[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
SECURING THE MODERN ELECTRIC GRID FROM PHYSICAL AND CYBER ATTACKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON EMERGING
THREATS, CYBERSECURITY,
AND SCIENCE AND TECHNOLOGY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
JULY 21, 2009
__________
Serial No. 111-30
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
53-425 PDF WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop SSOP, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California Peter T. King, New York
Jane Harman, California Lamar Smith, Texas
Peter A. DeFazio, Oregon Mark E. Souder, Indiana
Eleanor Holmes Norton, District of Daniel E. Lungren, California
Columbia Mike Rogers, Alabama
Zoe Lofgren, California Michael T. McCaul, Texas
Sheila Jackson Lee, Texas Charles W. Dent, Pennsylvania
Henry Cuellar, Texas Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania Paul C. Broun, Georgia
Yvette D. Clarke, New York Candice S. Miller, Michigan
Laura Richardson, California Pete Olson, Texas
Ann Kirkpatrick, Arizona Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy
I. Lanier Avant, Staff Director
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
------
SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND
TECHNOLOGY
Yvette D. Clarke, New York, Chairwoman
Loretta Sanchez, California Daniel E. Lungren, California
Laura Richardson, California Paul C. Broun, Georgia
Ben Ray Lujan, New Mexico Steve Austria, Ohio
Mary Jo Kilroy, Ohio Peter T. King, New York (Ex
Bennie G. Thompson, Mississippi (Ex Officio)
Officio)
Jacob Olcott, Staff Director
Dr. Chris Beck, Senior Advisor for Science and Technology
Daniel Wilkins, Clerk
Coley O'Brien, Minority Subcommittee Lead
C O N T E N T S
----------
Page
Statements
The Honorable Yvette D. Clark, a Representative in Congress From
the State of New York, and Chairwoman, Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology............. 1
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Ranking Member, Subcommittee
on Emerging Threats, Cybersecurity, and Science and Technology. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security.............................................. 5
WITNESSES
Panel I
Dr. William R. Graham, Chairman, Commission to Assess the Threat
to the United States From Electromagnetic Pulse:
Oral Statement................................................. 8
Prepared Statement............................................. 9
Mr. Mark Fabro, President and Chief Security Scientist, Lofty
Perch:
Oral Statement................................................. 12
Prepared Statement............................................. 14
Mr. Michael J. Assante, Chief Security Officer, North American
Electric Reliability Corporation:
Oral Statement................................................. 20
Prepared Statement............................................. 23
Mr. Steven T. Naumann, Vice President, Wholesale Markets, Exelon
Corporation; Representing Edison Electric Institute and
Electric Power Supply Association:
Oral Statement................................................. 27
Prepared Statement............................................. 28
Panel II
Mr. Joseph H. McClelland, Director of Reliability, Federal Energy
Regulatory Commission:
Oral Statement................................................. 47
Prepared Statement............................................. 48
Ms. Patricia A. Hoffman, Acting Assistant Secretary, Office of
Electricity Delivery and Energy Reliability, Department of
Energy:
Oral Statement................................................. 54
Prepared Statement............................................. 56
Mr. Sean P. McGurk, Director, Control Systems Security Program,
National Cybersecurity Division, Office of Cybersecurity and
Communications, National Protection and Programs Directorate,
Department of Homeland Security:
Oral Statement................................................. 61
Prepared Statement............................................. 63
Ms. Cita M. Furlani, Director, Information Technology Laboratory,
National Institute of Standards and Technology:
Oral Statement................................................. 66
Prepared Statement............................................. 68
Appendix I
Submitted for the Record by Chairwoman Yvette D. Clarke:
Letter From Michael J. Assante, Chief Security Officer, North
American Electric Reliability Corporation.................... 85
Statement of the National Association of Regulatory Utility
Commissioners................................................ 86
Statement of William Radasky and John Kappenman................ 88
Statement of Emprimus LLC...................................... 95
Statement of the EMP Commission................................ 99
Statement of Applied Control Solutions, LLC.................... 101
Statement of Advanced Fusion Systems, LLC...................... 106
Statement of the Canadian Electricity Association.............. 108
Statement of Industrial Defender, Inc.......................... 114
Statement of Southern California Edison........................ 120
Appendix II
Questions Submitted by Chairwoman Yvette D. Clarke............... 127
SECURING THE MODERN ELECTRIC GRID FROM PHYSICAL AND CYBER ATTACKS
----------
Tuesday, July 21, 2009
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Emerging Threats, Cybersecurity, and
Science and Technology,
Washington, DC.
The committee met, pursuant to call, at 2:13 p.m., in Room
311, Cannon House Office Building, Hon. Yvette D. Clarke
[Chairwoman of the subcommittee] presiding.
Present: Representatives Clarke, Thompson, Richardson,
Lujan, Lungren, and Austria.
Also present: Representatives Harman, Lofgren, Langevin,
Jackson Lee, Pascrell, and Bartlett.
Ms. Clarke [presiding]. The subcommittee will come to
order.
The subcommittee is meeting today to receive testimony on
securing the modern electric grid from physical and cyber
attacks. We have been joined here today by many of my
distinguished colleagues, who don't sit on this subcommittee,
but who are an integral part of the deliberations that we do,
and I would like to acknowledge them and ask that they be given
unanimous consent to sit and participate in our hearing today.
Hearing no objection, so ordered.
I want to recognize some of our colleagues from other
committees who are participating in today's hearing, including
Mr. Bartlett. We would not have a robust road map for
addressing the EMP threat if it were not for his vision and
leadership and I thank him for that.
I also have my colleagues who serve on the full committee,
Zoe Lofgren, of California, Congresswoman Jackson Lee of Texas,
and Mr. Bill Pascrell of New Jersey. I thank you for attending
this very important hearing.
We expect to be joined by many other Members, and I would
like to just acknowledge them in absentia for right now; Mr.
Langevin, who is my predecessor as Chair of this committee. I
would like to congratulate him on his new Chairmanship and
thank him for his leadership on the electric grid security
issue.
I would also be expecting a colleague on the Subcommittee
for Intelligence to the Homeland Security Committee, Ms.
Harman, and thank her for her attendance today.
Unfortunately, a number of my colleagues and our friends
from the Energy and Commerce Committee are unable to attend and
participate in today's session due to their work on the health
care legislation. We have reached out to Mr. Waxman, Mr.
Markey, and Mr. Barrow to ask them to act with urgency on the
subject matter we will discuss today.
Our national health care delivery system, just like all of
our critical infrastructure systems, requires secure and
reliable electric system. That is what this committee has been
investigating for years, and what we will discuss today.
The electric grid is fundamental to our lives and our
country's existence. Without electricity, medicines expire,
banks shut down, food goes bad, sewage and water plants don't
function. Chaos ensues and our security is compromised.
We simply cannot afford to lose broad sections of our grid
for days, weeks, or months.
It is our very reliance on this infrastructure that makes
it an obvious target for attack. We know that many of our
adversaries, from terrorist groups to nation-states, have and
continue to develop capabilities that would allow them to
attack and destroy our grid, at a time of their choosing.
There are two significant threats that will be discussed at
today's hearing. One is the threat of a cyber attack.
Many nation-states, like Russia, China, North Korea, and
Iran, have offensive cyber attack capabilities, while terrorist
groups like Hezbollah and al Qaeda continue to work to develop
capabilities to attack and destroy critical infrastructure,
like the electric grid, through cyber means.
If you believe intelligence sources, our grid is already
compromised. An April 2009 article in the Wall Street Journal
cited intelligence forces who claim that ``the grid has already
been penetrated by cyber intruders from Russia and China, who
are positioned to activate malicious code that could destroy
portions of the grid at their command.''
The other significant threat to the grid is the threat of a
physical event; that could come in the form of a natural or
man-made electromagnetic pulse, known as EMP. The potentially
devastating affects of an EMP to the grid are well documented.
During the Cold War, the U.S. Government simulated the
effects of EMP on our infrastructure because of the threat of
nuclear weapons, which emit an EMP after detonation. Though we
may no longer fear a nuclear attack from Soviet Russia, rogue
adversaries including North Korea, and Iran, possess and test
high-altitude missiles that could potentially cause a
catastrophic pulse across the grid.
These are but two of the significant emerging threats we
face in the 21st Century. Our adversaries openly discuss using
these capabilities against the United States.
According to its cyber warfare doctrine, China's military
strategy is designed to achieve global electronic dominance by
2050, to include the capability to disrupt financial markets,
military and civilian communications capabilities, and the
electric grid prior to the initiation of a traditional military
operation.
Cyber and physical attacks against the grid could both be
catastrophic and incredibly destructive events. They are not
inevitable.
Protections can, and must, be in place ahead of time to
mitigate the impact of these attacks. My colleague on the
Homeland Security Committee, and I, have spent nearly 3 years
identifying and reviewing the security protections that are in
place to mitigate the affects of any intentional or
unintentional attack on the electric system.
Our goal is to determine whether appropriate protections
are in place that would mitigate catastrophic incidents on the
grid. Our review has required extension discussions and
assessment with the private sector, which owns, operates and
secures the grid.
The private sector develops its own security standards, the
private sector also oversees compliance with these standards.
In short, the private sector has the responsibility for
securing the grid from electromagnetic events and cyber
attacks.
In the course of our review, we have questioned hundreds of
experts, and reviewed thousands of pages of research and
analysis. Many have submitted statements for the record today.
They have all reached one conclusion. The electric industry has
failed to appropriately protect against the threats we face, in
the 21st century.
In the past, this committee has been deeply critical of the
standards that the industry has written. They are, in the words
of GAO and NIST and other independent analysts, inadequate for
protecting critical national infrastructure.
The committee has suggested that the industry adopt missed
standards for control systems, if it hopes to achieve greater
security. My understanding is that the industry has not
embraced this suggestion.
The committee has also been critical of the industry's
effort to timely mitigate the Aurora vulnerability. What should
have been an urgent action issue has taken some utilities years
to fix. Many have not even hardened their assets at all.
This is especially troubling given the catastrophic damage
that could be caused by an Aurora-style attack. Today, there is
a new problem.
Many in the industry are apparently trying to avoid
compliance with their own inadequate standards. I am deeply
concerned about this irresponsible behavior.
A letter dated April 7, 2009, which is attached for the
record, sent to the industry by the NERC chief security
officer, Mike Assante, suggests that industry is choosing not
to identify critical assets in order to avoid securing them.*
---------------------------------------------------------------------------
* The information referred to is included in Appendix I.
---------------------------------------------------------------------------
According to Mr. Assante, only 29 percent of generation
owners and generation operators reported identifying at least
one critical asset. Sixty-three percent of transmission owners
identified at least one critical asset.
This effort seems to epitomize the head-in-the-sand
mentality that seems to permeate broad sections of the electric
industry. The committee will be following up with NERC to learn
which utilities have not appropriately identified assets, and
seek to make this information public.
It is amazing that many within the industry would rather
gamble with our national and economic security, than implement
precautionary security measures. What is even more amazing is
that utilities have chosen to take this posture, even though
they can be reimbursed for these security expenditures in their
rate cases.
I am at a loss as to why the industry isn't apparently
securing its assets. But clearly, the time has come for change.
I am pleased to join Chairman Thompson and Ranking Member
King and my other colleagues in co-sponsoring H.R. 2195. Given
the industry's lackluster approach toward securing its own
assets, I believe this measure will provide the Federal Energy
Regulatory Commission with the appropriate authorities to
ensure that our grid is secure and resilient against the
threats we face in the 21st Century.
This subcommittee will continue to perform rigorous
oversight until we are satisfied that progress is being made.
I now recognize my colleague, the gentleman from
California, Ranking Member, Mr. Lungren, for his opening
statement.
Mr. Lungren. Thank you very much, Madame Chairwoman, I
commend you for holding this hearing on the security of our
Nation's electric grid.
As you know, I share your concern about the continuing
vulnerability of our electric grid, which many consider the
most critical piece of our Nation's infrastructure.
As everyone knows, without electricity our banking,
commerce, transportation, health and medical services would be
unavailable or severely limited. Indeed, our economy and the
public welfare have become severely dependent on electricity.
Consequently, securing this grid is a critical national
economic priority that Congress must, and I am sure we will,
address with urgency.
In recent decades, the push towards making our society more
reliant on electric power has also made us more vulnerable.
Because of expanding digital and computerized connections, our
electric grid is now, more than ever, vulnerable to cyber and
physical attacks. These attacks could disable wide segments of
the grid for weeks, months, possibly years.
The effective functioning of the electric grid is highly
dependent on today's control systems, which are computer-based,
and used to monitor and control sensitive processes and
physical functions.
You know, once largely proprietary, closed systems, control
systems are now increasingly connected to open networks such as
corporate intranets and the internet. The expansion of control
systems, including supervisory control and data acquisition,
SCADA systems, and the ability to monitor them via the
internet, has increased the vulnerability of our Nation's
critical infrastructure to cyber attack.
As was mentioned, U.S. adversaries, whether they are
nation-states or rogue nations, can strike crippling blows to
our Nation's infrastructure from remote locations around the
world.
I think these nation-states that have the offensive cyber
attack capabilities understand that it is far cheaper, and
oftentimes unattributable, to attack and destroy U.S. critical
infrastructure through cyberspace rather than risk any type of
conventional warfare.
The other significant threat to our grid, is as mentioned
by the Chair, that of EMP. My colleague from Maryland, who has
done as much work on this as anybody as I know in the House,
and it is a concept that, unfortunately, I am afraid most
Members are not fully aware of.
It is because of rogue nations, and their ability now to
command certain missile delivery systems, it seems to me that
this is a far more urgent matter than it was just a number of
years ago.
While we understood the importance of this vulnerability
during the Cold War, I am not sure we have visited this subject
with the intensity and the urgency that is necessary. So I do
appreciate what we are doing in this hearing.
