underground rock formation of the installation site. EEI has not performed a formal survey of its members, but we are aware that a number of EEI member companies have started to purchase transformers with features that provide protections against ground induced current like those caused by solar disturbances. Although entities purchasing new transformers can designate product characteristics that may mitigate the risk of geomagnetic disturbances, they are not required to do so.

Question 6. Please describe the industry's existing Spare Transformer Sharing program. What more can be done in this area?

Answer.
Please see attached STEP Overview document.*
---------------------------------------------------------------------------
* Document has been retained in committee files.
---------------------------------------------------------------------------

Responses of David K. Owens to Questions From Senator Udall

Question 1. Has the Aurora vulnerability been effectively mitigated, and how is this verified? What is the factual basis for your answer?

Answer. On October 13, 2010, NERC issued an Alert titled ``AURORA Mitigation--Protection and Control Engineering Practices and Electronic and Physical Security Mitigation Measures.'' NERC required registered entities to respond to NERC regarding their mitigation status. Those entities that have not completed mitigation are required to report their status to NERC every six months until they are complete. NERC is best able to provide an answer to your question.

Question 2. Are the current spare transformer resources, including the EEI STEP program, sufficient to mitigate the transformer loss scenario presented in the Oak Ridge National Laboratory report from a 1921-level solar storm (over 300 transformers)? What is the factual basis for your answer?

Answer. The EEI STEP program is currently structured to address responding to a terrorist attack on substations and transformers, rather than a geomagnetic disturbance. Although there are spare transformers available, it is not known with certainty whether the available spares would adequately respond to the scenario envisioned in the Metatech report. We don't have access to the assumptions, methodology or selection criteria used by Metatech, or how the conclusion regarding transformer failure was arrived at. It is our understanding that the report was not subject to scientific or industry peer review.

Question 3. How effective has the current standards development process been in protecting against cyber and other non-cyber threats and vulnerabilities to the grid?
Is it possible to use this process supplemented with NERC's emergency standards process and the Alerts process to get the job done?

Answer. It's effective and improving. Yes, it's possible to get the job done as you suggest, and given the complexity of the bulk power system, it is critical to continue to actively engage owners and operators of the system as well as industry stakeholders in the development of mandatory and enforceable standards.

Response of David K. Owens to Question From Senator Portman

Question 1. Multiple levels of protection on the electric system have significant, additional costs, and may not be the most cost-effective means of mitigating known vulnerabilities or combating known threats. How would you recommend that determinations be made about additional security requirements that are ordered to be put into place? Should there be a risk assessment required to determine cost-effectiveness?

Answer. Risk assessments should be used to prioritize threats and vulnerabilities and evaluate potential risk mitigation strategies. In a resource-constrained environment, choices will have to be made about which risks to address, and to what degree. It is appropriate to recognize that it is simply not possible to prevent all failures. In addition to prevention, the electric utilities have demonstrated a significant resilience in response to various local and regional disasters.
______

Responses of Joseph McClelland to Questions From Senator Bingaman

Question 1. The Discussion Draft creates a process to address cyber security vulnerabilities affecting critical electric infrastructure. The Discussion Draft left open the following question: what is the maximum number of days the Federal Energy Regulatory Commission (FERC) should be granted to determine whether the existing set of reliability standards are adequate to protect this infrastructure from cyber security vulnerabilities.
Can you estimate how long, in days, it might take FERC to make this determination?

Answer. I believe 120 days would be adequate for FERC to make this determination. This would include time for the Commission to issue a proposed determination, seek and consider public comments and then issue its determination.

Question 2. How long should NERC have, in days, to develop standards in response to a FERC directive to address cyber security vulnerabilities?

Answer. I believe 60 days would be adequate for NERC to develop standards in response to a FERC directive.

Question 3. Your testimony states that NERC submitted eight proposed cyber security standards, known as the Critical Infrastructure Protection (CIP) standards, to FERC for approval under section 215. Your testimony further states that FERC approved those standards in 2008 but directed NERC to make certain revisions. As I understand it, NERC continues to work on those revisions and plans to submit them to FERC somewhere in 2012. If submitted in 2012, development and approval of the first set of cyber security standards will have lasted around 6 years. Why has this process lasted this long?

Answer. The length of time it has taken for the CIP standards to be developed and implemented illustrates the potential limitations of NERC's standards development process. Under section 215 of the Federal Power Act, the ERO's standards development process must provide for reasonable notice and opportunity for public comment, due process, openness, and balance of interests in developing reliability standards. Accordingly, NERC's standards development procedures, under which the CIP standards must be developed, allow for extensive opportunity for stakeholder participation. The NERC standards development process is intended to develop consensus on both the need for, and the substance of, the proposed standard. This results in a relatively slow process.

Question 4.
Can FERC describe the advantages of having a definition of ``Critical Electric Infrastructure'' that is slightly more expansive than the current definition of ``Bulk Power System''? Answer. The ERO's current interpretation of the definition of bulk- power system excludes virtually all of the grid facilities in certain large cities such as New York. Moreover, the bulk-power system is statutorily defined as excluding facilities used in local distribution. Thus, the advantage of having a definition of ``Critical Electric Infrastructure,'' as set forth in the Discussion Draft that is more expansive than the current definition of ``bulk-power system,'' as defined in section 215(a)(1) of the Federal Power Act, is the Commission would be, for the first time, authorized to take action to mitigate cyber security vulnerabilities that involve certain critical distribution facilities and certain critical transmission facilities located in major population areas. However, the Discussion Draft includes these facilities only if their incapacity or destruction ``would have a debilitating impact on national security, national economic security, or national public health or safety.'' Question 5. Your testimony states that the Federal Power Act allows for some degree of discretion in defining elements of the Bulk Power System. (Your 2009 testimony made the same point.) From FERC's perspective, has progress been made to the processes of identifying critical assets? Do users, owners, and operators have the same level of discretion some two years later? Answer. In February 2011, NERC filed a petition seeking approval of Version 4 of the CIP standards. Version 4 includes new proposed criteria to identify ``critical assets'' for purposes of the CIP reliability standards. This filing is currently under review by the Commission. Thus, I cannot address its merits at this time. 
In order to better understand the NERC Version 4 petition, particularly the number of critical cyber assets that will be identified under this revision, the Commission issued data requests to NERC, with responses due on July 11, 2011, which reflects an extension of time requested by NERC. Currently, users, owners and operators essentially have the same discretion as to whether their facilities fall under the CIP standards because there has been no change in method of identifying critical cyber assets in the CIP Standards that are currently in-effect. Question 6. Do you think every State has adequate cyber expertise to protect distribution-level systems and assets that that are so vital that their loss would have a debilitating impact on national security, national economic security, or national public health or safety? Answer. I do not know whether every State has adequate cyber expertise to protect these distribution-level systems and assets. However, expertise and coordination at the state level would have to include the knowledge of how cyber security vulnerabilities on the distribution-level systems and assets, along with their associated connectivity, could have a debilitating impact on the bulk-power system as well as on national security, national economic security, or national public health or safety. Question 7. NERC indicated that industry learned lessons and hardened a lot of equipment following the 1989 geomagnetic disturbance that affected Quebec. Does FERC believe that the power grid in the United States, or regions within it, hardened against solar-magnetic disturbances or electromagnetic pulse from man-made events? Answer. I am not aware of information showing that the power grid has been hardened to withstand a geomagnetic disturbance or an EMP event. Steps taken after the 1989 geomagnetic event are principally operational in nature. 
Further, according to the NERC--DOE High Impact, Low Frequency Event Risk to the North American Bulk Power System Summary Report (June 2010), the procedures put in place after the 1989 geomagnetic event were not designed for the extreme geomagnetically induced current (GIC) levels considered in the NERC-DOE study. The recommended actions in the NERC-DOE study include monitoring of NOAA alerts, reducing loading on critical transmission facilities, increasing generation reserves, and deferring or discontinuing maintenance. Some utilities have readjusted protection systems to be more tolerant of harmonic currents in order to reduce the probability of undesirable operation under GIC conditions. However, none of these actions reduce or prohibit the flow of GIC on the system and are not considered to be hardening of equipment to protect against an EMP event. Although we have received information about a few utilities that have attempted to harden some individual elements within their systems against either a solar magnetic disturbance or an EMP event, overall, the U.S. power grid has not been hardened against either. Question 8. NERC stated that legislation that provided for both standards and other NERC directives to be legally enforceable would significantly enhance cyber security. NERC's alerts process is contained within the NERC Rules of Procedure. Did NERC file these rules with FERC? If yes, what was the stated intent of the alerts program in the NERC filing? Did FERC formally approve these rules? What role, if any, does FERC play in the NERC alerts process? Answer. Yes, the ERO is required by section 215(f) of the Federal Power Act to file with the Commission for approval any proposed rule or proposed rule change. A proposed rule or change to the rules of the ERO (NERC) may not take effect until the Commission approves the rule. 
NERC's ``alert process'' is set forth in section 810 of its Rules of Procedure, ``Information Exchange and Issuance of NERC Advisories, Recommendations and Essential Actions.'' NERC has stated that the purpose of section 810 is to allow NERC to disseminate findings and recommendations from its analyses of major events and information on other events and on potential bulk-power system vulnerabilities. The Commission formally approved section 810 of NERC's Rules of Procedure by order dated February 6, 2008. See North American Electric Reliability Corp., 122 FERC 61,105 (2008). The Commission's role with respect any NERC advisory, recommendation, or essential action notice is set forth in section 810(5) of the Rules of Procedure. Specifically, NERC is required to give the Commission at least five days prior notice, or less if necessary due to extraordinary circumstances, of NERC's intention to issue an advisory, recommendation or essential action notice This provides the Commission an opportunity to provide input regarding the content of the advisory, recommendation or essential action notice. However, neither the NERC Rules of Procedure nor the Commission's regulations require NERC to accept any Commission input. Further, none of the Alerts are mandatory for the industry to follow. Responses of Joseph McClelland to Questions From Senator Murkowski Question 1. Through the definition of ``critical electric infrastructure,'' the discussion draft legislation extends FERC's jurisdiction beyond the Bulk Power System to the distribution level as long as those systems or assets are ``vital'' to the nation's security, economy, public health or safety. However, as discussed at the May 5th hearing, NERC's authority as the ERO does not extend to the distribution level. 
In the discussion draft text, we were trying to respect the Section 215 stakeholder process--the idea being that if FERC directed the ERO to develop or modify a cyber standard to protect ``critical electric infrastructure'' that standard would be developed through the existing stakeholder process. If FERC found that standard to be inadequate, only then would the Commission be authorized to develop an interim back-stop standard. And that FERC standard would eventually be supplanted by an acceptable NERC produced standard. It was not my intent to allow FERC sole discretion to dictate standards at the local level or bypass the Section 215 process altogether. Please comment. Answer. I agree that the discussion draft does not eliminate the ERO's standards development role. However, if the ERO fails to submit a timely and adequate standard or modification, the discussion draft would allow the Commission to issue an interim final rule. The discussion draft is unclear on whether the Commission may take such action in other circumstances but, as I stated in my testimony, FERC should be able to require mitigation even before or while NERC and its stakeholders develop a standard, when circumstances require urgent action. Should the Commission require an action on the distribution system, the Commission could rescind the action when no longer necessary. If your intention is to allow the ERO to develop reliability standards to address distribution level cyber vulnerabilities, the discussion draft may need to be modified. Question 2. The discussion draft defines the term ``Critical Electric Infrastructure'' as follows: . . 
.means systems and assets, whether physical or virtual, used for the generation, transmission, or distribution of electric energy affecting interstate commerce that, as determined by the Commission or the Secretary (as appropriate), are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety. To what extent are distribution assets captured in this definition? Answer. Distribution systems and assets are captured by the proposed Critical Electric Infrastructure definition in the discussion draft, if their incapacity or destruction would have a debilitating impact on national security, national economic security or national public health or safety. Question 3. Do you read the discussion draft as allowing both FERC and DOE to develop different lists of critical assets? If so, can you provide clarifying language to the Committee? Answer. Yes. The discussion draft authorizes the Commission or DOE to identify critical electric infrastructure systems and assets. If this approach is deemed inappropriate, the definition of Critical Electric Infrastructure could be clarified as follows: The term `critical electric infrastructure' means systems and assets, whether physical or virtual, used for the generation, transmission, or distribution of electric energy affecting interstate commerce that, as determined by the Commission in consultation with the Secretary or the Secretary (as appropriate), are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety. [Note: For printing purposes, in the above text, italic represents double underlined language and bold represents strike through language.] Question 4. 
Currently, how do FERC and DOE work together to assess threats and vulnerabilities? Have there been any problems with this working relationship? How do the two agencies coordinate with the government's intelligence agencies? How does FERC coordinate with NERC on these issues? Answer. FERC, DOE, DHS, DOD, NRC, FBI, NSA and CIA share information about vulnerabilities to the electric grid. That interaction includes ad hoc meetings on specific topics (such as Stuxnet) and participation in established forums. FERC participates in and supports the Government Coordinating Council for the Energy Sector (for which DOE is the sector-specific agency), the Industrial Control Systems Joint Working Group (organized by DHS) and the Roadmap to Secure Control Systems in the Energy Sector (sponsored by DOE and DHS). FERC also receives technical information and daily reports on threats and vulnerabilities from DHS, the U.S. CERT (Cyber Emergency Response Team), the ICS CERT (Industrial Control Systems CERT) and the SCADA Test Bed. To date, I have not seen any problems with this working relationship. FERC and NERC coordinate in a number of ways. These include FERC briefing NERC and the industry on threats and vulnerabilities and receiving information through the Electric Sector Information Sharing and Analysis Center (operated by NERC). In addition, FERC works with NERC on every Alert issued to the Electric Sector by NERC. FERC provides technical analysis and input to the Alerts. Question 5. In your testimony, you note that the Commission has existing authority to direct NERC to develop a reliability standard to address a particular issue, including a cyber security matter, pursuant to Section 215(d)(5) of the Federal Power Act. To date, FERC has not used this authority, which is noted in the DOE/IG report you reference. Why not? Are you aware of any current vulnerabilities that NERC is not addressing? Answer. 
The Commission has used its FPA section 215(d)(5) authority to direct the ERO to address cyber security matters. Specifically, on January 18, 2008, in Order No. 706, the Commission directed the ERO, pursuant to section 215(d)(5) of the FPA, to develop significant modifications to the CIP standards the ERO submitted to the Commission for approval to address vulnerabilities identified by the Commission. To date, the majority of the Order No. 706 directed modifications to the CIP standards have not been completed by NERC. Until they are addressed, there are significant gaps in protection such as inadequate identification of critical cyber assets. NERC is in various stages of its standards development process to address these directed modifications. Section 215 of the FPA does not allow the Commission to write or modify the standards, therefore the Commission must rely on the ERO's standards development process to answer the Commission's directives such as those in Order No. 706. This authority is inadequate to address cyber threats and vulnerabilities on the power grid. The DOE-IG report also concluded that this authority was inadequate and recommended the Commission seek additional authority from Congress. Question 6. You note that the existing reliability standards do not address EMP vulnerabilities. Can't FERC order NERC to produce EMP- related standards pursuant to Section 215? If so, why hasn't the Commission taken such action? Answer. Yes. The Commission can order the ERO to address EMP vulnerabilities under Section 215. However, to date, the Commission has focused on cyber security issues identified in Order No. 706 which remain largely unaddressed, as explained in question #5 above. In order to better understand the EMP issue and inform our actions, the Commission initiated a joint study with DOE and DHS through the Oak Ridge National Laboratory. This study was just completed September 20, 2010 and was released for peer review at that time. 
From that time, the Commission has been considering possible options to address this matter including use of its FPA 215 authority. However, the Commission has found the standards development process to be too slow, too open and too undependable to protect the grid from vulnerabilities and threats that can imperil national security. Physical or non-cyber events or attacks, such as an EMP attack, can damage the grid as much as, or more than, cyber attacks. These events might vary significantly and range from natural causes such as solar-magnetic storms to deliberate and coordinated attacks on specific equipment such as bulk power transformers. Legislation including non-cyber vulnerabilities would authorize regulatory requirements, quickly if necessary, to install and actuate protection measures against a solar storm (or threat of an electromagnetic pulse attack) or the stockpiling and sharing of costs for spare transformers. Question 7. You state that NERC's inclusive stakeholder process, while appropriate for developing routine reliability standards, can serve as an impediment when immediate measures need to be taken to address threats to national security. However, the discussion draft bifurcates federal authority--it tasks DOE with responding to immediate threats and FERC, through the NERC process, with responding to less time-sensitive vulnerabilities. What is FERC's position on this proposed bifurcation? Does the additional authority granted in the discussion draft to the Energy Department for imminent threats address your concerns? Answer. The discussion draft allows for protection of critical electric infrastructure against all cyber security vulnerabilities and threats. The legislation directs FERC to address cyber security vulnerabilities of the Nation's critical electric infrastructure. These vulnerabilities may sometimes be urgent even if an ``imminent danger'' of a threat has not yet been adequately documented. 
To this extent, the discussion draft's authorization for the Department of Energy to address imminent threats is not, by itself, an adequate solution. The discussion draft places the responsibility and authority to address cyber security vulnerabilities of the electric grid with the agency that is already charged with regulating reliability and cyber security of the bulk-power system and is therefore experienced and expert in regulating these matters. Should the discussion draft retain the separation of FERC and DOE responsibilities, FERC expects to coordinate with DOE in order to prevent overlap of our actions regarding FERC's responsibility to address ``vulnerabilities'' and DOE's responsibility to address ``threats.'' FERC already coordinates with and has an excellent working relationship with many other agencies such as DOE, DHS, DOD, NRC, FBI, NSA and CIA to avoid duplicative or conflicting actions. Question 8. What is FERC's position on making NERC's Alerts legally enforceable? Answer. Allowing NERC to issue legally enforceable ``Alerts'' would vest too much authority in a non-government organization. Question 9. It appears from your testimony that FERC has been frustrated with NERC's process and timeliness in identifying critical assets. However, NERC's revised ``bright-line'' proposal for identifying these assets has been pending with the Commission since February. Why hasn't the Commission acted on this proposal to fill in this gap? Couldn't FERC accept this standard and, at the same time, request additional information if needed? Answer. In February 2011, NERC filed a petition seeking approval of Version 4 of the CIP standards. Version 4 includes new proposed criteria to identify ``critical assets'' for purposes of the CIP reliability standards. This filing is currently under review by the Commission. Thus, I cannot address its merits at this time. 