Because of these increased cyber and EMP threats to our
electric grid and the Federal Energy Regulatory Commission's
lack of authority to address them in an expeditious manner, I
join Chairwoman Clarke and the Chair of the full committee and
the Ranking Member of the full committee in co-sponsoring H.R.
2195.
I believe our legislation will provide FERC with emergency
authority to create mandatory physical and cybersecurity
standards to protect the electric power system.
I would just like to say, we are all in this together,
whether we are in the private sector or the public sector. We
have got a lot of catching up to do.
I would hope that we would try and strive for solutions.
Not necessarily be overly critical of all the participants in
this. It is just my reflection that we have, in some ways, come
to this late, both as a Congress, as an Executive branch, as
the private sector as well. We need to work together as quickly
as we can to protect this system.
It is a lifeline to so much of our economic life, and
actually, life period, in this country. The vulnerabilities
have to be recognized up front. We can't be embarrassed about
them. We have to work with one another to try and solve this
very urgent problem.
That is why I am very pleased that we have this hearing
today. I think we have a good line-up of witnesses that can
give us various perspectives and help us move in the direction
that I hope we can move in on a bipartisan basis with some
urgency.
So, I thank the Chairwoman.
Ms. Clarke. I thank you.
I now recognize prime sponsor of H.R. 2195, Chairman of the
full committee, the gentleman from Mississippi, Mr. Thompson.
Mr. Thompson. Thank you very much, Chairwoman Clarke. Thank
you for holding this critical hearing today.
Like you, I am determined to prevent any attack on the
United States homeland. A multitude of failures contributed to
our inability to prevent the attacks on New York City, and
Washington, DC on September 11.
Mindful of our previous mistakes, let's review the set of
facts before us in today's testimony.
We have significant vulnerabilities in the grids'
electrical infrastructure. The infrastructure is only getting
more vulnerable with Smart Grid technology. There is a massive
computer espionage campaign being launched against the United
States by our adversaries.
Intelligence suggests that countries seek, or have
developed, weapons capable of destroying our grid. A
congressional commission says that our grid, and the critical
infrastructure that relies on the grid, is not adequately
protected.
Our military installations are vulnerable because they rely
on an insecure electric grid. The private sector is in charge
of writing its own security standards, but experts have judged
the standards to be ineffective in securing the infrastructure.
Many utilities are avoiding compliance with these standards.
I ask my colleagues here today, and those who could not
join us, what more do we need to hear from, before we act? We
are more motivated, than we need to. The warning signs are
flashing red.
Now is the time to act to secure the electric grid, not
after a major incident has occurred. This committee has a
bipartisan, bicameral legislative solution to secure the
electric grid. Our bill is comprehensive in its scope, because
the grid is only as strong as its weakest link.
We believe that all elements of the grid, from generation
to transmission, to distribution, to metering infrastructure,
should be included. Our bill covers physical attacks like
electromagnetic pulse, as well as cyber attacks. The Critical
Electric Infrastructure Protection Act will do four things to
improve our defensive posture.
No. 1, it requires FERC to establish interim measures
deemed necessary to protect against physical and cyber threats
to critical electronic electric infrastructure. This will
improve existing mandatory standards.
No. 2, it provides FERC with the authorities necessary to
issue emergency orders to owners and operators of electric grid
after receiving a finding from DHD about a credible or imminent
cyber attack.
No. 3, it requires DHS to perform on-going cybersecurity,
vulnerability and threat assessment, to critical electric
infrastructure and provide mitigation recommendations to
eliminate those vulnerabilities and threats.
No. 4, it also requires DHS to conduct an investigation to
determine if the security of Federally-owned, critical,
electric infrastructure has been compromised by outsiders. I am
proud of this bill. I know my colleagues are proud also. We
have support of both Republican and Democratic co-sponsors.
Madame Chairwoman, I look forward to the testimony of our
two panel witnesses today, and I yield back.
Ms. Clarke. Thank you. I now recognize Mr. Bartlett, who is
widely acknowledged here on the Hill as one who has been a
visionary and a leader in providing a robust roadmap for
addressing the threat of EMP, and I would like to acknowledge
him and have him make his comments at this time.
Mr. Bartlett. Thank you very much for inviting me to sit
with you today. I am very pleased that there is now increasing
recognition of the vulnerability of our grid and our country,
to EMP. I have been concerned about this a number of years. Dr.
Graham is here, who has chaired the commission that my
legislation set up in 2001, and this is probably one of the
longest-serving commissions on the Hill. I hope that it will be
serving for a while yet, because the job is not done.
If an EMP attack were vigorous enough, and you know, this
is kind of tough, because it is said that if it is too good to
be true, it is probably not true, and in this case, if it is
too bad to be true, it is probably not true. But in this case,
I am sorry to say, it could be true.
If the EMP lay down were vigorous enough, you could find
yourself in a world that, essentially the only person you could
talk to is the person next to you, unless you were a ham
operator with a vacuum tube set, which is a million times less
susceptible. The only way you could go anywhere, is to walk,
unless you were the proud owner of a Edsel or similar vintage
automobile with coil and distributor.
Of course, if you do not have electricity, you do not have
anything in our world. Our very vulnerability invites attack,
and it doesn't have to be a nation-state. Anybody who can get a
tramp steamer, buy a SCUD launcher for $100,000, with a crude
nuclear weapon, could do an EMP lay down. Not country-wide, but
certainly over New England. By the way, if you missed your
target by 100 miles, it is as good as a bull's-eye.
So this would obviously be the most asymmetric attack that
could be launched against us. My wife says I shouldn't talk
about this, because I am giving these people ideas, you know.
But it is in all of their literature. It is in all of their war
games. Not one out of 50 Americans may know about EMP, but I
will assure you that 100 percent of our potential enemies know
all about EMP.
So thank you very much for your vision in holding this
hearing, and thank you for inviting me to be with you.
Ms. Clarke. Other Members of the subcommittee are reminded
that under committee rules, opening statements may be submitted
for the record.
I welcome our first panel of witnesses today. We are joined
by a distinguished panel of private sector witnesses. Dr.
William Graham is the chairman of the Commission to Assess the
Threat to the United States from Electromagnetic Pulse, also
known as the EMP Commission.
Mr. Fabro is the president and chief security scientist of
Lofty Perch. Mr. Michael Assante, is the chief security officer
of the North America Electric Reliability Corporation, also
known as NERC, and Mr. Steve Naumann, is the vice president of
wholesale markets at Exelon Corporation. Mr. Naumann is
providing testimony on behalf of the Electric Industry
Association, Edison Electric Institute, and the Electric Power
Suppliers Association.
Just to give you an idea of the importance of this topic,
we received a number of statements for the record. I have made
these statements available to the Members ahead of time, but
ask unanimous consent that the following statements be included
into the record. The National Association of Regulatory Utility
Commissioners; Dr. Bill Rodasky, President of Metatech, and
John Caperman, Metatech consultant. George Anderson and Gail
Nordling of Emprimus. Mike Frankel, executive director of the
EMP Commission, Joe Weiss, Applied Control Solutions, and
Curtis Birnbach, president of Advanced Fusion Systems.
Hearing no objections, it is so ordered.
In the interest of time, I will ask that each of you
provide a brief biography of your work without objection. The
witnesses' full statement will be inserted in the record. I now
ask you to introduce yourselves, and summarize your testimony
for 5 minutes, beginning with Dr. Graham.
STATEMENT OF WILLIAM R. GRAHAM, CHAIRMAN, COMMISSION TO ASSESS
THE THREAT TO THE UNITED STATES FROM ELECTROMAGNETIC PULSE
Mr. Graham. Thank you, Madame Chairwoman, distinguished
Members of the committee, for the opportunity to testify today
on the matter of the nuclear magnetic pulse threat to the
United States, to our forces, our allies and our friends
worldwide.
By way of background, I am an electrical engineer and a
physicist, who first served as a junior officer in the Air
Force in 1962, and encountered the EMP problem as a great
surprise to all of us, as a result of the high altitude test
series that the United States conducted over the Pacific,
primarily Johnston Island, at that time.
I continued to work on the problem throughout my career,
now some 45 years, including as, among other things, the
director of the Office of Science and Technology Policy in the
Executive Office of the President and the science advisor to
President Reagan during his second term.
Several potential adversaries have or can acquire the
capability to attack the United States with high-altitude
nuclear weapon-generated electromagnetic pulse. In fact, a
determined adversary can achieve an EMP attack capability
without having a high level of technical sophistication. EMP is
one of a small number of threats that can hold our society at
risk of catastrophic consequences.
EMP will cover a wide geographic region within line-of-
sight of a nuclear weapon explosion. It has the capability to
produce significant damage to critical infrastructures, and
thus the very fabric of U.S. society, as well as the ability of
the United States and western nations to project influence and
military power. The common element that can produce such an
impact from EMP is primarily electronics, so pervasive in all
aspects of our society and military, coupled with critical
infrastructures.
An example of this, and the increase in potential
vulnerability, can be seen in the Smart Grid, where
considerable interest and effort is being made in adding
electronics to our electric distribution grid for efficiency,
effectiveness, and safety. But it can undermine that grid if it
is not designed properly. This EMP impact is asymmetric in
relation to our potential adversaries who are not so dependent
on modern electronics.
The current vulnerability of our critical infrastructure
can both invite and reward attack, if not corrected. Correction
is feasible and well within the Nation's means and resources to
accomplish. In fact, with proper design of protection for both
physical and cyber attacks, which should be integrated in our
electrical distribution and other critical infrastructure
systems, I believe we can actually work to a net economic
benefit, because of the improved reliability and performance
that we will achieve with these critical infrastructures.
However, there is an implicit invitation in the fact that
the United States is vulnerable in this area, to adversaries.
We know that geomagnetic storms will occur and they will damage
electric power distribution systems. The question is not if,
but when?
Concerning EMP, the logic of the position is upside-down,
in often-made statements about it being improbable. By ignoring
large-scale catastrophic EMP vulnerabilities, we invite such
attacks on our infrastructure by adversaries who seek to attack
us where we are weak, not where we are strong, and to take
advantage of that vulnerability.
We have prepared two unclassified reports, one on critical
national infrastructures, and an executive oversight report by
the commission, and I submit those to you as well, Madame
Chairwoman.
I would like to say then, while much of our discussion is
contained in those, in conclusion I would say that I would like
to go on the record as supporting H.R. 2195, the bill to amend
the Federal Power Act, to provide additional authority to
adequately protect the electrical infrastructure against cyber
attack, and for other purposes.
At the same time, I would like to strongly recommend that
very large-scale electromagnetic threats to the critical
infrastructure, both EMP and naturally occurring, be addressed
explicitly in the bill, in a manner comparable to and parallel
with the cyber threats now contained in the bill. Thank you
very much.
[The statement of Mr. Graham follows:]
Prepared Statement of William R. Graham
July 21, 2009
Mr. Chairman, Members of the committee, thank you for the
opportunity to testify today on the matter of the Nuclear
Electromagnetic Pulse (EMP) threat to the United States, its forces,
its allies, and its friends worldwide.
abstract
Several potential adversaries have or can acquire the capability to
attack the United States with a high-altitude nuclear weapon-generated
electromagnetic pulse (EMP). A determined adversary can achieve an EMP
attack capability without having a high level of sophistication.
EMP is one of a small number of threats that can hold our society
at risk of catastrophic consequences. EMP will cover the wide
geographic region within line of sight to the nuclear weapon. It has
the capability to produce significant damage to critical
infrastructures and thus to the very fabric of U.S. society, as well as
to the ability of the United States and Western nations to project
influence and military power.
The common element that can produce such an impact from EMP is
primarily electronics, so pervasive in all aspects of our society and
military, coupled through critical infrastructures. Our vulnerability
is increasing daily as our use of and dependence on electronics
continues to grow. The impact of EMP is asymmetric in relation to
potential protagonists who are not as dependent on modern electronics.
The current vulnerability of our critical infrastructures can both
invite and reward attack if not corrected. Correction is feasible and
well within the Nation's means and resources to accomplish.
background
I am an Electrical engineer and physicist who has served as a
junior officer in the Air Force, as Director of the Office of Science
and Technology Policy in the Executive Office of the President, and in
the aerospace industry, together for over 45 years. I have also served
on several Government advisory boards, including as Chairman of the
President's General Advisory Committee, and a member of the Defense
Science Board, the Department of State's International Security
Advisory Board, The National Academies Board on Army Science and
Technology, and from 2001 to 2009 as Chairman of the statutorily
established Commission to Assess the Threat to the United States from
Electromagnetic Pulse (EMP) Attack. While now retired, I have worked on
problems related to EMP during much of my career, beginning with my
service in the Air Force at the Air Force Weapons Laboratory in 1962.
The commission requested and received information from a number of
Federal agencies and National Laboratories. We received information
from the North American Electric Reliability Corporation, the
President's National Security Telecommunications Advisory Committee,
the National Communications System (since absorbed by the Department of
Homeland Security), the Federal Reserve Board, and the Department of
Homeland Security.
introduction
A high-altitude electromagnetic pulse results from the detonation
of a nuclear warhead at altitudes of about 40 to 400 kilometers above
the Earth's surface. The immediate effects of EMP are disruption of,
and damage to, electronic systems and electrical infrastructure. EMP is
not reported in the scientific literature to have direct effects on
people.
EMP and its effects were observed during the U.S. and Soviet
atmospheric test programs in 1962. During the U.S. STARFISH nuclear
test at an altitude of about 400 kilometers above Johnston Island,,
some electrical systems in the Hawaiian Islands, 1,400 kilometers
distant, were affected, causing the failure of street lighting systems,
tripping of circuit breakers, triggering burglar alarms, and damage to
a telecommunications relay facility.
In their testing that year, the Soviets executed a series of
nuclear detonations in which they exploded 300 kiloton weapons at
approximately 300, 150, and 60 kilometers above their test site in
South Central Asia. They report that on each shot they observed damage
to overhead and underground buried cables at distances of 600
kilometers. They also observed surge arrestor burnout, spark-gap
breakdown, blown fuses, and power supply breakdowns.
The physical and social fabric of the United States is sustained by
a system of systems; a complex dynamic network of interlocking and
interdependent infrastructures (``critical national infrastructures'')
whose harmonious functioning enables the myriad services, transactions,
and information flows that make possible the orderly conduct of civil
society in this country while also supporting our economic strength and
national security. The vulnerability of these infrastructures to
threats--deliberate, accidental, and acts of nature--is the focus of
significant concern in the current era, a concern heightened by the
events of 9/11, major hurricanes, recent wide-area power grid failures,
and large-scale cyber attacks to date directed at other countries.
In November 2008, the commission released an unclassified
assessment of the effects of a high altitude electromagnetic pulse
(EMP) attack on our critical national infrastructures and provides
recommendations for their mitigation. The assessment entitled Critical
National Infrastructures was informed by analytic and test activities
executed under commission sponsorship, as discussed in the report. An
earlier executive report: Report of the Commission to Assess the Threat
to the United States from Electromagnetic Pulse (EMP)--Volume 1:
Executive Report (2004), provided an earlier unclassified overview of
the subject. The commission also prepared and submitted to the Congress
and the administration several classified reports addressing military,
nuclear weapon, and intelligence aspects of the subject.
The electromagnetic pulse generated by a high altitude nuclear
explosion is one of a small number of threats that can hold our society
at risk of catastrophic consequences. The increasingly pervasive use of
electronics of all forms represents the greatest source of
vulnerability to attack by EMP. Electronics are used to control,
communicate, compute, store, manage, and implement nearly every aspect
of United States (U.S.) civilian systems. When a nuclear explosion
occurs at high altitude, the electromagnetic fields it produces will
cover the geographic region within the line of sight of the
detonation.\1\ This intense electromagnetic phenomena, when coupled
into sensitive electronics through any connected wires or other
electrical conductors, has the capability to produce widespread and
long lasting disruption and damage to the critical infrastructures that
underpin the fabric of U.S. society. Because of the ubiquitous
dependence of U.S. society on the electrical power system, its
vulnerability to an EMP attack, together with power grids increasing
dependence on electronics for efficiency, control, and safety, as
reflected for example in increasing national interest in ``Smart Grid''
design and implementation, creates the possibility of long-term,
catastrophic consequences.
---------------------------------------------------------------------------
\1\ For example, a nuclear explosion at an altitude of 100
kilometers would expose 4 million square kilometers, about 1.5 million
square miles, of Earth surface beneath the burst to a range of EMP
field intensities.
---------------------------------------------------------------------------
the implicit invitation
Some in Government have taken the position that EMP attack and
geomagnetic storm disruption are low-probability events. Of course, we
know that geomagnetic storms will occur, and large ones can seriously
damage very long-lead components of the electrical system--it is only a
question of when, not if. Concerning EMP, the logic of their position
is upside-down. By ignoring large-scale, catastrophic EMP
vulnerability, we invite such attack on our infrastructure by
adversaries looking to attack us where we are weak, not where we are
strong. Our adversaries know how to take advantage of this
vulnerability, and when coupled with increasing nuclear weapon and
ballistic missile proliferation, it is a serious concern. A single EMP
attack may effectively instantaneously degrade or shut down a large
part of the electric power grid in the geographic area of EMP exposure.
There is also a possibility of functional collapse of grids beyond the
exposed area, as electrical effects propagate from one region to
another, as has happened in power grid failures over the last 40 years.
The time required for full recovery of electrical power service
would depend on both the disruption and damage to the electrical power
infrastructure and to other national infrastructures. Larger affected
areas and stronger EMP field strengths would prolong the time to
recover. Adding to the recovery time, some critical electrical power
infrastructure components, such as large high-voltage transformers, are
no longer manufactured in the United States, and even in routine
circumstances their acquisition requires up to a year of lead time.
Damage to or loss of these components could leave significant parts
of the electrical infrastructure out of service for periods measured in
months to a year or more. There is a point in time at which the
shortage or exhaustion of sustaining backup systems, including
emergency power supplies, batteries, standby fuel supplies,
communications, and manpower resources that can be mobilized,
coordinated, and dispatched, together would lead to a continuing
degradation of critical infrastructures for a prolonged period of time.
Electrical power is necessary to support other critical
infrastructures, including supply and distribution of fuel,
communications, transport, financial transactions, water, food,
emergency services, Government services, and all other infrastructures
supporting the national welfare, economy, and security. Should
significant parts of the electrical power infrastructure be lost for
any substantial period of time, the commission believes that the
consequences are likely to be catastrophic, and many people may
ultimately die for lack of the basic elements necessary to sustain life
in dense urban and suburban communities. In fact, the commission is
deeply concerned that such impacts are likely in the event of an EMP
attack unless practical steps are taken to provide protection for
critical elements of the electric system and for rapid restoration of
electric power, particularly to essential services.
a plan of action
It is the consensus of the EMP Commission that the Nation need not
be vulnerable to the catastrophic consequences of an EMP attack. As
detailed in the commission reports provided to the Congress, the
Nation's vulnerability to EMP that gives rise to potentially large-
scale, long-term consequences can be reasonably and readily reduced
below the level of a potentially catastrophic national problem by
coordinated and focused effort between the private and public sectors
of our country. The cost for such improved security in the next 3 to 5
years is modest by any standard--and extremely so in relation to both
the war on terror and the value of the national infrastructures
threatened. In fact, electromagnetic protection of the critical
national infrastructures may over time provide a net saving of money
through the more reliable and robust operation of the systems involved.
The appropriate response to the EMP threat is a balance of
prevention, protection, planning, and preparations for recovery. Such
actions are both feasible and well within the Nation's means and
resources to accomplish. A number of these actions also reduce
vulnerabilities to other serious threats to our infrastructures, thus
giving multiple benefits.
It is not feasible to reduce the consequences of an EMP attack to
an acceptable level of risk by any single measure. However, in the view
of the EMP Commission, it is possible to achieve an acceptable level of
risk and reduced invitation to an EMP attack with a strategy that
integrates several significant measures:
Pursuing intelligence, interdiction, and deterrence to
discourage EMP attack against the United States and its
interests;
Protecting critical components of the infrastructure, with
particular emphasis on those that, if damaged, would require
long periods of time to repair or replace;
Maintaining the capability to monitor and evaluate the
condition of critical infrastructures;
Recognizing an EMP attack and understanding how its effects
differ from other forms of infrastructure disruption and
damage;
Planning to carry out a systematic recovery of critical
infrastructures;
Training, evaluating, ``Red Teaming,'' and periodically
reporting to the Congress;
Defining the Federal Government's responsibility and
authority to act;
Recognizing the opportunities for shared benefits;
Conducting research to better understand infrastructure
system effects and developing cost-effective solutions to
manage these effects.
Finally, I would like to state for the record that I support H.R.
2195, a bill to amend the Federal Power Act to provide additional
authorities to adequately protect the critical electric infrastructure
against cyber attack, and for other purposes. At the same time, I
strongly recommend that electromagnetic threats to the critical
electric infrastructure, both from nuclear EMP attack and from
naturally occurring, large-scale geomagnetic storms, be addressed in
the bill in a manner explicitly comparable to and in parallel with
cyber threats as now contained in the bill. It is important to do this
because an integrated approach to protecting critical electrical
infrastructure will be much less expensive and more effective and
expedient than any fragmented approach to the problem, and unlike the
Department of Defense, the Department of Homeland Security, from its
establishment forward, has shown neither an understanding nor a
willingness to consider the problem of electromagnetic threats to our
country.
Mr. Thompson [presiding]. Thank you very much, Dr. Graham.
Chairwoman Clarke had to go and cast votes in a mark-up. She
will return shortly.
Mr. Fabro, 5 minutes.
STATEMENT OF MARK FABRO, PRESIDENT AND CHIEF SECURITY
SCIENTIST, LOFTY PERCH
Mr. Fabro. Thank you to the committee for the opportunity
to testify today. My name is Mark Fabro and I am the president
and chief security scientist of Lofty Perch, a company focused
on providing control systems, cybersecurity services and
research. I am a member of the UTC Smart Network Security
Committee; the chairman of the Canadian Industrial Cyber
Security Council; and co-chair of ISA-99, Working Group 10.
I am here today to provide insight as to what measures can
be taken to help protect the modern electric grid from cyber
attack. There is no doubt as to whether or not our electric
infrastructure will continue to converge with internet-based
systems, and as it matures, it will inherit cyber
vulnerabilities.
We know there is a problem. We know the cause of the
problem. We know what works to correct it. We just need a plan
to implement. Our challenge is to ensure that, as we go
forward, we have done our due diligence, improving solutions as
secure and reliable, and that we protect what might be the most
vital of all critical infrastructures.
But it is important to note, the findings regarding
cybersecurity risk are not ubiquitous across all the entities
supporting the bulk power system. Moreover, they are not unique
to single countries, entities or operators, and they most
certainly are not indicative of an overall generally poor
security posture.
We continue to witness excellent examples of effective
cybersecurity activities from many entities and observe
progress that does not align with the popular opinion that the
bulk power system is ripe for total cyber compromise.
The complexity of the problem in trying to measure how
secure or resilient the grid is from cyber attack, cannot be
overstated. Often, and erroneously, the cybersecurity problem
is framed under the assumption that there is simply a single,
uniform grid, and that a mitigation strategy, be it technical
or policy-based, should be applicable in all areas.
Nothing could be further from the truth. Clearly, the
strategy for securing the modern grid requires significant
utilization of information security technology, security
research, information-sharing capabilities, and the integration
of these in a manner that meets the challenges associated with
current and future power delivery requirements.
To that end, it becomes important to understand that many
of the cybersecurity vulnerabilities in the bulk power system
that were once only theorized, have indeed been proven.
Sometimes the risk is connected to the core technology,
vulnerabilities in hardware, and software and various
protocols, can manifest in a multitude of attack vectors, even
ones that could involve the compromise of large aggregated
systems that could impact millions of consumers simultaneously.
But as researchers and subject matter experts, our ability
to communicate findings in a broad and effective manner is
often impeded by the absence of an effective information
sharing system. Thankfully, there is good work being done today
that can be leveraged for a secure grid tomorrow.
We have seen the NERC standards in action, reducing some
cybersecurity risk profiles by orders of magnitude.
We have seen the creation of non-invasive security
assessment tools that create usable guidance for securing
energy management systems. We have seen extensive energy sector
road maps that have provided for the creation of technologies
that can be used for security of electricity domain.
As proven time and time again, there are public-private
partnerships already in place contributing to the mitigation of
security threats to the bulk power system. Rather than develop
new plans that are tied to more aggressive standards and
enforcement, we need to ramp up the efforts in place now and
support the continuation of what has been proven to work.
I feel that there are three areas that should be focused on
to meet the emerging security challenges; research, improved
standards, and procurement language.
First, research, the research effort regarding the
cybersecurity of the bulk power system needs to be expanded and
nurtured. A sanctioned activity that promotes the independent
assessment of power system technologies without the risk of
legal retaliation or negative attribution is necessary.
In essence, cybersecurity's researchers must be protected.
This research must also include information sharing and cyber
incident response functions so that we can better prepare for,
detect, and respond to incidents unique to bulk power system
architectures.
Second, refining standards, the continued development of
cybersecurity standards for grid elements is required. This
effort should leverage standards that are already in place and
accepted by the national and international community of
stakeholders.
These standards should be updated to be more flexible so
that they can accommodate shared threat and vulnerability
information, but not so flexible to allow for erroneous
reporting regarding critical assets and cyber assets. The
standards should also incorporate instruction regarding how to
implement emergency orders related to specific and imminent
cyber attacks.
Third, for procurement guidance, this public-private
activity should leverage the existing body of work done for
industrial control systems and enhance it with sections
tailored to the electric sector. Simple refinement of existing
procurement guidelines can have a tremendous influence in bulk
power system cybersecurity and it can be done immediately.
To the committee, Madame Chairwoman, Ranking Member, I
thank you for this opportunity to testify here today and I
commend you on your attention to this very important matter. I
will be more than happy to answer any questions you may have at
this time.
[The statement of Mr. Fabro follows:]
Prepared Statement of Mark Fabro
July 21, 2009
Madame Chairwoman and Ranking Member, thank you for the opportunity
to testify today before the Homeland Security Subcommittee on
``Securing the Modern Electric Grid from Physical and Cyber Attacks.''
My name is Mark Fabro and I am the president and chief security
scientist of Lofty Perch, a company focused on providing cybersecurity
services to critical infrastructure organizations such as those in the
energy, water, transportation, and oil and gas sectors. I am a member
of the Utilities Telecom Council Smart Networks Security Committee, the
chairman of the Canadian Industrial Cyber Security Council, and co-
chair of ISA SP99 Working Group 10: Governance and Metrics for
Industrial Automation and Control Systems Security. For the last
several years I've been a subject matter expert supporting the
industrial control systems cybersecurity research effort at the
Department of Energy's Idaho National Laboratory, as well as the
efforts spearheaded by the Department of Homeland Security and the
Control Systems Security Program. I have authored several key
Recommended Practices for securing industrial control systems, and have
participated in the development of specific guidance as it pertains to
securing information technology in critical infrastructure systems. My
professional experience has provided me the privilege of performing
extensive cybersecurity research as it applies to the electric sector,
and I have been involved in a multitude of assessments specifically
performed to determine the cybersecurity of critical elements of the
bulk power system.