In order to better understand the NERC Version 4 petition, particularly the number of critical cyber assets that will be identified under this revision, the Commission issued data requests to NERC, with responses due on July 11, 2011, which reflects an extension of time requested by NERC. Currently, users, owners and operators essentially have the same discretion as to whether their facilities fall under the CIP standards because there has been no change in method of identifying critical cyber assets in the CIP Standards that are currently in-effect. Question 10. In the vulnerabilities section of the discussion draft, we have yet to specify the timeframes for FERC's initial determination on the adequacy of reliability standards and for NERC's response to any Commission directive. In FERC's opinion, what is the appropriate amount of time for these actions? Answer. See the responses to Senator Bingaman's Question Nos. 1 and 2. Question 11. In the 2007 Energy Independence and Security Act (EISA), Congress directed NIST and FERC to work on interoperability standards for smart grid devices, including cyber security standards. What is the status of this effort? Do the discussion draft's provisions build on or supersede EISA's efforts to improve the cyber security of smart grid devices? Answer. The most recent Commission action regarding interoperability standards for smart grid devices was a technical conference held on January 31, 2011 to obtain further information to aid the Commission's determination of whether there is ``sufficient consensus'' that certain smart grid interoperability standards are ready for Commission consideration in a rulemaking proceeding. By notice issued February 16, 2011 the Commission sought industry comments. Comments were filed April 8, 2011 and reply comments were filed April 22, 2011. The discussion draft's provisions complement EISA's efforts to address cyber security of smart grid devices. 
EISA requires the Director of the National Institute of Standards and Technology (NIST) to coordinate the development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems. When the Commission finds that NIST's work has led to sufficient consensus, the Commission's task is to institute a rulemaking to adopt such standards and protocols as may be necessary to insure smart grid functionality and interoperability in interstate transmission of electric power, and regional and wholesale electricity markets. Because the smart grid interoperability standards are developed using a consensus approach, similar to NERC's development of reliability standards, the process can be slow. Thus the discussion draft provisions would allow the Commission, if necessary, to move quickly and effectively to address cyber security vulnerabilities that may arise from the implementation of smart grid technology. Question 12. You testified that you support ``clarifications that might better ensure recovery of costs incurred under this legislation.'' Can the Commission provide proposed text? Answer. As I stated in my testimony, ``it is important that entities be able to recover costs they incur to mitigate vulnerabilities and threats.'' However, ensuring cost recovery is complex because the affected utilities include not only public utilities regulated under sections 205 and 206 of the Federal Power Act but also non-public utilities. Also, some utilities charge cost-based rates while others charge market-based rates. Given these complexities and others, I do not have specific text to suggest at this time, but the affected utilities may have considered this issue in more depth. Question 13. At the May 5th hearing, you testified that FERC should only get out in front of the ERO in ``limited circumstances.'' Please elaborate. 
Can FERC provide the Committee with language to capture only these limited circumstances? Answer. The discussion draft would authorize the Commission to take immediate action to address a cyber security vulnerability, i.e., get out in front of the ERO by issuing an interim final rule, only if the Commission determines immediate action is necessary. The discussion draft language, in subsection (b)(6)(B), appropriately frames these ``limited circumstances'' as those of immediacy. To clarify this point, however, this subsection could be modified by adding the following at the beginning of subsection (b)(6)(B): ``Notwithstanding paragraph (A). . ..'' Question 14. The Energy Committee's discussion draft is an electricity-sector only cyber piece. Does FERC prefer a comprehensive, government-wide approach to cyber security issues? Answer. FERC has no preference, but if a government-wide course is pursued, care should be taken to ensure that the two approaches complement each other, preserving or even enhancing FERC's ability to regulate effectively under legislation such as the discussion draft. The discussion draft would authorize FERC to address cyber security vulnerabilities of the Nation's critical electric infrastructure. By doing so, the legislation places the responsibility and authority to address cyber security vulnerabilities of the electric grid with the agency that is already charged with regulating reliability and cyber security of the bulk-power system and is therefore experienced and expert in theses matters. The discussion draft does not preclude or discourage FERC from working with other agencies or even a central authority (if Congress or the President elects to establish one) to address and mitigate these issues. In fact, in order to be most effective, the Commission would need to coordinate closely with other agencies and bring all resources and expertise to bear on the particular vulnerability or threat presented. 
FERC already works closely with agencies such as DOE, DOD, DHS, NSA, FBI, NRC, CIA in these matters and expects to continue to do so if the proposed legislation is passed; even in combination with other cyber security legislative efforts affecting other industries and agencies. Responses of Joseph McClelland to Questions From Senator Udall Question 1. Has the Aurora vulnerability been effectively mitigated, and how is this verified? What is the factual basis for your answer? Answer. No, I am not aware of any information showing that it has been effectively mitigated. The latest effort to further mitigate the Aurora vulnerability involved NERC and several federal agencies. This mitigation effort included the controlled release to industry of a significant body of technical information about the vulnerability and NERC's issuance of a Level 2 Recommendation in October 2010. The Level 2 Recommendation set forth mitigation steps that asset owners could take voluntarily and required feedback on six related questions. Other than responding to the questions, no actions described in the Recommendation were mandatory. The responses indicated that the majority of the companies had not completed their mitigation plans, their mitigation efforts or even whether the plans would be effective. Question 2. Are the current spare transformer resources, including the EEI STEP program, sufficient to mitigate the transformer loss scenario presented in the Oak Ridge National Laboratory report from a 1921-level solar storm (over 300 transformers)? What is the factual basis for your answer? Answer. I do not have any information to substantiate that current spare transformer resources from the EEI STEP program are sufficient to mitigate the projected losses from such a storm--up to 368 transformers. 
Moreover, the EEI STEP program was designed as a transformer asset sharing program which assists a participating utility in the restoration of electric service in the event of an act of deliberate destruction of utility substations. This program is designed to reduce the acquisition of transformers by aggregating the needs, in a particular voltage class, among utilities that participate in that program class. While this program may assist any one utility in restoration under a large scale destructive event, it is not designed to mitigate the multiple utility losses as in the case scenario presented in the Oak Ridge Study. Question 3. How effective has the current standards development process been in protecting against cyber and other non-cyber threats and vulnerabilities to the grid? Is it possible to use this process supplemented with NERC's emergency standards process and the Alerts process to get the job done? Answer. The current standards development process has not resulted in cyber security standards that adequately protect the grid against cyber vulnerabilities or threats. More than three years has passed since the Commission issued Order No. 706 directing significant modifications to the eight Critical Infrastructure Protection reliability standards. Most of the directed modifications have not been made yet. In addition, the level of sophistication of cyber and other national security threats has increased and more hacker attention is being focused on control systems. NERC's emergency standards process and its ``Alerts process'' are not enough to bridge the gap in protection. NERC's Alerts are voluntary and are subject to the same limitations as the standards such as open disclosure and unpredictable results. 
Further, NERC's emergency standards process calls for an urgent action standard to be developed within 60 days and submitted to the Commission for approval or remand (which could be further expedited by a written finding by the NERC board of trustees that an extraordinary and immediate threat exists to bulk-power system reliability or national security). Should the Commission approve the standard, it becomes mandatory for two years and must be replaced, requiring the standards development process to produce a replacement standard. Moreover, while it is untested and unclear, NERC's urgent action procedures could widely publicize both the vulnerability and the proposed solutions before they are even deployed, thereby negating their effectiveness. If faced with a national security risk to reliability, there may be a need for an order by the Commission to act directly; expeditiously, within hours or days, rather than weeks or months; and confidentially, in a manner that protects certain information from public disclosure. Thus, even with NERC's emergency standards process and Alerts process there is a continued need for a process to mandate immediate and confidential security measures. The best method for adopting and implementing mandatory and confidential security measures quickly is through direct federal agency action. Responses of Joseph McClelland to Questions From Senator Portman Question 1. Is it your understanding that the joint discussion draft pertaining to cyber-security of critical electric infrastructure would extend the jurisdiction of the Federal Regulatory Commission to include distribution of assets for purposes of ensuring reliability standards are adequate to protect Critical Electric Infrastructure? Answer. Yes, see my response to Senator Murkowski's Question No. 2. 
Distribution systems and assets would be included only if their incapacity or destruction would ``have a debilitating impact on national security, national economic security, or national public health or safety.'' Question 2. Since distribution assets are generally under the jurisdiction of the states where they are located, do you anticipate conflicts with various state laws and regulations or, perhaps, other federal initiatives such as interoperability standards for Smart Grid? Answer. No. The discussion draft would expand the Commission's jurisdiction over certain critical distribution assets for the limited purpose of protecting such assets from cyber vulnerabilities. Thus, this limited expansion of the Commission's jurisdiction would preempt state authority in this discrete area, thereby avoiding any potential conflict. With respect to other federal initiatives, the Commission would coordinate with other agencies, as necessary, to prevent overlap of orders or enforcement actions regarding FERC's responsibility to address cyber vulnerabilities. FERC already coordinates with many other agencies such as DOE, DOD, DHS, NRC, NSA, FBI and CIA to avoid duplicative or conflicting actions. Question 3. Should conflicts arise, how do you envision these conflicts will be resolved? Answer. See above response to your Question No. 2. Question 4. Do you believe that FERC jurisdiction over distribution of assets is necessary? Answer. Without FERC jurisdiction over distribution assets that fit the definition of critical electric infrastructure, cyber vulnerabilities and threats would not be not be mitigated as proposed by this legislation. Similar to how a compromise at the bulk-power system level could impact the nation, this subset of distribution facilities needs the same level of protection that would be applicable to the bulk-power system to deter against having a debilitating impact on national security, national economic security, or national public health or safety. 
Question 5. What do you think will be accomplished that is not already being accomplished? Answer. With FERC's experience and expertise of the mandatory security requirements to protect the bulk-power system from compromise, FERC can provide an effective protection effort. For example, FERC will be able to address the protection of distribution-level systems and assets, along with their associated physical and virtual connectivity, to protect the reliability or operability of the bulk-power system. This would translate into having the necessary protection measures for certain distribution facilities in concert with measures required for the bulk-power system for national security, national economic security, or national public health or safety. Question 6. The discussion draft permits FERC to issue an interim rule if the Electric Reliability Organization fails to meet deadlines established by FERC. What do you envision will be the role of the Electric Industry in helping FERC to get an interim rule right? Answer. FERC's orders and appeals allow the affected industry members to participate whenever practical to help ensure that the measures contained within an interim FERC rule are appropriate for expeditious and effective implementation for security of the bulk-power system. FERC's processes allow the affected utilities the option to engage in the process and provide their perspective and any alternative ideas before they are implemented. Question 7. Multiple levels of protection on the electric system have significant, additional costs, and may not be the most cost- effective means of mitigating known vulnerabilities or combating known threats. How would you recommend that determinations be made about additional security requirements that are ordered to be put in to place? Should there be a risk assessment required to determine cost- effectiveness? Answer. 
The consequences of an entity having an ineffective security posture can be catastrophic, reaching far beyond that entity. Coordinated and simultaneous cyber attacks meant to cause physical damage to large electrical equipment with long lead times for replacement can cause prolonged outages for specific areas of the country. For this reason, considerations regarding cost effectiveness in the cyber security realm are different from the typical cost effectiveness that has been considered for more traditional scenarios. In most scenarios, the limitations and risks are known and quantifiable or at least capable of being estimated based on prior experiences such as severe weather. With cyber security, cost considerations should consider both the known risks as well as ones that have not yet been discovered. In light of these complexities, considerations such as the life-cycle of equipment based on its upgradeability and the consequences of successfully exploiting any cyber vulnerabilities must be considered in addition to more traditional procurement and operational cost measures. For example, according to public reports, the recent Stuxnet malware exploited several zero-day (previously not widely known) software vulnerabilities. Control system owners were not even aware of these vulnerabilities until months after Stuxnet was launched, but their emergence required prompt mitigation regardless of the associated costs. Although this threat was mitigated, cyber security is not a one-time event. It is a continuing process involving technology, security processes and human interaction. Therefore, the appropriate showing of cost effectiveness is that the measures taken fit into a comprehensive security program that involves prevention, detection and recovery from a security breach.