I want to be clear in stating that my testimony today is based on
my opinions and mine alone. This testimony was generated using my
experiences in working with sector-specific organizations as well as
many utilities, researchers, and other international government
entities facing the same challenges regarding cybersecurity and the
electric utility industry. My comments are based on my experience in
working with stakeholders, asset owners, vendors, and from detailed
cybersecurity assessment work specific to the electricity sector. I
also want to state that I have reviewed and assessed material from
other industry and subject matter experts who specialize in the field
of cybersecurity for electric grid systems, and have vetted my concerns
with them to ensure the committee is empowered with actionable
intelligence.
background and problem statement
As we look inwards to the Nation's vital information systems, such
as those responsible for maintaining our most essential
infrastructures, we continue to see, as Madame Chairwoman said in her
March 10, 2009 opening remarks, ``too many vulnerabilities existing on
too many critical networks which are exposed to too many skilled
attackers who can inflict too many damages to our systems.'' The
statement is chillingly accurate and has specific applicability to the
North American power grid. There is no doubt as to whether or not our
electric infrastructure will continue to converge with internet-based
systems, and as it matures it will inherit cybersecurity
vulnerabilities. As an example we are well on our way to seeing Smart
Grid happen; it has already been proven to be successful in many cities
and funding has been allocated to make it a proven reality. Our
challenge is to ensure that as we go forward we have done our due
diligence in proving these solutions as secure and reliable, and that
we protect what may be the most vital of all critical infrastructures.
In the last several years the rate at which critical infrastructure
entities have embraced modern information technology to enhance their
business operations has been staggering. This activity is of course a
natural progression, as a considerable portion of the Nation's critical
infrastructure systems have been found to be significantly aged, have
been built with a single purpose in mind, and deployed assuming
isolation by both physical and technological means. In an ever-changing
environment that demands businesses operate better, faster, and more
efficiently these characteristics clearly showcase a need for
modernization. With the President directing the National Security
Council to undertake a 60-day review of the U.S. approach to
cybersecurity it is important to recognize that the issues related to
the national critical infrastructure are being investigated, and
measures to protect vital systems are going to be done not unilaterally
but with the cooperation of allies. Recently proposed bills have
specific intent on augmenting current responsibilities as they pertain
to protecting the bulk power system from cyber attack, as well as
refine security and intelligence practices to specifically address
cyber threats and vulnerabilities to the power grid. Congressional
hearings have done an excellent job at highlighting the cybersecurity
issues associated with the industrial control systems running our
infrastructure, and the release of Smart Grid stimulus funds being
conditional on cybersecurity plans showcases that the issues regarding
cybersecurity are penetrating relevant communities of concern.
But the findings and risks regarding cybersecurity are not
ubiquitous across all entities supporting the bulk power system.
Moreover, they are not unique to a single country, they are not unique
to a single type of entity, and they most certainly are not indicative
of an overall ``generally poor'' security posture. We continue to
witness excellent examples of effective cybersecurity activities from
many entities, both large and small, and continue to see progress that
does not align with the popular opinion that the bulk power system is
ripe for total cyber compromise.
Unfortunately, regardless of how driven we are to address and
mitigate the larger cybersecurity problem, there is almost an
unavoidable introduction of cybersecurity vulnerabilities into grid-
related elements. This problem is of course exacerbated by the cultural
impediments that often drive reticence and the uncooperativeness of
infrastructure asset owners to address cybersecurity. Issues with
interdependency and cross-sector reliance mean that a single weak link
in the cybersecurity chain is a very influential one, and an attack on
even the smallest participant can have national impact. As
interoperability is the cornerstone of the bulk power system, we need
to ensure our current solutions and path forward are paved with the
useable safeguards we implement today. Indeed, robust situational
awareness and a cohesive response plan are necessary components within
any cyber risk reduction plan, but we must not forget that a majority
of the North American critical infrastructure is not owned or operated
by Government. As such, an understating of the real cybersecurity
issues within the electric sector community, including those related to
culture, multi-national interdependency and legacy operations is a
fundamental requirement in protecting the power grid.
Extensive research has been done regarding the risk associated with
migrating critical infrastructure systems over to modern IT
architectures, with some specific material focused on industrial
control systems. Numerous organizations, within both the public and
private sector, have for years recognized this problem and have
established several watershed efforts to meet the ever-changing
challenges associated with this very important issue. However,
resulting efforts have been disparate in nature, and only manage to
accommodate the needs of certain communities of interest and not the
Nation as a whole. As the protection of the North American bulk power
system is not only a national issue it is a multi-national issue, we
need to ensure our efforts become unified and provide consideration for
the diversified stakeholders dealing with this problem.
knowing the risk
Of all the 18 critical sectors recognized by DHS, the security and
reliability of the bulk power system could be considered the most
critical. Studies have repeatedly shown that the ability for the other
17 to function properly depend on its availability. The realization
that the grid is vulnerable to cyber attack is not new, as more than 12
years ago the National Security Telecommunications Advisory Committee's
Information Assurance Task Force cited numerous electronic security
incidents and threats to the grid. In their Electric Power Risk
Assessment, the IATF referenced the possibility of electronic attack,
cited technical hackers (including terrorists) as a threat, and
cautioned on the pervasiveness of open source information that can
facilitate the creation of target folders. At that time a majority of
utility members agreed ``that an electronic attack capable of causing
regional or widespread disruption lasting in excess of 24 hours is
technically feasible.''\1\ Today, we appear to be in the same position,
and most would agree with the findings as if the report came out last
week.
---------------------------------------------------------------------------
\1\ National Security Telecommunications Advisory Committee
Information Assurance Task Force ``Electric Power Risk Assessment'',
March 1997, www.solarstorms.org/ElectricAssessment.html.
---------------------------------------------------------------------------
The complexity of the problem in trying to measure how ``secure''
or ``resilient'' the grid is from cyber attack cannot be overstated.
Often, and erroneously, the cybersecurity problem is framed under the
assumption that there is simply a single uniform ``grid'' and that a
mitigation strategy, be it technical or policy-based, should be
applicable to all areas. Nothing could be further from the truth. The
processes and technology required to support the reliability and
functionality of the bulk power system, across all entities and
interconnects, is incredibly diverse. An immeasurable number of
different vendor technologies, protocols, operating systems,
communications media, and operating procedures simply cannot facilitate
for a security ``silver bullet'' in either the policy or technology
space. With the power infrastructure comprised of legacy systems that
cannot provide for useable event data, and newer systems unable to be
tuned to account for cybersecurity, it becomes very difficult to
discern between inherent system irregularities and incidents generated
by malicious cyber attack. Compounding the problem is the fact that
modern cybersecurity technologies are not always adaptable to control
system environments, as the need for perpetual system availability
often precludes even the simplest countermeasure.
Clearly, the strategy for securing the modern grid requires
significant utilization of energy technology, information security
technology, research, and the integration of these in a manner that
meets the challenges associated with current and future power delivery
requirements. As the bulk power system does and will continue to depend
on diverse information technology solutions, many of which possess
inherent cybersecurity vulnerabilities, we must be diligent in
understanding the cyber risk associated with critical cyber assets. The
past several years have brought about a significant increase in
attention to the issue of cybersecurity and industrial control systems
as well as the development of enforceable cybersecurity standards for
the electric sector entities. Indeed, the work both nationally and
internationally has been substantial. It is no question that we as a
society are committed to protecting the power grid. But it has become
very clear that the security safeguards we have created are often not
commensurate with the levels of protection required for a system with
such high value. The economics associated with the energy business has
in many ways threatened the potential of well-intended cybersecurity
guidance, and perhaps may have contributed towards many of the recent
incidents that precipitated this hearing and affiliated bills. We now
know that we have a situation that, if left unattended, could have
catastrophic results.
specific security issues
As a concerned community, we need to ensure that the issues
regarding cybersecurity in the bulk power system are presented and
studied in the appropriate light and not necessarily in the same
context as cybersecurity for general IT systems. Accurately
understanding the threats and vulnerabilities associated with the bulk
power system will only serve to ensure that future State architectures
will have the necessary countermeasures and mitigations properly
embedded. To that end, it becomes important to understand that many of
the cybersecurity issues in the bulk power system (including Smart
Grid) that were once only theorized have indeed been proven. We have
been able see the impact of hostile mobile code on nuclear facilities,
witness hackers tunnel into distribution systems, create attacks that
can take over a large metering infrastructure, and watch researchers
create useable exploit code that is specific to a vendors industrial
control system product. Although we see threats and malicious activity,
we still lack reports of any cyber attacks that have directly impacted
the bulk power system. Presenting these issues is not intended to
instill fear or panic, nor is it intended to question the surety of our
current and future grid plans as advantageous. Rather, they are
presented to support the problem statement with facts that can be used
to structure coordinated and effective mitigation activities. With
proposals in place to possibly adjust the current landscape of
authority as it pertains to the cyber protection of the bulk power
system, familiarization with some of the more core problems is
required. It is intended that such a discussion can facilitate for a
better understanding of key issues, thus empowering the committee to
make informed choices going forward.
Many elements that make up the bulk power system are not secure
from cyber events, whether they are of malicious intent or not. On a
regular basis we see cyber incidents impact some aspect of our energy
infrastructure, and as connectivity increases, along with hacker
interest, we will continue to hear more. Sometimes the risk is
connected to the core technology. The bulk power system can be
disrupted by using attacks that neither NERC nor FERC can regulate,
such as those that exploit vulnerabilities inherent in vendor
technologies. Vendors that use a single security safeguard across their
entire solution makes the attacker's work considerably easier, as the
compromise of a single device can often mean a compromise of many
devices in the command-and-control architecture. This is particularly
applicable to Smart Metering, and to date various research teams have
shown vulnerabilities that could be exploited across a metering
infrastructure rendering the network inoperable (or under the control
of an attacker). In some instances vulnerabilities exist within devices
that have capability for remote disconnect, suggesting attacks could
disable a metering infrastructure, impact utility load forecasting, and
perhaps impact control. Remote disconnect capability can be deployed to
the residential level as well, and compromised meters could lie dormant
until a later date and be used to attack other devices or grid
elements. One must consider what would happen in the event of an
aggregated attack, where an attacker was able to compromise 5 million
meters in a city-wide deployment, and suddenly render those 5 million
end-points off-line--what is the impact to the bulk power system when
the load from 5 million residences suddenly vanishes? I do not know
what that would look like in terms of grid coordination efforts but I
know it would definitely be non-trivial and require some expensive
investigation. Consumer trust in Smart Grid would surely be impacted.
New vulnerabilities in the embedded systems responsible for the
availability and integrity of electricity operations continue to be
discovered. An emerging security issues relates to how some critical
field technology can be compromised by exploiting methods used for
upgrading device firmware, such as those for substation and field
operations. These attacks that can render the device inoperable, make
the data collection/submission capabilities useless, or cause
undesirable impact to control capabilities. Such an attack would
significantly impact a utility's ability to provide market data, impact
load forecasting, impact ability to accurately control load shedding
operations, and possibly be used to force improper and unexpected load
shedding.
By creating and deploying control system solutions that utilize
commercial radio technologies with tunable antennas, the compromise of
networked grid equipment with embedded vulnerable radios could lead to
the creation of an unauthorized broadcast network, causing interference
on almost any radio frequency. This could impact radio communications
used by transmission operations, as well as integrated water and gas
systems, transportation functions, and municipal emergency services. In
addition to impacting electric grid control, the result could be
millions of rogue radio transmitters broadcasting multi-frequency noise
across the radio spectrum of a major urban metropolis, with the
potential to jam vital infrastructure communications. This issue is in
the same category as those vulnerabilities recently discovered that, if
exploited, can lead to a persistent denial of service in some utility
operations.
The suite of protocols that allow our bulk power system to work is
an extensive one, but many of the more common ones have for many years
been compromised and well understood by hackers and engineers alike.
With common industrial control protocols now using modern IT protocols
as the basis for communication, hacker tools and methods are easily
used against critical infrastructure systems. Attacks that compromise
availability, integrity, and confidentiality can easily be launched
against infrastructure systems, and we cite examples such as the worm
attack on the Davis-Besse nuclear plant and the hacker attack on the
California ISO. Considering the fact that many major protocols were
openly published (to meet interoperability needs), the practice of
reverse engineering both proprietary and open protocols has also
increased the overall risk to our grid operations. Many of the meshed
networks designed to heal themselves and ensure system communications
have been found to be vulnerable to attacks traditionally only known to
the IT world. This vastly extends the scope of plausible attacks
useable by adversaries, and could lead to the compromise of grid
integrity, energy operations, load control, and critical energy
infrastructure information.
Finally, there is risk associated with the deployment of secure
solutions in an insecure manner, a concern shared by many operators
within the bulk power system. The problem is cultural, and is a
residual effect from many decades of using control environments
isolated from internet-based networks. Moving to new modern
interconnectivity, supported by the economics associated with energy
markets and customer satisfaction, assessments have shown that energy
management and even maintenance networks can be quite insecure from a
cyber perspective. Field engineers using unknowingly compromised
service computers, wrought with insecure instant messaging and social
networking applications have authoritative access to vital grid
elements. These issues, along with requirements for corporate
operations to have on-demand access to energy management systems,
create new conduits for attackers. The weaknesses that exist in some
power system deployments can also impact the entire information path
from the SCADA systems to the consumer. In some cases, this has
actually manifested in attackers compromising utility customer service
web portals, and hacking back into the command function of the utility
to cause loss-of-control situations in the energy management system.
We have seen numerous vulnerabilities in our own research
environment, in the assessment environment, and even in emerging Smart
Grid elements such as Advanced Metering Infrastructure, or AMI. In some
cases, the results and findings are discouraging. Assessments and
incident response repeatedly provide alarming information, such as
proof of qualified threats looking to use cyber means to impact
electric grid operations. As a researcher and subject matter expert, my
ability to communicate findings in a broad and effective manner is
often impeded by the absence of an information sharing system.
positive perspectives
There is very good work being done today that needs to be leveraged
for a secure grid tomorrow. We have seen the NERC standards in action
that, when implemented, have reduced an entities risk profile by orders
of magnitude. We have seen the creation of non-invasive assessment
tools and techniques that create useable guidance for securing energy
systems. We have seen extensive sector-specific cybersecurity roadmaps
that have provided forums for the creation of technologies that can be
used in the energy domain. As an example, we have the knowledge and
technological capability to shape an early detection and warning system
that could be tuned for the bulk power system elements, as we have seen
small-scale solutions deployed with great success. We have proven case
studies that can be used to build effective ``deter'' and ``detect''
capabilities ones that can perhaps add completeness to a unified
``respond'' function. And, as is proven time and time again, the
public/private partnerships are in place to ensure cooperative
capabilities in mitigating security threats to the bulk power system on
North America.
Even though we had warnings in the mid-1990's, in the last 12
months we have gone from simply knowing about the security concerns of
the bulk power system to a widespread understanding that
vulnerabilities have and continue to be exploited by adversaries. The
problem has manifested to the point that DHS, DOE, and members of the
defense and intelligence community have taken an interest. We are
trying to categorize the threat and use our traditional analysis
methods to fit our data into the boxes we are comfortable with.
However, we need to ensure the tactical strategy for defending our bulk
power system does not require a development runway so long it precludes
us from defending against the threat today. To ensure we are successful
in creating security mandates and mobilizing any response capability we
need to leverage what is working presently. We do not have the luxury
of time; we need to leverage and support existing efforts and public/
private programs that are already established and move forward as
opposed to sideways.
Many experts suggest that the realization of a secure bulk power
system is ``blue sky'' wishful thinking. But to say that ``Secure Power
Grid'' is an oxymoron is a dangerous and erroneous statement. The
electric power industry regularly protects the bulk power system using
advanced coordination and seamless response activities. Present-day
capabilities, research initiatives, and subject matter expertise
continues to facilitate for effective and self-sustaining solutions to
ensure security in electric sector deployments. With appropriate
direction, support, and funding the community of interest is more than
capable to address these issues and provide for secure solutions. Much
work has been done across the stakeholder community, and we need not
start from zero. The required direction to mitigate the security
vulnerabilities that could have an adverse effect on the bulk power
system is well within our reach. Rather than develop new plans that are
tied to more aggressive standards and enforcement we need to ramp-up
the efforts in place now, and support the continuation of what has been
proven to work. New activities that will attempt to create a secure
energy infrastructure through hyper-rigorous compliance mandates is not
the right approach. In the past we have seen how the process for
instantiating new mandates can bring progress to a grinding halt, and
any new changes could actually reduce the security posture of the
electric system while entities struggle to align with new directives.
The stakeholder community may be very unreceptive to new instruction
and mandates, especially if it could make their historical progress
obsolete.
suggestions for a path forward
While many programs exist that can support a better understanding
of how to address these issues, certain activities must be undertaken
to ensure success in protecting key assets. I feel that there are three
primary areas that must be focused on to meet the current and emerging
challenges associated with protecting the bulk power system from cyber
attack.
First: SUPPPORTED RESEARCH
The research function regarding the cybersecurity of the bulk power
system needs to be expanded and nurtured. As in the traditional IT
domain, having well-funded and approved research is vital in making
sure the user community is safe from malicious cyber attack. A
supported and sanctioned activity that promotes the assessment of
vendor technology without the risk of legal retaliation or negative
attribution is necessary. In essence, the cybersecurity researchers
focusing on critical infrastructure must be protected and, whenever
possible, empowered by having their efforts embraced by vendors and
asset owners alike. This would of course contribute to the existing
work being done through public sector initiatives. Working to remove
the hurdles that prohibit cybersecurity testing for electric system
solutions will dissolve a shroud of secrecy that provides for the ever-
failing ``security through obscurity''. Believing threat actors do not
know how a system works is no grounds to assume it is secure. With a
wide range of on-line auctions that can be used to purchase systems
that are identical to what we would call critical assets, we need to
enroll our best minds, including private researches, to stay ahead of
the threat. This research will provide additional value to those
vendors that have long understood the impact of cybersecurity on
critical infrastructure, as well as assist those that are new to the
domain and need support in understanding the impact insecure solutions
can have. This would provide specific value to the Smart Meter arena. A
coordinated research effort between vendors, researchers, and utility
operators would help precipitate mitigations that would maximize our
own security postures and allow for easy integration into electric
system solutions. Failure to do so simply provides the adversary with
an advantage, and hinders our ability to proactively protect our
assets. This research must also include the updating of information
sharing and cyber incident response functions so that we can prepare,
detect, and respond to cyber incidents unique to our bulk power system
architectures. This action can be put in place today by leveraging
existing public/private programs, with assurances that the research
activities to date can be used to help protect the solutions being
manufactured for delivery in the very near term.
The committee is encouraged to support the existing frameworks that
can promote cybersecurity research for electric grid elements, and have
it defined in such a way that both researchers and vendors are driven
by appropriate incentives to promote the discovery and mitigation of
cyber vulnerabilities. Specific technological security testing, perhaps
under Cooperative Research and Development Agreement initiatives, could
augment the analysis and processing of cybersecurity incidents that
impact the bulk power system. When permitted, the inclusion of results
from Federal research, such as that done by DOE, will provide
significant value to the library of useful findings. As the issues of
cybersecurity and the power grid are not unique to the United States,
efforts to maximize the sharing of threat information among allies can
only help to precipitate better understanding. The committee is also
encouraged to facilitate these cooperative efforts by appointing a non-
regulatory lead organization within the Federal Government to
coordinate current research efforts, manage relationships and, when
feasible, ensure existing public/private efforts can implement actions
defined by research findings.
Second: REFINED STANDARDS
The continued development of cybersecurity standards is required to
be the baseline for driving definitive specifications to protect grid
elements, and to date we have working standards that are in effect
across the sector. With such a broad scope of critical component
functions, standards that define interoperability safeguards must also
be provided. Standards must continue to be developed and improved with
full support and contribution from the stakeholder community both
nationally and internationally. Most importantly, these standards
should be flexible to accommodate for refinement based on threat
information, but not so flexible that it facilitates erroneous
reporting regarding critical assets and cyber assets. The reliability
and security of the bulk power system is the responsibility of the
United States, Canada, and Mexico and as such these standards must be
enforceable by an integrated an overarching entity that can support
emergency orders swiftly and with authority. The standards should also
have applicability to the vendor community, allowing vendors to be
empowered with guidance as it relates to building secure energy
management technology solutions from the start. This must be provided
so that vendors can insert cybersecurity into their Systems Development
Life Cycle, and ensure security is built in to the solutions
proactively. As many experts agree that the fear of regulation or audit
greatly exceeds the fear of security breach, we must be careful of
creating standards that move organizations in a direction opposite to a
secure path, as we have witnessed instances where adherence to strict
regulations actually decreases the cybersecurity posture of an entity.
These cybersecurity standards developed must take into
consideration current and future states regarding threat intelligence,
cyber incident reporting, control systems cybersecurity, and legal
frameworks for information sharing. As such, an effective capability on
sharing cybersecurity vulnerability and threat data as it relates to
the critical electric infrastructure is required. This capability
should support a Federal entity responsible for providing accurate and
timely data on specific and imminent cyber threat. With that, sanitized
information products can then be used to improve standards and
proactive defensive activities. Of vital importance is that these
improved standards must facilitate for better information sharing
within the stakeholder community.
These standards must support a divergence from a culture based
simply on compliance and towards one founded on the measurement of
adherence to research-based best practices. The improved standards,
using the stakeholders as leadership and critics, would also help
maintain the tremendous success seen in private sector voluntary
actions.
Third: PROCUREMENT GUIDANCE
To support utilities and asset owners acquiring and deploying
secure electric system solutions, specific procurement guidance
language should be developed. Such language will be a valuable
facilitator that will drive vendors and asset owners to work together.
This cooperative activity will help shape bulk power system technology
cybersecurity requirements that can help make informed choices leading
to better procurement. This public/private activity should leverage the
existing body of work done for industrial control systems and enhance
it with sections tailored to the electric sector.
Leveraging the existing procurement language developed to assist in
the evaluation, development, and purchase of secure industrial control
systems, the guidance to assist in selecting secure gird architecture
elements, such as AMI, substation, and transmission elements, can be
created using efforts by vendors, security researchers, and results
from Government-led initiatives. It has been verified that vendors find
such a language very useful to ensure future business, as it will guide
them to develop secure solutions consumers clearly want and need. As
proven in the control systems domain, inherent security becomes a
market differentiator for the community as a whole, and that can lead
to a better and more secure infrastructure. In this case, moderate re-
engineering of existing procurement guidelines can have a tremendous
downstream influence in bulk power system cybersecurity, and it can be
done immediately. Recent advances in Smart Grid and Smart Metering
cybersecurity, such as that done by AMI-SEC Task Force, UtiliSec, and
NIST, could be easily incorporated.
Madame Chairwoman, Ranking Member, and the entire committee I thank
you for this opportunity to testify here today. I would be happy to
answer any questions you may have at this time.
Mr. Thompson. Thank you very much. The Chair now recognizes
Mr. Assante for 5 minutes.
STATEMENT OF MICHAEL J. ASSANTE, CHIEF SECURITY OFFICER, NORTH
AMERICAN ELECTRIC RELIABILITY CORPORATION
Mr. Assante. Thank you. Madame Chairwoman, Chairman of the
full committee, Ranking Member, Mr. Lungren, Members of the
subcommittee, my name is Michael Assante, I am the chief
security officer of the North American Electric Reliability
Corporation.
As a designated electric reliability organization in the
United States, and much of Canada, our responsibility and we
are dedicated to doing so, is to ensure reliability of the bulk
power system. This is a very sobering responsibility,
especially in light of the comments today.
The last time our organization testified before this
subcommittee, we committed to improving our response to
cybersecurity. I am here confidently to report that we have
done so, but we realize there is much more work to be done.
Cyberspace is proving paramount, both as a national and an
economic security issue. The compromise of our national through
this invisible battleground has cost billions of dollars from
our economy in terms of theft of both intellectual property and
the destruction of information systems.
Even though NERC is not aware of any cyber attacks that
have directly affected the reliability of power systems in
North America, we have no illusions of immunity, as we are well
aware of both Government systems and business systems that have
been successfully attacked at home and power systems that have
been disrupted abroad.
The United States and Canada must be ready to act in the
event of a specific and imminent cyber threat. We believe there
is an important gap in authority when it comes to these
emergency situations in the United States, and additionally,
emergency authority should be put into place and put into place
soon.
NERC and the electric sector have been working to answer
President Obama's broad call to action, stemming from a 60-day
cyber study completed in May 2009 and we are preparing for
Canada's forthcoming national strategy and action plan for
critical infrastructure and a national cyber strategy.
Some of these efforts include on-going revisions to NERC
cybersecurity standards with the goal of building a stronger
foundation. Phase 1 of these revisions was submitted to FERC
for approval in May. Work on additional Phase 2 revisions
continues and we are about to complete a thorough evaluation of
how we can incorporate portions of this framework into the NERC
standards.
I personally believe another important element of the
revisions will be to consider how best to construct broad
requirements for training and awareness programs, in incident
response and reporting, to apply to all entities of the bulk
power system.
We have also instituted and improved our voluntary alert
mechanism, whereby NERC is able to reach nearly 5,000
professionals in control rooms, power plants, and engineering
centers across North America within hours of being informed of
a vulnerability, or a threat. NERC has issued nine such alerts
over 2009.
Efforts also include expanded work on further assessments
and deeper analysis of risk. NERC's cyber risk preparedness
assessment, conducted in close coordination with the industry,
is designed to evaluate the preparedness in dealing with
challenging cyber threats.
While the pilot group will be small, the goal of this
assessment is to develop a toolkit for entities so that they
may assess their ability across the industry.
NERC is also partnering with the Department of Energy in a
very important effort to breathe new life into the previous
work to address high-impact, low-frequency risks, such as
space, weather, electromagnetic pulse, and pandemics. Many of
these are focused on cybersecurity risks, but physical risks in
the security of the power system are a very real concern.
Our understanding, system redundancies, coupled with
existing authorities far exceed what is in place to address a
very structured and well resourced cyber adversary.
The threat is like no other, and to demonstrate my point, I
will compare it to the rash of German U-boat attacks in the
coastal waters surrounding the United States that begin in May
1942 and lasted for almost a year.
The submarine threat was a mysterious one, much like the
ever-present but more deeply mass cyber attacks of today. The
threat is playing out beneath the cyber seas, but unlike
submarine warfare it has not stopped at our shoreline,
attackers are able to strike without being in harm's way.
Cyber weapons are often not flagged and their true origins
are unknown and therefore unattributable, and most importantly,
they have been largely successful in evading the instruments
available to prevent and deter it.
This is the risk to the power grid, that is the
interconnective system of wires, power plants, and digital
controls is still evolving, is still not yet fully understood.
The potential for an intelligent attacker to exploit a common
vulnerability across the system and impact many assets at once
and from a distance is one of the most concerning aspects of
this challenge.
This is not unique to the electric sector, but addressing
it will require better intelligence, and new thinking, on top
of sound operating and planning analysis. Complicating this
issue, much of the information about security-related threats
remain classified in Government communities, with restricted
opportunity to share information with affected asset owners.
From a regulatory perspective, NERC believes the scope of
Section 215 of the Federal Power Act, under which NERC both
develops and enforces mandatory standards, appropriately places
the focus on ensuring the security and reliability of the bulk
power system.
With that said, the increasing adoption of Smart Grid
technology, such as advanced metering systems in the
distribution grid, has come with the need to build in more
security and flexibility to mitigate the emerging risk of
exploring this new connectedness.
While a single device in the distribution system will not
be considered material to the bulk power system reliability
aggregate, these assets may become material. There capricious
magnitude of the priority of the issue at hand, and supports
enacting legislation to address this. Moving forward, NERC is
committed to complementing any Federal authority to address
cybersecurity challenges, regardless of the form it takes.
Thank you.