Responses of Joseph McClelland to Questions From Senator Shaheen

Question 1.
I've heard from the NH electric co-operative about their concerns in granting FERC authority to regulate at the distribution level of our electric system. Regulation at this level is traditionally handled by the state. What authority, if any, does FERC have right now to regulate distribution facilities in the U.S.?

Answer. Section 215 of the Federal Power Act expressly does not apply to local distribution facilities. These facilities are also generally exempt from FERC's rate regulation, although limited exceptions apply if the facilities are used in providing FERC-jurisdictional services. The additional authority over distribution facilities proposed in the discussion draft would be very limited in nature. It would only allow the Commission to regulate distribution facilities that are ``so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety.'' In addition, the current proposal would only allow the Commission to regulate that discrete set of facilities for the purpose of addressing cyber security vulnerabilities.

Question 2. The current NERC standard development process is a ``bottoms up'' approach that works with electricity sector experts in the U.S. and Canada to develop technical standards that take into account the differences among more than 3000 individual North American utilities. Why does FERC think this should be replaced with a standards process that would emanate from Washington, DC?

Answer. FERC does not think that the current NERC standards development process should be replaced. And the discussion draft does not eliminate or replace the NERC standards development role. The standards development process will continue to be performed by the ERO and industry unless there is a need for immediate action.
The discussion draft would only allow the Commission in very limited defined circumstances to directly, quickly and confidentially address cyber security vulnerabilities that threaten national security through the power grid.

______

Responses of William Tedeschi to Questions From Senator Bingaman

Question 1. Your testimony states that it may be possible to mitigate electromagnetic threats to the power grid through selective hardening. Could you describe some of the ways in which utilities could selectively harden their systems?

Answer. The utilities have available two primary opportunities for selectively hardening the power grid. (1) They can wait until new technologies or planned system upgrades are to be introduced to the grid, and then apply some form of EMP hardening requirements that can be incorporated in the acquisition process for those new/upgraded features to be procured and introduced to the grid. (2) The other major possibility is that they can choose to retroactively harden key elements of the current grid, by procuring electronics hardware with specifically designed hardening features incorporated into the hardware design. The former approach is recommended, as adding hardening after a system has been fielded is typically more expensive. However, if a particular grid element or node is critically important and susceptible to EMP threats, then one may wish to retroactively add hardening to the existing design and make it more robust to EMP threats. There are specific hardening approaches that can be selectively employed at the hardware, box, and device levels. The principle that applies is to define, anticipate, and plan to harden against select EMP threat environments.
For high-frequency EMP threats, such as unintentional electromagnetic interference or malevolent microwave devices, in the many megahertz to gigahertz frequency range, one can require that new electronics have existing electromagnetic compatibility and interference (EMC/EMI) standards incorporated into their design. Such standards are published by both national and international organizations, based on subject matter expert inputs and endorsed by industry, governments, and academia. Hardening features can include the following: properly shielded and grounded enclosures; fast-acting over-current shunts or blocks at points of entry; spark gaps and other over-voltage protection; better internal design robustness against over-current and over-voltage conditions, and direct-current or slowly varying offsets (such as better design features inside high-voltage transformers); and electronic filters that are highly selective in the frequencies of electronic transmissions around and into critical grid elements or nodes with operating electronics inside. Hardening can also include creating a more-robust control system for real-time and near-real-time monitoring and adjusting the actual operation of power flow into, over, and out of the grid, to effectively sense, understand, and respond to a greater range of off-normal conditions during grid operation. Many of these same hardening approaches, and other related techniques not mentioned, can also be considered for the low- and medium-frequency EMP threats, in the many hertz to megahertz frequency range. The type of hardening one might consider employing, and at what point in the grid's life cycle, should be based on a good understanding of the EMP threat spectrum, what hardware, device, or electronics box is susceptible to EMP attack, and the identified trade-offs in cost, benefit, and risk reduction for the various types of possible hardening approaches.

Question 2.
Your testimony states that more work is required before fully informed decisions can be made about where and to what extent the grid should be hardened solely against nuclear electromagnetic pulse threats. What kind of information would additional work on electromagnetic pulse threats seek to produce? How long would you estimate that this study may take?