[The statement of Mr. Assante follows:]
Prepared Statement of Michael J. Assante
July 21, 2009
introduction
My name is Michael Assante and I am the chief security officer for
the North American Electric Reliability Corporation (``NERC''). As the
designated Electric Reliability Organization (``ERO'') in the United
States and much of Canada, NERC is dedicated to ensuring the
reliability of the bulk power system in North America. As part of our
mission, NERC evaluates, assesses, and works with industry to address
risks to the bulk power system through study, information sharing, and,
where appropriate, mandatory standards. Cyber- and physical security
are two such risks.
The last time our organization testified before the subcommittee,
we committed to improving our response to cybersecurity. I am able to
confidently report that we have done so. We certainly have more work to
do, but NERC and the industry have made encouraging progress on this
issue since May 2008. My testimony today will provide an update on our
activities, and will also provide some important perspectives for your
consideration as you continue your vital work on this subject.
Notably, NERC firmly believes that additional, Federal authority is
needed to address specific and imminent cybersecurity threats to the
bulk power system.
risks to the bulk power system
Cyber- and physical security are two of many reliability risks
faced by bulk power system planners and operators.
Unlike other concerns, such as extreme weather, security-related
threats can be driven by malicious actors who intentionally manipulate
or disrupt normal operations as part of a premeditated design to cause
damage. Cyber-related threats pose a special set of concerns in that
they can arise virtually anytime, anywhere and change and emerge
without warning.
While the industry deals with some physical security events, like
copper theft, on a regular basis, other technical threats or hazards,
such as electromagnetic pulse and space weather, are a concern and will
require careful consideration to develop appropriate and effective
mitigations. Cyber threats to control systems are still evolving and
are not yet fully understood. The potential for an intelligent attacker
to exploit a common vulnerability that impacts many assets at once, and
from a distance, is one of the most concerning aspects of this
challenge. This is not unique to the electric sector, but addressing it
will require asset owners to apply additional, new thinking on top of
sound operating and planning analysis when considering appropriate
protections against these threats.
Complicating this issue, much of the information about security-
related threats remains classified in the defense and intelligence
communities, with restricted opportunity to share information with
affected private-sector asset owners. The electric grid is placed at
significant risk as a result of limited information-sharing. NERC is
not aware, however, of any cyber attacks that have directly affected
the reliability of the power system in North America to date.
NERC is presently working to expand the body of analysis of
physical and cybersecurity risks on an industry-wide basis. These
efforts include analysis and consideration of specific risks and
vulnerabilities as they are identified by a group of security experts
from industry, security researchers, and technology vendors, dubbed
``Network HYDRA''. This networked group of professionals provides
important insight, feedback, and a communications vehicle to raise
awareness of important security concerns.
Non-traditional risks are also the subject of a working group NERC
has recently established in partnership with the Department of Energy
to analyze ``high-impact, low-probability'' risks--or, more accurately,
those risks whose likelihood of occurrence is uncertain relative to
other threats, but that could significantly impact the system were they
to occur. Officially launched on July 2, this working group will
examine the potential impacts of these events on the bulk power system,
focusing on influenza pandemic, space weather, terrorist attacks, and
electromagnetic pulse events. The group will host an invitation-only
workshop in the coming months to discuss their assessment and develop
conclusions and recommendations to industry based on their work. These
recommendations will be used to drive needed technology research,
development, and investment and also to evaluate NERC's current
standards and initiatives, potentially driving the creation of new
standards to address these issues.
In addition to these on-going efforts, NERC is conducting a Cyber
Risk Preparedness Assessment. This industry-led, voluntary assessment
will focus on detection, response, and mitigation capabilities for
cyber incidents. Coordinated by NERC, the assessment will look beyond
NERC's current cybersecurity standards for practices, procedures, and
technologies that contribute to cyber preparedness across the industry.
Generalized, aggregated results from the assessment will be used to
inform standards development activities, alert the industry to
potential areas of concern, and identify areas where research and
development investment is needed. For security reasons, specific
results of the assessment will remain confidential, a key condition of
participation in the program.
Through these and other, more specific assessments, NERC seeks to
broaden the understanding of cyber risk concerns facing the
interconnected bulk power system and guide industry-wide efforts to
develop prudent approaches to address the most material risks--in both
the short-term, through appropriate alerts, and longer-term, through
appropriate standards.
scope of nerc authority
The scope of NERC's authority as the ERO is limited to the ``bulk
power system,'' as defined below in Section 215(a)(1) of the Federal
Power Act:
``(A) Facilities and control systems necessary for operating an
interconnected electric energy transmission network (or any portion
thereof); and
``(B) electric energy from generation facilities needed to maintain
transmission system reliability.
``The term does not include facilities used in the local distribution
of electric energy.''
This authority places appropriate focus on the reliability of the
bulk power system, as outages and disturbances on the bulk system have
the potential for far greater impact than those on distribution
systems. Elements of the power grid outside this authorization include
telecommunications infrastructure and ``local distribution,'' which
typically includes the infrastructure within urban areas and that
serves many military installations.
The increasing adoption of ``Smart Grid'' and advanced metering
systems on distribution systems has brought renewed focus to the
appropriate definition of a bulk power system component. As grid
operators rely on demand-response, rooftop solar panels, and other
distribution-level assets in capacity planning and operation, the
reliability of the bulk power system may become increasingly dependent
on the operation of assets connected at the distribution level. While a
single device would not be considered material to bulk power system
reliability, in aggregate, these assets may become critical to the bulk
power system.
As a result, NERC is working with the National Institute of
Standards and Technology (``NIST''), the Department of Energy (``DOE'')
and the Federal Energy Regulatory Commission (``FERC'') as security and
interoperability standards are developed for ``Smart Grid''
technologies. Additional efforts at NERC include high-level assessment
by several working groups. NERC's technical committees are presently
considering the formation of a ``Smart Grid Task Force'' to further
evaluate these issues.
nerc mandatory reliability standards & compliance
Developing mandatory standards that apply to the more than 1,800
diverse entities that own and operate the North American bulk power
system is a complex undertaking. Standards must apply equally to
companies with thousands of employees and to those with only 20.
Additionally, the standards must not do harm. They must take into
account unique component configurations and operational procedures that
differ widely across the grid. Given our extensive experience in
standards development, NERC firmly believes the level of expertise
needed to create standards that achieve security objectives and ensure
reliability can best be found within the industry itself.
NERC develops all its Reliability Standards through an ANSI-
accredited process, which we believe provides the appropriate framework
for ensuring that subject matter expertise is used to create and vet
the standards. Though use of an ANSI-accredited process is not
specifically required, the Federal Power Act does specify that the
standards development process must ``provide for reasonable notice and
opportunity for public comment, due process, openness, and balance of
interests in developing reliability standards . . . .'' (Sec.
215(c)(2)(D)).
In certifying NERC as the ERO, FERC found that NERC's ANSI-
accredited standards setting process meets these requirements. The
standards development process is set forth in NERC's Rules of
Procedure, which FERC has approved.
The ANSI-accredited standards development process has yielded
important results as NERC has revised its Critical Infrastructure
Protection (``CIP'') Reliability Standards over the past year. NERC's
Board of Trustees approved revisions to eight of the nine currently-
approved CIP Reliability Standards on May 6, 2009, after the standards
passed industry balloting with an 88 percent approval rating. The high
approval rating indicates the industry's strong support for these
development efforts, which has been vital to their success.
These revised standards were filed with FERC for regulatory
approval in the United States on May 22 and are already mandatory and
enforceable in parts of Canada.
NERC's Critical Infrastructure Protection standards fill a specific
role in the protection of the bulk power system. The standards are
comprised of roughly 40 specific requirements designed to lay a solid
foundation of sound security practices that, if properly implemented,
will develop capabilities needed to defend critical infrastructure from
cybersecurity threats. The standards are not, however, designed to
address specific, imminent threats or vulnerabilities.
Work on additional, phase-two CIP standards revisions continues,
with initial industry validation on track for the fourth quarter of
2009. Modifications underway as part of the phase-two revisions include
considering the extent to which elements of the Recommended Security
Controls for Federal Information Systems under development by NIST can
be incorporated into the CIP Reliability Standards. Also under
consideration are broader foundational requirements for training and
preparedness, specifically with applicability to entities who do not
own or operate Critical Assets.
Additional modifications underway in this phase-two development
work were the subject of a letter I sent to industry stakeholders on
April 7, 2009. The letter addressed the identification of Critical
Assets and associated Critical Cyber Assets that support the reliable
operation of the bulk power system, as required by NERC Reliability
Standard CIP-002-1. The letter was based on initial data collections
NERC has used to evaluate the implementation of the standard across the
industry prior to the start of formal audits, which began for some
entities on July 1, 2009. The appropriate prioritization of assets for
protection is a critical component of a successful security strategy,
though its implementation poses a significant challenge to industry
given the complex nature of the system and the changing nature of cyber
threats.
In my April 7 letter, I called on users, owners, and operators of
the bulk power system to take a fresh look at current risk-based
assessment models to ensure they appropriately account for new
considerations specific to cybersecurity, such as the need to consider
misuse of a cyber asset, not simply the loss of such an asset. The
letter is part of the iterative process between NERC and industry
stakeholders as we work together to improve reliability. In this case,
NERC gathered information about the status of implementation of the
critical infrastructure protection standards and fed that information
and its own insights back to the industry as part of a cycle of
continuous improvement.
This effort demonstrates that NERC is working to address a critical
element of the cybersecurity challenge: The educational learning curve
and resulting compliance-related challenges that must be addressed to
improve the cybersecurity of the bulk power system. Ensuring that each
of the more than 1,800 entities that own and operate components of the
bulk power system understands cybersecurity and the efforts needed to
adequately protect the security of the bulk power system has been a
priority for NERC.
The standards development and improvement process is producing
results; however, NERC recognizes this process is not well-suited to
addressing more imminent threats. As a result, NERC has been working
with its stakeholders over the past year to develop and vet an
alternate process for standards development to address imminent needs.
This process is nearing completion and is expected to be submitted to
FERC for approval before the end of the year.
addressing imminent threats
At NERC, we are working in a number of areas to help provide or
assist in the provision of the kinds of information that will help the
industry better secure critical assets from advanced, well-resourced
threats and other known cyber activity on an on-going basis. Strong and
proactive participation by industry volunteers thus far has been
encouraging.
In these efforts, NERC collaborates with DOE and the U.S.
Department of Homeland Security (``DHS'') on critical infrastructure
and security matters on an almost daily basis. Additionally, NERC
serves as the Electricity Sector Information Sharing and Analysis
Center (``ES-ISAC''), which is responsible for promptly analyzing and
disseminating threat indications, analyses, and warnings to assist the
electricity industry.
NERC has in place a formal mechanism for issuing alerts to the
industry about important matters that come either from NERC's own
efforts, identified vulnerabilities or attacks, or from Government
agencies with specific information about possible threats. Alerts
issued through this mechanism are not mandatory and cannot require an
entity to perform tasks recommended or advised in the alert. NERC has
significantly improved this system over the past year and continues
improvements through the development of a secure alerting portal, due
to be complete this fall.
NERC is now able to provide timely, critical reliability
information to nearly 5,000 security and grid operations professionals
within minutes, and has demonstrated success by conducting training and
using the system to send alerts, record acknowledgements and receive
responses within several days. NERC has issued nine such alerts in
2009, with its most recent ``recommendation'' receiving a 94 percent
response rate. The industry has been very supportive as we have worked
to improve this process.
NERC's recent work to alert the industry of the Conficker worm,
including lessons learned on mitigation, involved the issuance of one
recommendation, two advisories, and an awareness bulletin over the span
of 6 months. These efforts significantly contributed to overall
preparedness and awareness of the underlying vulnerability and cyber
threat.
We acknowledge and believe, however, that there are circumstances
where NERC's efforts will not be adequate to identify or address
specific imminent threats. Threats like those suggested by the April 8
Wall Street Journal article discussing the existence of ``cyber spies''
in the electric grid, for example, have been challenging for the
industry to fully evaluate and address. Without more specific
information being appropriately made available to asset owners, they
are unable to determine whether these concerns exist on their systems
or develop appropriate mitigation strategies. A mechanism therefore is
needed to validate the existence of such threats and ensure information
is appropriately conveyed to and understood by asset owners and
operators in order to mitigate or avert cyber vulnerabilities.
NERC and the electric industry have been working closely in
confidence to evaluate threats such as those described in the article.
Specific information about these efforts is bound by confidentiality
agreements.
emergency federal authority needed
Preparedness and awareness efforts like the assessments, alerts,
and standards discussed above are necessary, but not sufficient, to
protect the system against specific and imminent threats. NERC firmly
believes that additional emergency authority is needed at the Federal
level to address these threats, and NERC supports legislation that
would give an agency or department of the Federal Government necessary
authority to take action in the face of specific and imminent cyber
threats.
For the reasons discussed above (that reliability standards must do
no harm, take unique component configurations into account, and apply
equally to all bulk power system entities--including those in Canada--
regardless of size or structure), NERC firmly believes the level of
expertise needed to create standards that achieve security objectives
and ensure reliability can best be found within the industry itself.
NERC believes an industry-based standards development process utilizing
cross-border subject matter expertise will yield the best results for
long-term reliability standards.
conclusion
NERC, the electric industry, and the governments of North America
share a mutual goal of ensuring threats to the reliability of the bulk
power system, especially cybersecurity threats, are clearly understood
and effectively mitigated. NERC has taken a number of actions to
protect the bulk power system against cybersecurity threats and NERC
will continue its work with Governmental authorities and industry
stakeholders to do so. We believe these efforts have improved and will
continue to improve the reliability and security of the bulk power
system. We maintain, however, that these efforts cannot be a substitute
for additional emergency authority at the Federal level to address
specific and imminent cybersecurity threats.
NERC appreciates the magnitude and priority of this issue, and
supports enactment of legislation to address this gap in authority as
quickly as possible. Moving forward, NERC is committed to complementing
Federal authority to address cybersecurity challenges, regardless of
the form it may take. We commend this subcommittee for its action to
date and look forward to supporting your efforts however possible.