Answer. The additional information we recommend to be generated is to determine an appropriate set of EMP threat scenarios that could adversely affect the power grid, determine if and how the grid is susceptible/vulnerable to the established EMP threats, and identify appropriate threat mitigation and hardening strategies. This set of work (see next paragraph for details) is estimated to require from 2 to 3 years to accomplish, depending on the number of EMP threat classes selected and the amount of technical resolution in the results required to reduce existing uncertainties to an acceptable level and provide a level of risk-based confidence in the current and projected resilience of the power grid. The full spectrum of possible nuclear high-altitude EMP threats should be examined and characterized, beyond what has been considered to date, namely, only the postulated worst-case nuclear EMP threats. The resulting over-current and over-voltage insults to the grid will be of lesser magnitude and total energy content than the worst-case assumptions that have been made to date, but the worst-case system response may not always be driven by the largest magnitude EMP conditions. The spectrum of possible conventional EMP threats, both malevolent and unintentional, should also be examined and characterized. In particular, what are the technical characteristics of all the postulated EMP threats in terms of their waveforms, frequency content, and electric field strengths?
These EMP threat waveforms, along with those postulated from solar-induced geomagnetic storms, should be peer reviewed and validated by a panel of knowledgeable subject matter experts. Next, these EMP threat waveforms can be projected onto selected key elements of the U.S. power grid, and the induced over-current/over-voltage insult estimated by using a combination of computer-based modeling and simulation, along with experimental testing. Threatened key elements of the grid, given a particular EMP threat scenario, can be identified from our knowledge of the grid's network topology and unique design features. Once the electrical insults for the key grid elements are determined, one would ascertain if the element is susceptible to upset or burnout, or other possible adverse effects. Thresholds for upset and burnout would be determined through a combination of computational and experimental modeling and simulation, and by using a somewhat different set of tools and subject matter experts. Given a projected set of upset and/or burnout conditions, one would finally estimate the net cumulative effect (or consequence) on the power grid given the particular EMP threat waveform that was projected against a particular set of grid elements. Once the complete set of risks to the power grid is characterized and better understood--given the full spectrum of possible EMP threats and resultant possible damage responses and ultimately consequences to the grid's continued operability--one can make more informed decisions on whether, where, and to what extent to harden the grid against certain classes of EMP threats. All the work results should be peer reviewed and validated by appropriate subject matter experts, and relevant work conducted in the past should be utilized to the maximum extent possible.

Responses of William Tedeschi to Questions From Senator Murkowski

Question 1.
Your testimony notes that more study is needed to characterize and simulate the susceptibility of the power grid to EMP attacks, and that existing EMP reports should not be the basis for any short-term national decisions. Is it premature to develop hardening standards to mitigate an EMP attack?

Answer. Yes, today it is premature to develop hardening standards for the power grid against EMP threats, both malevolent and non-malevolent (i.e., unintentional and naturally occurring geomagnetic threats). The spectrum of possible EMP threats has not been defined and characterized, and neither has the susceptibility of key grid elements to EMP-induced over-current/over-voltage insults, along with the possible resultant damage and consequences to the continued reliable operation of the grid. For example, the 2010 FERC-sponsored study on EMP threats to the power grid suggests that over 300 high-voltage (HV) transformers would be at risk for damage or failure by a 1-in-100 year geomagnetic storm. This damage estimate appears to have been based primarily on one data point, an estimated 90-amp over-current insult to an HV transformer that failed at the Salem Nuclear Plant during the 1989 geomagnetic storm. Applying that particular over-current damage threshold, based on little analysis and no experimental testing, to all HV transformers in a large-area geomagnetic storm results in great uncertainty about the total number of at-risk HV transformers. We assess that this is a worst-case approach to predicting when HV transformers could fail due to over-current insults. The Salem Nuclear Plant HV transformer could have failed for a number of reasons.
We recommend that the specific reasons for that failure, as well as consideration of the suite of other possible failure thresholds and conditions, should be better understood so that, ultimately, more-balanced damage criteria can be established, which will result in a better estimate of the potential damage and consequences to the grid, not only from geomagnetic EMP threats, but also from other EMP threats. We recommend more analysis, experimentation, and assessment be performed to determine how and why HV transformers can fail, along with other key elements of the grid. There simply is not enough data and understanding at this time on how and why key power grid elements can fail to the spectrum of possible EMP threats. Once the additional data and understanding are derived, a defensible technical basis exists for developing and implementing a national hardening strategy.

Question 2. Do parts of the power grid, and particularly transformers, based on age and design, react differently to an EMP attack? Do we need to treat all of them in the same manner?

Answer. Yes, every element in the power grid when exposed to EMP attack will react differently to the over-current/over-voltage insult caused by the EMP attack. How each grid element will react depends on a number of factors: the element's design, as-manufactured configuration, current configuration if it has been changed or modified, age and location within the grid topology; installation details; how the EMP threat irradiates and couples electrical energy into the exposed element; how that electrical energy insult flows within the element and deposits its energy along the way; and the strength of the element to withstand the flowing and deposited electrical energy. The full range of possible outcomes of the exposed grid element to the EMP attack include temporary damage or upset, permanent damage, and possibly even no damage or adverse effect.
One must also factor in the interplay of how one element's response to the EMP attack will affect the operation of other elements that are connected to it. As far as treating each element in the same manner, one must demonstrate a sufficient understanding of the differences between each element of the grid, and how they will respond to the EMP insult both in their own unique way and synergistically together, if one is to have confidence in estimates of how an EMP attack might affect the grid. EMP effects researchers use analysis, modeling, and experimental testing to conduct detailed characterizations of the design and key operational functioning aspects of all the elements making up a network and of how the element (and ultimately the grid) will react to the deposited electrical energy from the EMP attack. Even within a population of similar grid elements, for example 300 HV transformers, there are enough differences in the design and constituent materials that go into the element and how the element was manufactured that the element's response to the EMP insult can vary by more than an order of magnitude, and sometimes the failure distribution follows well-established statistical distributions; at other times, it does not. The result is that for the same EMP attack, anywhere from a small fraction (or none) to a large percentage of the element's population can be adversely affected. The predicted damage depends very heavily on when and how the transformer (or element) might fail, and more than one data point and significant analysis and modeling are required to get a level of confidence in the expected damage prediction. It is this analytical and experimental modeling and simulation phase of characterizing the grid element and interconnected network that takes a while and a certain amount of resources to establish a level of understanding and confidence in the result. 
In the absence of data and understanding, and given limited time and resources, researchers typically employ a worst-case approach that unfortunately can lead to a higher cost impact and dire predictions that are not technically defensible, and should not be the basis for important national decisions of this type.

Question 3. You mentioned that the U.S. electric power grid contains some level of inherent hardness against an EMP impact, and that the grid is already somewhat hardened against the E2 and E3 components (similar to lightning strikes (E2) and solar-induced geomagnetic storms (E3)). However, since the E1 frequency strikes first, how vulnerable is the grid to the E2 and E3 impacts if it has been disabled by the E1 component? Should our focus be on the E1 frequency? Or should it be on the E3 component since you believe a solar-induced geomagnetic storm is more likely than a nuclear-induced EMP attack?

Answer. Yes, for nuclear-detonation-generated EMP, the early-time E1 component, if strong enough, could do damage first to some grid elements or control systems, potentially resulting in the later-in-time E2 and E3 components doing additional damage to the grid. In other cases, the E1 component may not be strong enough to do any damage, but the E2 and E3 components will insult the grid, potentially doing damage. Again, details of the nuclear detonation will affect the extent and strength of the EMP effects and are relevant to whether damage might occur. In some nuclear scenarios, none of the E1, E2, and E3 components would be expected to do damage on the power grid. In general, the E3-like component that results from geomagnetic storms occurs naturally and with an established periodicity. It is just a question of when the storm will occur, how strong it may be, and how long the created electromagnetic field strengths would last, and then whether the power grid is susceptible to them and what might be the possible damage effects.
The nuclear E1, E2, and E3 components are human-made, and are assessed to be of low likelihood of occurrence, as compared with geomagnetic storms and some of the electromagnetic interference threats. We should also consider human-made malevolent EMP-generating devices, which can be used to exacerbate a particular frequency range, or multiple ranges. You are exactly right: The combination of imposed reduction of capability from one frequency range and imposition of a different frequency range is another topical area that should be included in studies of system response.

Question 4. What different types of protection are needed and available for the various types of potential EMP attacks or geomagnetic disturbances?

Answer. As noted above in the answer to Senator Bingaman's first question, there are many hardening approaches, both passive and active, that could be considered and applied to the power grid that would add an elevated level of resilience against EMP threats. Once the EMP threats have been sufficiently characterized and an assessment made with at least a moderate level of confidence of the grid's susceptibility and resultant damage to such threats, then cost-effective risk-based decisions can be made regarding a national hardening strategy and specific hardening measures to employ. Our recommended approach is to characterize the full spectrum of EMP threats, both intentional (nuclear and non-nuclear) and unintentional (electromagnetic interference), human-made and naturally occurring (geomagnetic). Next, we should more fully characterize the grid's susceptibility to potential damage by those classes of EMP threats (through analytical and experimental modeling and simulation), and identify possible techniques to harden against the identified threats.
At a minimum, we should ensure that we are hard against unintentional human-made interference (which is a threat now) and have an acceptable level of resilience against geomagnetic EMP threats (which is a work in progress). Next, we should establish how resilient or susceptible/vulnerable the grid is to the human-made EMP threats, and then finally make risk-based national and/or industry-level decisions on whether and to what extent to harden certain elements of the power grid against the broader set of EMP threats. That said, risk-based analysis and assessment approaches should continue to be applied looking for key grid elements and nodes that might be vulnerable to specific EMP threats and which might need to be hardened sooner rather than later.

Question 5. Are smart grid technologies that are currently being distributed across the country and placed into service required to have hardened features to protect against EMP attacks?

Answer. Our understanding is that smart grid technologies that are currently being considered and possibly distributed across the country and placed into service are not required to have hardening features to protect against EMP attacks. The smart grid technologies at a minimum should have a level of hardening against lightning and unintentional electromagnetic interference (EMI) based on some combination of national and international EMI and electromagnetic compatibility (EMC) standards. If EMI and EMC standards are being considered and included in new smart-grid technologies, then they will have some level of resilience against E1-type EMP effects. How much resilience there is or might be can be determined through a combination of analytical and experimental modeling and simulation.
Because possible smart-grid technologies are still under development, are generally small, and likely will be mass-produced and therefore lower in per-unit cost than, for example, HV transformers, there is an excellent opportunity here to consider and possibly include some form of cost-effective EMP hardening features to protect against E1- and E2-like EMP threats.

______

Responses of Patricia Hoffman to Questions From Senator Bingaman

Question 1. Last year, Secretary Chu announced funding for the National Electric Sector Cyber Security Organization. What is the role of this organization vis-a-vis North American Electric Reliability Corporation (NERC), NERC's standards development process, and the Federal Energy Regulatory Commission?

Answer. The Energy and Water Development Appropriations and Related Agencies Appropriations Act, 2010 (P.L. 11-85) directed that ``...the Secretary shall establish an independent national energy sector cyber security organization...'' In response, the Department of Energy issued a Funding Opportunity Announcement on March 31, 2010. Two organizations received awards: EnergySec was selected to form the National Electric Sector Cybersecurity Organization (NESCO). The Electric Power Research Institute (EPRI) was selected as a research and analysis resource to this organization, and is referred to as the National Electric Sector Cybersecurity Organization Resource (NESCOR).
The purpose of the award was to ``establish a National Electric Sector Cyber Security Organization that has the knowledge, capabilities, and experience to protect the electric grid and enhance integration of smart grid technologies that are adequately protected against cyber attacks.'' In addition, the organization ``will serve as a focal point to bring together domestic and international experts, developers, and users who will assess and test the security of novel technology, architectures, and applications.'' When fully operational, NESCO/NESCOR will provide early warnings to, and share best practices with, all parts of the sector (generation, transmission, distribution), not just the bulk power system. NESCO/NESCOR will provide comments to the North American Electric Reliability Organization (NERC) standards development process as appropriate and share compliance information in the sector, but does not enforce or regulate the standards. NERC's mission is to ensure the reliability of the North American bulk power system. NERC is the electric reliability organization (ERO) certified by the Federal Energy Regulatory Commission (FERC) to establish and enforce reliability standards for the bulk-power system. NERC develops and enforces (following approval by FERC) reliability standards, including cyber security standards; monitors the bulk power system; and educates, trains and certifies industry personnel. NERC is an authoritative body and can mandate actions by the registered entities. NESCO/NESCOR is a voluntary body that can provide guidance.

Question 2. In February, the Department of Energy launched an open collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation to ``develop a cyber security risk management process guideline for the electric sector.'' Could you describe the objectives of this collaboration and how its work will filter into the NERC standards development and approval processes?
Answer. DOE, in coordination with the National Institute for Standards and Technology (NIST) and NERC, is leading a public and private sector collaboration to develop a risk management process guideline to provide a consistent, repeatable, and adaptable process for the electric sector, and enable organizations to proactively manage cyber security risk. The objective of this collaboration is to build upon existing guidance and requirements to develop a flexible risk management process tuned to the diverse missions, equipment, and business needs of the electric sector for application throughout the sector, and to bridge the divide between security for industrial control systems and information technology. The risk management process guideline is currently in the drafting stage. Representatives from the NERC standards development team are participating in drafting of the risk management guideline. As this effort gets further along we will better be able to assess how it may factor into the NERC standards development and approval processes.

Question 3. Your testimony states that the Department of Energy and the Department of Defense have signed a memorandum of understanding that is intended to enhance national energy security. The Discussion Draft directs the Secretary of Defense to prepare a plan to protect power supplies to national defense facilities. How will this memorandum help the Secretary of Defense in creating this plan?

Answer. The Department of Energy and the Department of Defense (DOD) energy security Memorandum of Understanding (MOU) provides for collaboration between the two agencies on energy security research and development, and energy assurance. This may include projects on power electronics, microgrids, cyber security, electromagnetic pulse, smart grid, and storage, which will benefit from DOE's energy related expertise. An Executive Committee has been formed to oversee all activities, including energy security.
The Executive Committee is chaired by me, as the Assistant Secretary for Electricity Delivery and Energy Reliability, DOD's Assistant Secretary of Defense for Operational Energy Plans and Programs, and DOD's Deputy Under Secretary of Defense for Installations and Environment. The remainder of the Executive Committee is comprised of key energy decision makers from both departments. While this MOU is not focused on cyber security for the grid, it provides a structure to collaborate on a comprehensive proactive approach that reduces the impact of power loss to defense critical assets, considering both mitigation and response measures to ensure vital defense capabilities are not disrupted.

Question 4. Do you think each state has adequate cyber expertise to protect distribution-level systems and assets that are so vital that their loss would have a debilitating impact on national security, national economic security, or national public health or safety?

Answer. Local distribution companies, and the Public Utility Commissions (PUCs) that regulate them, are the entities at the State level that are responsible for reliable electric service within states, including protection from service disruptions caused by cyber attacks. It is DOE's understanding that the utilities and PUCs understand, and are addressing, cyber security concerns. States, similar to the Federal government and the private sector, are challenged by the increasing sophistication of the threat to maintain a level of cyber security expertise adequate to manage cyber security risks. State and local governments are very concerned about the impacts of cyber attacks and are taking steps to address such risks. The Department also recognizes the need to mature and increase the level of cyber security expertise within the states and the electric sector.
The Department's Office of Electric Delivery and Energy Reliability (OE) works closely with organizations, such as the National Association of Regulatory Utility Commissioners (NARUC), the National Association of State Energy Officials, the National Conference of State Legislatures, the National Governors Association, and Public Technology Institute, that are helping State and local agencies to address cyber security issues. These organizations have worked with OE to develop technical briefs, education forums, workshops, and exercises on cyber security and other concerns related to grid modernization. OE has been working with these organizations to support and sponsor activities such as the NARUC security boot camp provided for PUCs and their staff at the 2011 NARUC winter meeting, and providing technical assistance to PUCs related to cyber security for the smart grid. Through the American Recovery and Reinvestment Act, OE provided funds to forty-eight states and territories plus forty-three cities to prepare energy assurance plans to better respond to energy emergencies, including addressing cyber security. States have recently completed draft emergency assurance plans, all of which address cyber security. Recovery Act funds are also assisting state public utility commissions directly, providing funds to hire new staff and retrain existing employees to ensure they have the capacity to quickly and effectively review proposed electricity projects, including the cyber security aspects of those projects.

Responses of Patricia Hoffman to Questions From Senator Murkowski

Question 1. Currently, how do DOE and FERC work together to assess threats and vulnerabilities? Have there been any problems with this working relationship? How do the two agencies coordinate with the government's intelligence agencies?

Answer.
DOE and the Federal Energy Regulatory Commission (FERC) coordinate on an ongoing basis depending upon the specific nature of the critical infrastructure protection activity. Most recently, DOE, FERC, and the Department of Homeland Security (DHS) sponsored a set of reports\1\ which provided a technical threat assessment of geomagnetic disturbances and electromagnetic pulse, providing a more comprehensive understanding of the issues. FERC is also participating in the effort led by DOE, along with the National Institute of Standards and Technology (NIST), DHS, and the North American Electric Reliability Corporation (NERC), to develop a risk management process for the electricity sector specifically aimed at providing the sector with a common and repeatable cyber security risk management process.

\1\ Prepared by Metatech Corporation under the direction of Oak Ridge National Laboratory. Available at http://www.ornl.gov/sci/ees/etsd/pes/ferc_emp_gic.shtml

Threats to the electricity sector are an operational issue and thus should principally be handled by DOE as the Sector Specific Agency (SSA) under Homeland Security Presidential Directive 7 and the National Infrastructure Protection Plan (NIPP). Effectively responding to potential threats to the sector requires an operationally-oriented organization with established coordination mechanisms with DHS and the intelligence community to properly assess and respond to a threat. DOE is able to draw from a variety of resources, including its Office of Intelligence and the resources of the National Laboratories, to effectively assess and respond to emerging threats to the sector. This is all done in close coordination and collaboration with DHS, FERC, and other Federal partners under the National Cyber Incident Response Plan and, most importantly, in coordination with the electricity sector.
To be effective in its roles as the SSA, DOE depends upon and constantly works to build and strengthen its relationships with utilities and the broader electricity sector stakeholder community. DOE fosters collaboration and voluntary initiatives to further its goal of a reliable and resilient power grid. Given FERC's role as an independent regulator, DOE has found that discussions with industry can sometimes be more open and frank if FERC is not present. This is consistent with the philosophy of the NIPP which sought to facilitate open and candid conversations on infrastructure security issues under the public-private partnership.