Mr. Thompson. Thank you very much. Mr. Naumann, for 5
minutes.
STATEMENT OF STEVEN T. NAUMANN, VICE PRESIDENT, WHOLESALE
MARKETS, EXELON CORPORATION; REPRESENTING EDISON ELECTRIC
INSTITUTE AND ELECTRIC POWER SUPPLY ASSOCIATION
Mr. Naumann. Thank you. Chairwoman Clarke and Members of
the subcommittee. My name is Steve Naumann, and I am vice
president of wholesale market development for Exelon
Corporation. Our utility companies serve 5.4 million customers
in Chicago and Philadelphia.
I also serve as Chairman of the NERC Member Representatives
Committee. As was noted, I am appearing on behalf of the Edison
Electric Institute and the Electric Power Supply Organization.
We appreciate the opportunity to testify about cybersecurity in
a critical infrastructure on behalf of these organizations.
I would like to discuss three issues relating to securing
critical electric infrastructure. First, the success of public-
private partnerships in recognizing and addressing cyber
threats and vulnerabilities; second, the need to avoid
unintended consequences when implementing cybersecurity
remedies; and third, policy proposals being considered by
Congress and the administration.
The owners, operators, and users of the bulk power system
take cybersecurity very seriously. To this end, as
cybersecurity threats continue to evolve and our adversaries
become more sophisticated, the public sector welcomes even more
cooperation with, and information from, Government partners.
Both the Federal Government and electric utilities have
distinct realms of responsibility and expertise in protecting
the bulk power system from cyber attack.
Ideally, to ensure the cybersecurity of the Nation's
electric grid and utilize the vast expertise of both public and
private sectors, we need to, clearly, define these
complementary roles and responsibilities while facilitating
cooperation and information sharing between Government agencies
and utilities.
Giving you an example of how Exelon operates, we address
risks through a defense-and-depth strategy while balancing the
considerations for consequences. This includes preventive
monitoring and detective measures to ensure the security of our
systems.
We regularly perform penetration tests to inform us of
whether our preventative strategies are working so we can
enhance our protection as technologies and capabilities evolve.
These tests allow us to practice and enhance our monitoring
capabilities while yielding lessons learned that are unique to
our system.
But as was mentioned before, no two utility systems have
identical network, hardware, or logistical strengths. No,
single entity, will know the systems strengths or weaknesses
like we do.
Going on to Smart Grid, one of the issues that was raised
was the increased, possible, vulnerability of adding these
devices to the distribution system. We believe it is very
important to work with the manufacturers and the vendors to
ensure that security is built into the devices and is
upgradeable from the devices.
We would encourage the development of the security
certification program, a good housekeeping seal of approval if
you will, through which Smart Grid components and systems could
undergo independent testing and receive that certification that
security tests have been passed.
This would help the utilities differentiate among vendors
to select those providing appropriate cybersecurity. The
careful consultation with the electric utility industry helps
ensure that Government intervention in protecting the grid from
a cyber attack doesn't have unintended or harmful consequences.
As mentioned, the electricity grid is a complex system,
there are certain measures that might prevent a particular
cyber attack, could themselves, have adverse impacts to safe
and reliable utility operation and service to customers.
For this reason, any new legislation that would give
additional cybersecurity authority to a Federal agency should
be limited to true national emergency situations where there is
a significant national security or public welfare concern and
should provide to the extent possible consultation with
industry experts.
Congress should focus then, on what additional authority is
needed in order to promote clarity and focus in response to
imminent cybersecurity threats.
The Section 215, mandatory reliability framework, reflects
years of work in broad consensus reached by industry and other
stakeholders and is a good starting point to go by. EPSO and
EEI and their member companies remain fully committed to work
with the Government and the industry partners to increase
security.
I appreciate the opportunity to appear today and would be
happy to answer any questions. Thank you very much.
[The statement of Mr. Naumann follows:]
Prepared Statement of Steven T. Naumann
July 21, 2009
Mr. Chairman and Members of the subcommittee: My name is Steve
Naumann, and I am vice president for Wholesale Market Development for
Exelon Corporation. I also serve as chairman of the member
representatives committee of the North American Electric Reliability
Corporation (NERC). I appreciate your invitation to appear today and
the opportunity to testify about protecting the electric grid from
cybersecurity threats.
Exelon is a holding company headquartered in Chicago. Our retail
utilities, ComEd in Chicago and PECO in Philadelphia, serve 5.4 million
customers, or about 12 million people--more than any other electric
utility company. Our generation subsidiary, Exelon Generation, owns or
controls approximately 30,000 MW of generating facilities, including
fossil, hydro, nuclear, and renewable facilities. Our nuclear fleet
consists of 17 reactors; it is the largest in the Nation and the third
largest in the world.
I am appearing today on behalf of the Edison Electric Institute
(EEI) and the Electric Power Supply Association (EPSA). Exelon is a
member of both. EEI is the trade association of U.S. shareholder-owned
electric companies and has international affiliate and industry
associate members world-wide. EEI's U.S. members serve 95% of the
ultimate customers in the shareholder-owned segment of the industry and
represent about 70% of the U.S. electric power industry. EPSA is the
national trade association representing competitive power suppliers,
including generators and marketers. EPSA members own 40 percent of the
installed generating capacity in the United States, providing reliable
and competitively priced electricity from environmentally responsible
facilities.
My testimony focuses on the nature of cybersecurity threats to the
bulk power electric system and the efforts of electric utilities to
respond to those threats. At the subcommittee's request, I also will
share suggestions and observations regarding the relationship between
Government and the private sector in our efforts to secure the electric
grid from cyber attacks.
I want to assure the subcommittee that as owners, operators, and
users of the bulk power system, electric utilities take cybersecurity
very seriously. We are actively engaged in addressing cybersecurity
threats as they arise and in employing specific strategies that make
every reasonable effort to protect our cyber infrastructure and
mitigate the risks of cyber threats. As the industry relies
increasingly on electronic and computerized devices and connections,
and the nature of cyber threats continually evolves and becomes more
complex, cybersecurity will remain a constant challenge for the
industry. But we believe we are up to the task, building on our
industry's historical and deep-rooted commitment to maintaining system
reliability.
industry standards, emergency authority, and legislative proposals
The industry believes it is appropriate for Congress to consider
legislation providing the Federal Energy Regulatory Commission (FERC)
new emergency authority to address imminent cybersecurity threats. I
want to emphasize, however, that current law already provides the means
to address many cybersecurity issues in the electric industry. Section
215 of the Federal Power Act (FPA), which was enacted by Congress as
part of the Energy Policy Act of 2005, provides for mandatory and
enforceable electric reliability rules, specifically including rules to
address cybersecurity with FERC oversight.
The basic construct of the relationship between FERC and NERC,
which FERC certified as the Electric Reliability Organization (ERO)
under FPA Section 215, in developing and enforcing reliability rules is
sound. In summary, NERC, using a well-defined stakeholder process that
leverages the vast technical expertise of the owners, users, and
operators of the North American electric grid (including those in
Canada with whom we are interconnected) develops reliability standards,
which are then submitted to FERC for review and approval. Once approved
by FERC, these standards are legally binding and enforceable in the
United States. NERC also submits these standards to regulatory
authorities in Canada.
I suggest the question on which the subcommittee should focus is,
``What additional authority should be provided to FERC in order to
promote clarity and focus in response to imminent cybersecurity threat
situations?'' Legislation in this area should complement, not supplant,
the mandatory reliability regime already established under FPA Section
215, and any new FERC authority should be appropriately narrow and
focused only on unique problems that cannot be addressed under Section
215. The FPA Section 215 mandatory reliability framework reflects years
of work and broad consensus reached by industry and other stakeholders
in order to ensure a robust, reliable grid. It should not be undermined
so early in its implementation.
Any cybersecurity legislation should promote consultation with
industry stakeholders and owner-operators of the bulk power system on
remediation measures. Consultation is critical to improving
cybersecurity.
Obviously, the scope of the damages that could result from a
cybersecurity threat depends on the details of any particular incident.
A carefully planned cyber attack could potentially have serious
consequences. In considering the scope of damages that any particular
cybersecurity threat might inflict, utilities must also consider the
potential consequences caused by any measures taken to prevent against
cyber attack. Certain measures that might prevent a particular type of
cyber attack could themselves have adverse impacts to safe and reliable
utility operations and service to electricity customers. Examples might
include slower responses during emergency operations, longer times for
restoration of outages and disruption of business operations dependent
on internet access. That is why each situation requires careful
consultation with utilities to ensure that a measure aimed at
protecting the grid from a malicious cyber attack does not instead
cause other unintended and harmful consequences.
Furthermore, every utility operates different equipment in
different environments, making it difficult to offer generalizations
about the impacts to the bulk power system or costs and time required
to mitigate any particular threat or vulnerability. This complexity
underscores the importance of consultation with owners, users, and
operators to ensure that any mitigation that may be required
appropriately considers these factors to ensure an efficient and
effective outcome.
For the foregoing reasons, any new legislation giving FERC
additional statutory authority should be limited to true emergency
situations involving imminent cybersecurity threats where there is a
significant declared national security or public welfare concern. In
such an emergency, it is imperative that the Government provide
appropriate entities clear direction about actions to be taken, and
assurance that those actions will not have significant adverse
consequences to utility operations or assets, while at the same time
avoiding any possible confusion caused by potential conflicts or
overlap with existing regulatory requirements.
Because of its extraordinary nature and potentially broad impacts
on the electric system, any additional Federal emergency authority in
this area should be used judiciously. Legislation granting such
authority should be narrowly crafted and limited to address
circumstances where the President or his senior intelligence advisors
determine there is an imminent threat to national security or public
welfare.
public-private partnerships: collaboration and communication
The following comments address the specific issues raised by the
subcommittee's invitation to testify regarding how Government and the
private sector share information before, during, and after
cybersecurity attacks.
Both the Federal Government and electric utilities have distinct
realms of responsibility and expertise in protecting the bulk power
system from cyber attack. The optimal approach to utilizing the
considerable knowledge of both Government intelligence specialists and
electric utilities in ensuring the cybersecurity of the Nation's
electric grid is to promote a regime that clearly defines these
complementary roles and responsibilities and provides for on-going
consultation and sharing of information between Government agencies and
utilities.
Information about cybersecurity vulnerabilities and attempts to
exploit those vulnerabilities is shared with electric industry owners,
users, and operators through a number of channels every day. Federal
agencies that communicate this information to the private sector, such
as the United States Computer Emergency Readiness Team (US-CERT), as
well as cybersecurity hardware and software vendors, classify
vulnerabilities in terms of the generalized risk to systems. Factors
such as the seriousness of consequences of a successful attack, the
sophistication required to conduct the attack, and how widely used the
potentially affected assets are within an industry are used to rank
vulnerabilities as ``high'', ``medium'', or ``low'' risk.
Fundamentally, however, the private sector can sometimes be
disadvantaged in assessing the degree and urgency of possible or
perceived cyber threats because of inherent limitations on its access
to intelligence information. The Government is entrusted with national
security responsibilities and has access to volumes of intelligence to
which electric utilities are not privy. On the other hand, electric
utilities are experienced and knowledgeable about how to provide
reliable electric service at a reasonable cost to their customers, and
we understand how our complex systems are designed and operate. Owners,
users, and operators of the bulk power system are in a unique position
to understand the consequences of a potential malicious act as well as
proposed actions to prevent such exploitation. Greater cooperation,
coordination, and intelligence sharing between Government and the
private sector should be encouraged, consistent with the public-private
partnership model endorsed by the President's 60-day cybersecurity
review.
Exelon, for example, is addressing the risks we know about through
a ``defense-in-depth'' strategy while appropriately balancing
considerations of potential consequences. This defense-in-depth
strategy includes preventive monitoring and detective measures to
ensure the security of our systems. We perform penetration tests where
a contractor attempts to find and exploit vulnerabilities. The results
of these regular penetration tests inform us about whether our
preventive strategies are working so that we can enhance our protection
as technologies and capabilities evolve. These penetration tests, which
allow us to practice and enhance our monitoring capabilities, also
yield lessons learned that are unique to our system. Because no two
utility companies have identical network, hardware or logistical
configurations, no single entity will know our system's strengths or
weaknesses quite like we do.
NERC, which functions as the Electric Sector Information Sharing
and Analysis Center (ISAC), disseminates alerts to provide information
to the electric industry. With the input of its members, NERC has
revised its procedures significantly over the past 2 years to improve
the ability to quickly and securely provide this critical information
to industry. This should ensure that when new vulnerabilities are
uncovered, that users, owners, and operators will receive the needed
information in a timely manner to take corrective action. Thus, we
believe that the ISAC is providing timely and relevant analysis and
alerts to the industry. Many of us have been frustrated with NERC's
historically slow information-sharing process. I am pleased to note
they have improved and we are getting information in a much more timely
manner, though like anything else, there is always room for more
improvement.
smart grid
As grid technologies continue to evolve and become ``Smarter,''
they inevitably will include greater use of digital controls. Congress
recognized the potential cybersecurity vulnerabilities, as well as
benefits, that could result from greater digitization of the grid when
it directed DOE to study these issues in Section 1309 of the Energy
Independence and Security Act of 2007. Manufacturers of critical grid
equipment and systems must fulfill their security responsibilities by
adopting good security practices in their organizations, building
security into their products, and establishing effective programs so
that, as new vulnerabilities are discovered, they can inform customers
and provide technical assistance with mitigation. As new Smart Grid
technologies are developed, it is imperative for the industry to work
closely with vendors and manufacturers to ensure they understand that
cybersecurity is essential so that protections are incorporated into
devices as much as possible.