Question 2. The Energy Committee's discussion draft is an electricity-sector only cyber piece. Does the Department prefer a comprehensive, government-wide approach to cyber security issues?

Answer. Yes, recognizing the interdependencies between different sectors it is important to have a comprehensive, government-wide approach to cyber security. The Administration has proposed comprehensive cyber security legislation (http://www.whitehouse.gov/omb/legislative_letters).

Question 3. Recently, Howard Schmidt, the White House cyber security coordinator, made headlines when he said that the risks of cyber attacks are often overblown and that cyber attacks are the ``risk of doing business.'' In light of these statements, does the Administration believe additional Federal authority is needed in the cyber security arena?

Answer. We often associate high profile events with the term ``cyber attack,'' but the reality is our networks face a spectrum of risks, many of which are less spectacular yet more pervasive. Our federal networks, as well as many of those that support our critical infrastructure, are probed thousands of times per day. Managing and responding to these risks has become a core element of how we as a nation do business, and an important aspect of ensuring the reliability of the grid.
Cyber security standards can provide an effective baseline to address known vulnerabilities. Managing the risk from unknown vulnerabilities and dynamic threats is best addressed by timely sharing of relevant and actionable threat information, the use of risk management, and effective incident management and response. The electricity sector must have the ability to assess, respond, and mitigate the impacts of an event in a timely manner.

Question 4. I understand that DOE is working on the need for domestic manufacturing of transformers. Please elaborate on the problem and what is being done on this issue.

Answer. The U.S. is heavily dependent on imports for large transformers above 345kV. In addition, limited manufacturing capacity results in long lead times for delivery of high voltage transformers, often over 12 months. This situation is of concern to the Department. Import dependency is of concern to the utility industry, as well as DHS/FEMA and DOD. DOE has held discussions with several transformer manufacturers, including ABB, Efacec, Waukesha and Areva, and additional discussions are planned. The DOE-North American Electric Reliability Corporation (NERC) workshop report on High-Impact, Low-Frequency Event Risk to the North American Bulk Power System (June 2009) identified this as an important concern. Large transformer concerns were also identified in both the 2007 and 2010 Energy Sector Specific Plans. Even with the successful start-up of new manufacturing facilities, only a small portion of U.S. utility annual demand is likely to be met. Additionally, a significant national level disaster impacting a large number of transformers would certainly exceed domestic manufacturing capability and would likely require the global market to significantly ramp up production to meet the demand. In 2009 a new plant was opened in Georgia by Efacec and two other companies (Mitsubishi and Hyundai) have announced new plants to be built in the U.S.
A domestic manufacturer, Waukesha Electric Systems, has begun to expand its production capacity to 500kV and 765kV units in its Waukesha, Wisconsin facility. DOE has also partnered with the Department of Homeland Security to develop and test a lighter weight and more transportable, temporary transformer that could be used in emergencies.

Question 5. What is the Administration's position on the bifurcation of federal authority set forth in the discussion draft? Do you believe FERC needs additional authority to address vulnerabilities or is the existing Section 215 stakeholder process adequate?

Answer. The Administration does not have a position on this particular discussion draft, but has proposed comprehensive cyber security legislation (http://www.whitehouse.gov/omb/legislative_letters). With respect to emergency authority, when the Department of Energy and FERC were established by the Department of Energy Organization Act, the Secretary was given the authority to issue orders during an emergency for the interconnection of facilities, generation, delivery, interchange, or transmission of electric energy. FERC was given Federal Power Act (FPA) authority to establish, review and enforce rates and charges for the transmission and sale of electricity. DOE believes that these divisions of FPA authority properly place the regulatory rate making responsibilities of the FPA with FERC, and the authority to make national emergency determinations with DOE. We believe that emergency authority is appropriately placed with the head of a cabinet department who is fully accountable to the President. DOE and DHS have the capability to develop or obtain knowledge with respect to threats or vulnerabilities that might give rise to the need for an emergency order.

Question 6. Do you agree with Mr.
Tedeschi from Sandia National Laboratory that the susceptibility of the power grid to EMP attacks is not well characterized and should be further addressed with computer-based simulations and experimental testing?

Answer. Yes, we absolutely agree with the concerns raised in Dr. Tedeschi's testimony. As he noted, ``Assumptions about age, design, and failure thresholds of transformers introduce additional uncertainty and are based on limited samplings of transformers of a particular type and from a clear source. All assumptions point to large uncertainties in the output results and interpretations from the model; therefore, statements on the number of 'at-risk' transformers and the severity of the regional damage should be viewed as illustrative only.'' Computer-based simulations are needed to support electric utility adoption of technological approaches to reduce the threat of electromagnetic pulse (EMP) attacks and solar storms. These will assist utilities to develop an understanding of the potential impact of EMP on the power grid and its components. Utilities run computer simulations to help optimize power production and transmission and to avoid failures. Ultimately, technological solutions will require research and development and careful testing and evaluation to ensure their effectiveness.

Responses of Patricia Hoffman to Questions From Senator Udall

Question 1. Has the Aurora vulnerability been effectively mitigated, and how is this verified? What is the factual basis for your answer?

Answer. The Aurora vulnerability has been effectively studied and analyzed. The fundamental principles behind the Aurora vulnerability are well understood by experienced and practicing utility engineers and operators. Assessment of the effectiveness of the mitigations is currently underway.
In early 2011, the ES-ISAC issued an Essential Action Advisory to all NERC registered entities to provide the additional technical details that described the nature of the vulnerability and assess the current status of mitigating actions implemented by registered entities through this action. NERC will also use the information to determine what additional actions may need to be taken. The Department anticipates the Aurora vulnerability will be addressed by NERC entities and verified.

In 2007, DHS, DOE, other Federal agencies, and NERC's Electric Sector Information Sharing and Analysis Center (ES-ISAC) became aware of the Aurora vulnerability which, if exploited by an attack, could cause significant physical damage. The ES-ISAC issued an advisory to describe the mitigation measures that electric sector owners and operators needed to implement to reduce the risks associated with the Aurora vulnerability. Unfortunately at that time, the supporting technical documents could not be released to the owners and operators due to the documents' classification level. The Department has supported NERC and the sector through the development of the 2011 Essential Action Advisory and its accompanying documents. The Department continues to support Department of Defense efforts to mitigate the Aurora vulnerability and protect its military installations.

Question 2. Are the current spare transformer resources, including the EEI STEP program, sufficient to mitigate the transformer loss scenario presented in the Oak Ridge National Laboratory report from a 1921-level solar storm (over 300 transformers)? What is the factual basis for your answer?

Answer. The EEI STEP program is focused on sharing of spare transformers to assist recovery from a terrorist attack. EEI reports that some 50 utilities representing approximately 70 percent of the electricity customers are participating in this program. The vast majority of smaller utilities including municipals and coops are not participating.
The adequacy of existing spares to address major transformer outages will depend on many factors including the geographic impact, the type of transformers, and the age and health of the transformers. But, it is clear that major transformer losses from a solar storm of historic magnitude would present an enormous challenge to the sector's ability to respond to and recover from such an event. The North American Electric Reliability Corporation (NERC) is addressing the spare transformer issue and has created a Spare Equipment Database Task Force, as well as a Task Force on Geomagnetic Disturbances. NERC will seek information from all of its member companies. Several transformer manufacturers including ABB and Siemens are participating on the NERC task forces as well.

There are limited modeling studies to provide a factual basis to estimate possible electricity grid impacts to a 1921 magnitude solar storm. Utilities in Canada, the United States and Europe have begun to take steps to reduce the potential impact of such large solar storms. The North American Electric Reliability Corporation has recently issued an alert to its members on steps that they may take to reduce potential impacts on their equipment and the grid. [See: http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf]. The alert was the result of a 2-day NERC workshop in April 2011 to discuss utility approaches to address the issue. DOE is working with electricity industry partners to increase attention and to encourage the use of best practices.

Question 3. How effective has the current standards development process been in protecting against cyber and other non-cyber threats and vulnerabilities to the grid? Is it possible to use this process supplemented with NERC's emergency standards process and the Alerts process to get the job done?

Answer. What is most important is that a structure exists to support an ``electric sector incident response plan'' to respond to events.
A combination of the NERC standards and Alerts process, timely and actionable information sharing, and emergency authority will provide a comprehensive approach to managing cyber security threats and vulnerabilities. Standards ensure a level of quality, compatibility, safety, and connectivity with other equipment and processes. Standards must be widely accepted and commonly trusted to be effective. They also provide the foundation for further innovation, or as in the case of security or safety, a minimum level of requirements. As a result, standards development is often a time-consuming process. Development of security standards relies on awareness and consensus of the threat environment. This is a challenge to the electric sector due to the dynamic nature and speed of cyber threats that necessitates access to timely and actionable threat information. This challenge makes it difficult to adequately assess impact to inform risk decisions on investment in cyber security improvements beyond what is needed for compliance.

Responses of Patricia Hoffman to Questions From Senator Portman

Question 1. It is my understanding that the discussion draft grants the Secretary of Energy the authority to require others to take actions if ``the Secretary determines that immediate action is necessary to protect critical electric infrastructure from a cyber security threat.'' The Secretary may then follow a procedure to make these requirements permanent. In your opinion, what sort of event would trigger such an action by the Secretary?

Answer.
The discussion draft grants the Secretary of Energy the authority to require others to take actions if ``the Secretary determines that immediate action is necessary to protect critical electric infrastructure from a cyber security threat.'' The type of event that would trigger such action by the Secretary would be an event that poses a significant risk to the operation of critical electric infrastructure, such as high altitude electromagnetic pulse, or a cyber attack. The determination of whether to use emergency authority would be based on analysis of the threat, evaluation of risk and consequences, and the potential for impact to the electric sector and potentially other sectors of the economy. Additionally, the use of emergency authority would be determined in consultation with other sector specific agencies that could be potentially impacted.

Question 2. Why would the Secretary make a requirement permanent?

Answer. It is DOE's understanding of the discussion draft that cyber security mitigation actions required by an emergency order would not be permanent, but limited to 90 days unless renewed. However, where appropriate these actions could be incorporated through the accelerated standards or NERC Alerts process.

Question 3. Multiple levels of protection on the electric system have significant, additional costs, and may not be the most cost-effective means of mitigating known vulnerabilities or combating known threats. How would you recommend that determinations be made about additional security requirements that are ordered to be put into place? Should there be a risk assessment required to determine cost-effectiveness?

Answer. Risk assessments should be used to determine cost effectiveness of security requirements. The NERC-CIP security requirements were developed through an industry-led collaborative effort that considered risk assessments and the cost-effectiveness of these requirements.
Additionally, the NIST ``Cyber Security Guidelines for the Smart Grid'' NISTIR 7628 provides guidance on defense-in-depth strategies and risk assessments. Federal (FERC) and State regulators should consider cost and assessment of risk, including impact, when determining additional security requirements.

Responses of Patricia Hoffman to Questions From Senator Shaheen

Question 1. As the witnesses have noted, the electrical grid is a very tempting target for cyber attacks in the United States. According to the U.S. Computer Emergency Readiness Team, cyber security incidents involving government computers have gone up by a factor of 10 in the past five years. Are electrical utilities and the grid seeing the same sort of rapid growth in the cyber security threat to their facilities?

Answer. In general, the utilities, like government agencies, face thousands of scans and probes every week. For example, during periods of heightened awareness, a large utility may have to analyze millions of log entries in a day to ensure that their defenses have not been breached. The spectrum of cyber security incidents ranges from reconnaissance-type scans and probes of corporate networks to an attack such as Stuxnet that reaches into more isolated control systems networks. The number of cyber security incidents is not necessarily an indication of intent or likelihood of a significant attack. The Department, DHS, NERC, and FERC all receive different levels of specificity in reporting on cyber incidents based upon their different responsibilities. In addition, larger utilities have security operations centers that monitor and track cyber incidents. For example, DOE funded an effort to develop a cyber security operations center for a major utility. This effort has been successful in bringing together trusted entities outside of the utility's region to share information about cyber incidents.
The lesson learned is that a large investment in time, resources, and relationship-building is necessary to develop enough trust to share the information. In addition to building trust, consistently defining cyber security incidents and sharing threat information between utilities is a challenge. Currently, there is no collective, consensus-based cyber threat assessment. DOE works with several entities to determine and assess the cyber security threats to the sector. Internal DOE resources provide expertise and information, including the Office of the Chief Information Officer, which provides cyber security expertise and threat information; the Office of Intelligence, which provides early warnings and indicators, and intelligence reports directly related to the energy sector; and the National Laboratories, which provide both cyber security expertise and threat information. DOE also partners with NESCO/NESCOR, DHS, NERC, the intelligence community, law enforcement, electric utilities, and cyber security consultants to determine and assess the threats, and share that information with the sector.

Question 2. Given that we haven't had a major disruption of electrical service due to a cyber attack, does this mean the current standards process is working?

Answer. Standards are effective in providing baseline levels of performance, but standards alone are not effective in facilitating or encouraging an adaptable and agile cyber security organization. They can also lock organizations into making cyber security decisions that may not be optimal for their system in order to comply with the prescriptive nature of a standard. The standards development process under section 215, because of its need to reflect multiple stakeholders with different cyber security issues and concerns, is an inherently slow process and thus will never be able to fully counter the threats posed to the sector.
In this dynamic threat environment, new threats emerge without warning utilizing new attack vectors. Thus, organizations must be vigilant and adaptable in monitoring their systems and implementing proper controls in response to current threats. A standard cannot achieve this outcome. A combination of NERC standards and Alerts process, timely and actionable information sharing, and DOE emergency authority would provide a more comprehensive approach to managing cyber security threats and vulnerabilities.

As we have seen from the Stuxnet malicious code, the capability and intent to launch targeted cyber attacks on critical infrastructure and other information technology exists. Public facing information systems are constantly under attack across all critical infrastructures. The absence of a successful attack on our Nation's electricity infrastructure may mean that electric power providers have been vigilant in protecting their systems, or it may be that adversaries have chosen not to attack at this time. Because of the dynamic nature of the threat environment and the variety of threat actors, it is challenging to know if and when an attack may occur on the grid. Thus, the electricity sector must be equipped to constantly adapt and defend their systems from this evolving threat.

DOE, in coordination with the National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), and NERC, is leading a public and private sector collaboration to develop a risk management process guideline to provide a consistent, repeatable, and adaptable process for the electric sector, and enable organizations to proactively manage cyber security risk. This guideline is an important step towards moving all organizations within the electricity sector towards a common risk management process. It incorporates risk assessments with ongoing monitoring, enabling organizations to quickly and effectively respond to cyber security threats and vulnerabilities.

Question 3.
In previous hearings on cyber security in this Committee, we've heard about the efforts being made to work with our neighbors in Canada to ensure consistency in practices and procedure across the bulk power system. This cross-border collaboration is important to me since my state, New Hampshire, shares a border with Canada. Do the effects of cyber attacks cross boundaries? Would a successful attack on the Canadian power system have an effect in New Hampshire?

Answer. Yes, the effects of a cyber attack can cross boundaries. Eastern Canada and the eastern United States are electrically interconnected and thus the operations of power companies north of the border directly impact the operations of US power companies. Even though the control systems of the power companies run independently using different hardware architectures and different software, what happens to the grid on one side of the border can potentially impact the other side of the border. Power systems are designed and have safeguards to limit the impacts of any disruption. As an example of how these grids are operationally interconnected, in February of 2008, portions of the power grid in southeastern Florida shut down due to a fault at a single substation. This event in Florida was ``felt'' in Canada by way of frequency deviations in Canada.

Question 4. Could you elaborate about existing cooperation with Canada on protecting against vulnerabilities in the electric system?

Answer. The Department of Energy is partnering on a Department of Homeland Security led initiative with private, State and other Federal agencies to conduct a Cross Border Regional Resiliency Assessment Program (RRAP) focused on energy and transportation for Maine and New Brunswick, Canada.
The RRAP is a cooperative, DHS-led assessment of specific critical infrastructure and regional analysis of the surrounding infrastructure to examine vulnerabilities, threats, and potential consequences from an all-hazards perspective to identify dependencies, interdependencies, cascading effects, resiliency characteristics, and gaps. The focus of this RRAP is on the critical regional and cross-border energy systems and assets, and their interdependencies, specifically with the Transportation Sector. International energy dependencies and impacts are being examined as well. The RRAP began in May 2011, with vulnerability assessments on Energy and Transportation assets scheduled to begin in July 2011. The final report is projected to be delivered in April 2012.

Power companies in the United States and in Canada are very active members of NERC and serve on the Critical Infrastructure Protection Committee. This committee is involved with many efforts to improve the reliability and security of the interconnected power grid through standards development, compliance enforcement, assessments of risk and preparedness. Canadian companies are active on several NERC task forces following up on the 2009 High Impact Low Frequency Event Risk to the North American Bulk Power System Workshop cosponsored by NERC and DOE.

Question 5. Are there procedures currently in place to share information about imminent threats across the border?

Answer. NERC currently disseminates critical information including threat information to power companies on both sides of the border. DHS and Public Safety Canada constantly monitor the threat landscape and provide NERC with threat information related to the electricity sector.