It is equally critical that cybersecurity solutions be incorporated
into the architecture being developed for Smart Grid solutions, so that
the great benefits new Smart Grid technologies will provide are
implemented in a secure fashion. With Smart Grid solutions in the early
stages of development, opportunities exist to ensure this vision is
fulfilled. EEI supports the process currently underway at the National
Institute of Standards and Technology (NIST) to develop a framework of
standards that will become the foundation of a secure, interoperable
Smart Grid. It is imperative that NIST proceed boldly and expeditiously
to establish standards applicable to all.
EEI is encouraging the development of a security certification
program, through which Smart Grid components and systems could undergo
independent testing and receive a certification that security tests had
been passed. Such a program would help utilities differentiate among
different vendor solutions to select those providing appropriate
cybersecurity.
Finally, I would like to provide the subcommittee information on
advanced metering implementation by Exelon's operating utilities. ComEd
will be installing Advanced Metering Infrastructure under an Illinois
Commerce Commission approved pilot program. PECO is installing Smart
Meters in accordance with Pennsylvania law that requires distribution
companies to deploy Smart Meters for all customers over 15 years.
Cybersecurity has been a cornerstone of Exelon's Smart Grid/Advanced
Meter Strategy from its inception in early 2008. Exelon understands and
recognizes the potential risks associated with the deployment of such
technologies throughout its service territories and treats
cybersecurity with the utmost importance. To ensure security of these
installations, Exelon is following internally developed security
requirements and documenting them in requests for proposals to vendors
for the supply of Smart Grid/Advanced Meter solutions. This includes
the requirement to enumerate vendor security capabilities that ensures
confidentiality, integrity, and availability. Exelon maintains a
vulnerability management program which requires a documented
penetration test to demonstrate that controls are implemented as
designed. Third-party vendor audits are also performed to ensure vendor
design & manufacturing controls are adequate. From an industry
community and vendor perspective, Exelon is an active participant in
the NIST Smart Grid Roadmap and Security Strategy development
initiative and actively participates in other industry groups. ComEd
and PECO will seek recovery of 100% of their costs of metering
infrastructure in rate cases--as they do for all other infrastructure--
except to the extent ComEd and PECO receive stimulus funding for
advance meters. ComEd and PECO both plan to apply to DOE for Smart Grid
Investment Grant (SGIG) funds to support their overall Smart Grid
deployment efforts. Greater security is one of the benefits of the
Smart Grid that DOE has articulated. Pursuant to this, SGIG
applications are required to detail the cybersecurity implications of
any project seeking funding. Cybersecurity has been a key consideration
in the development of ComEd and PECO's Smart Grid plans and will be
further detailed in their respective grant applications.
conclusion
While many cybersecurity issues are already being addressed under
current law, we believe it is appropriate to provide FERC with explicit
statutory authority to address cybersecurity in a situation deemed
sufficiently serious to require a Presidential declaration of
emergency. In such a situation, the legislation should clarify the
respective roles, responsibilities, and procedures of the Federal
Government and the industry, including those for handling confidential
information, to facilitate an expeditious response.
Any new authority should be complementary to existing authorities
under Section 215 of the Federal Power Act, which rely on industry
expertise as the foundation for developing reliability standards. Any
new authority should also be narrowly tailored to deal with real
emergencies; overly broad authority would undermine the collaborative
framework that is needed to further enhance security.
Promoting clearly defined roles and responsibilities, as well as
on-going consultation and sharing of information between Government and
the private sector, is the best approach to improving cybersecurity.
Each cybersecurity situation requires careful, collaborative assessment
and consultation regarding the potential consequences of complex
threats, as well as mitigation and preventive measures, with owners,
users, and operators of the bulk power system.
Exelon and other electric utilities remain fully committed to
working with the Government and industry partners to increase
cybersecurity.
I appreciate the opportunity to appear today and would be happy to
answer any questions.
Mr. Thompson. Thank you very much, and I thank all the
witnesses for their testimony. I will remind each Member that
he or she will have 5 minutes to question the panel. I will now
recognize myself for the first set of questions.
Each of you have talked about this attack in one capacity
or another. Starting with Dr. Graham and going to his left, can
the panel tell this committee in their professional opinion if
the electric industry has appropriate protections, today, to
protect against a cyber or an EMP attack?
Mr. Graham. Mr. Chairman, the electric industry today does
not have adequate protection in place, or as far as I can tell,
any protection in place for the power distribution and the
power generation systems of this country.
Given that the power grids are in a state of
transformation, I believe this is a particularly appropriate
time to build that protection in and it will help not only with
EMP but with such problems as grid collapse, as we saw on
August 13, 2003 and earlier times as well.
So it could be very effective. It is very timely and I
believe, very needed.
Mr. Thompson. Mr. Fabro.
I have to admit, also, I love the name of your company too.
Mr. Fabro. Thank you, sir. Thank you, sir. The question
that you are asking is one that is quite difficult, because you
are trying to encapsulate a very, very large problem with one
single question.
Is the bulk power system of the electric grid completely
immune and protected from cyber attack? No, but there are
significant pockets, significant pockets, and significant
pockets of progress that have shown that the overall
cybersecurity risk profile of the bulk power system in North
America, not just within the United States, within North
America, because it is a multi-national issue, has improved
substantially. Substantially. It is very easy to go and look at
the things that are notably bad; reports from the press or
other issues that we hear in various news outlets.
But overall, from someone who experiences on a day-to-day
basis, who lives and works in the trenches of this, I actually
see standards and work and cooperative engagements and what is
being done by public-private partnerships in action and they
work.
I cannot comment on EMP. I will just leave that, of course,
to Dr. Graham.
Mr. Thompson. Thank you. Mr. Assante.
Mr. Assante. I have been very encouraged by the progress in
industry to secure vital systems to protect the bulk power
system. It is a very complex problem in order to wrestle. I
will tell you this: I have been working for years and looking
at the underlying technology, the vulnerabilities that exist in
the unique operating environments in which the technology
exists.
We do believe that there are vulnerabilities in the system.
We know that we are not immune from these attacks. We are
committed to this call to action. My letter, made on April 7,
was a, I think, very important in that it brought out the
dialogue that was necessary to talk about how to prioritize
assets for protection.
There are some important issues to consider when you look
at how one can manipulate technology in such a way to cause an
impact. The misuse of technology is a very important thing to
consider. The ability to exploit technology horizontally is
important.
Industry, I believe, is up for that challenge. I don't
think there is an easy answer, and it won't happen very
quickly, or enhancing the standards. We are putting in place
all the mechanisms necessary to be able to communicate about
threats and warnings, so that we can take quicker action. We
are dedicated to public and private partnerships to learn more
information.
Very briefly on EMP, I again, believe that the
electromagnetic pulse, is a high-impact concern is something
that we are concerned in the electric power system. We are
partnering with the Department of Energy. We have consumed the
EMP Commissions report. We supported it, not only staff, but
also industry experts, in the deliberation. We intend to look
at these risks alongside of other risks to evaluate them and
prioritize them and to take a look at what mechanisms we have
to further mitigate the system for these types of threats.
Mr. Thompson. Mr. Naumann.
Mr. Naumann. Thank you.
My belief is that in general, the North American grid is
well-protected against cyber attacks; at least those threats
that we know about.
The biggest problem, we believe, we face is the lack of
information because of the security nature of that information
and it is hard to devise mitigation against something you don't
know.
That is something that is on-going. We are trying to work
with the Federal agencies. But that, to us, is the No. 1 thing
that we need to work on.
As far as EMP attack, as Mr. Assante has said, and as Dr.
Graham said, that this is a low-probability, high-impact event.
It is something that the industry will pay attention to, wants
to work with the Federal Government to devise mitigation and
responses. But what we need to know is what is the design
threat that needs to be dealt with? What are the mitigations
from that that we need to work out? What are the consequences
of that mitigation? What is the priority of this particular
threat compared to the other low-probability, high-impact
threats that have been mentioned?
Thank you.
Mr. Thompson. My time has expired. I recognize the
gentleman from California, Mr. Lungren.
Mr. Lungren. Thank you very much, Mr. Chairman. Again, I
would like to congratulate the panel, not only on their verbal
testimony, but their written testimony. It is very helpful. We
could spend hours here and we have got two really serious
subjects. One, the EMP and one cybersecurity, and I think it is
good that we have them here together, but also there is a
problem because we can't go in depth as to where we want to go
on this.
First of all, Mr. Naumann, you talked about the problem
with the industry not knowing the threat because of the
security nature of the information from the Federal Government.
Are we beginning to attack that problem? How would you suggest
that we try and resolve that problem?
Mr. Naumann. I believe we need to have a more formal
collaborative, where a certain set of industry people are given
sufficient clearance. This is something that NERC is working
on, where the Federal Government can give us high-level
security information. Those experts can then, working with the
Federal Government, devise the mitigation and then essentially
censor the information, but send out the mitigation to the
industry, so that we could implement that.
Mr. Lungren. Mr. Assante.
Mr. Assante. We have been working hard, I think, and it is
a critical impasse. I think it gets back to the Aurora
vulnerability. What is needed to devise the best mitigation
strategies is accurate information in order to support the
development of those strategies. We have been working very hard
with the Department of Energy, the Department of Homeland
Security, and even through the intelligence community, to be
able to share information.
To be able to validate information as we see it in the
printed and public press, of the Wall Street Journal, to be
able to understand the success and tactics that adversaries
have been able to use to compromise systems, whether they be
Government or private sector and being able to appropriately
adjust our defense postures. Importantly, going past
information sharing, we are working on the elements to share
the information.
So within our industry, we can get that information to
people who need to take action. We are also working on
developing the ability to respond to and to contain and to
minimize the consequences of a successful attack. We are not
going to put all our effort into simply prevention. That has
failed us as a Nation. Prevention is important, but it is not
the only part of it and we are dedicated to working with
entities to be able to put more focus on it.
Mr. Lungren. Let me ask you this, when we usually do a risk
analysis, we talk about threat vulnerability and consequence.
You obviously know the consequence, your companies would know
the consequence of a problem; a disastrous or consequential
interruption.
Are you saying what you need more from the Federal
Government is information with respect to the threat only? Or
also that the Federal Government has an ability to tell you
what the vulnerabilities are above and beyond what you know
your vulnerabilities to be?
Mr. Assante. They are, actually, it is on both accounts. As
far as it relates to threats, when the Federal Government can
observe and analyze successful attacks. It is important for us
to understand how those attacks looked and how we would respond
to those attacks. But importantly, as you address
vulnerabilities, control systems are very complex, the
implementation of that technology is complex and the ability of
any one asset owner utility to understand the inner workings of
that technology to all the underlying weaknesses that might be
there, it is very difficult for the asset owner to do that.
Mr. Lungren. So who would you look to for that? The Federal
Government? Both?
Mr. Assante. It is the Government. The Department of Energy
and the Department of Homeland Security have two very
successful programs that have been testing control system
technology. The discovery of vulnerability is very helpful for
us to be able to enhance the security of those systems.
Mr. Lungren. Does that need to be somewhat made more
robust? Or is there a problem with getting security ratings for
your people? I mean, where is the problem there?
Mr. Assante. Well, some of the problem has to do with the
partnership that is required in this global supply chain of
working with these vendors that supply the technology. A lot of
times, they are willing to look at the technology, but under
contract agreements, so that the information wouldn't be made
public. That information then goes to the vendor to address. It
is, in many cases, shared with the utilities. But that progress
has been limited by the scope of those programs. We do believe
they provide a lot of value.
We have been heavily participating----
Mr. Lungren. Well, if you need any additional legislative
umbrella for that, let us know.
Dr. Graham, can you tell me, are there any other countries
hardening their critical infrastructure to defend against EMP?
Mr. Graham. Yes. In fact, we have helped some of our allies
in that direction. We know that at least the Soviet Union, now
Russia, has also worked on that. We know that China is
extremely interested in EMP, has a large number of people
there, engineers, scientists, working on it. There is enough
traffic among these communities that deal with high-tech and
nuclear subjects, outside the United States, that are among our
adversaries that it is widely spread.
Mr. Lungren. Just one real short question. That is, are any
countries ahead of us in terms of our efforts to either
recognize our problem or react to it by hardening our critical
infrastructure?
Mr. Graham. They are all ahead of us in one way, which is
they are less dependent upon computer-controlled information,
dominant systems, than we are, and therefore less vulnerable.
In terms of number of people working on the subject, I
think China is far ahead of us. In terms of the implementation
in civilian systems, most of the European countries are ahead
of us.
Mr. Thompson. Thank you very much. The Chair now recognizes
the gentlelady from California for 5 minutes. Ms. Lofgren.
Ms. Lofgren. Thank you, Mr. Chairman, and thanks for this
hearing. I think the fact that we are here today speaks of our
bipartisan intention to pay attention to this. Our new
Chairwoman, Ms. Clarke, is joined, of course, by the Chairman
of the full committee. Mr. Lungren has had a full interest in
this for some time.
I notice Mr. Langevin, who chaired the subcommittee with
jurisdiction over cyber was earlier here. A long time ago, I
was the Ranking Member on the Cyber Security Subcommittee, when
it was chaired by Mr. Thornberry. So it is many years of
frustration over this situation that has brought us here today
and I am happy to be an original co-sponsor of this bill.
I think back to the last Congress, at a hearing that we
had, and we all knew, because we had been briefed in a
classified setting, about some things that needed to be done to
make the Nation secure and it was not happening. When we turned
to FERC, they were unable to make it happen. We asked them if
they wanted the authority to require the steps to keep the
Nation secure? They basically saw--so they couldn't do it, and
they didn't want to do it, which I thought was a pretty weird
answer, in all honesty.
Because the comments made today about the need for
collaboration, we agree with. The comments made about the role
of the ISECs, we agree with. The need, and if there are
suggestions, and that is my question, to add some additional
steps so that the private sector has consultation, that will
just enhance the matter.
But when all is said and done, the infrastructure that is
owned, primarily, by the private sector is relied on by the
entire country. If a SCADA system has a vulnerability that we
know about, and steps are not taken to secure it, and the whole
grid goes down, the Government has the right to be interested
in that matter and right to, really, to require that steps be
taken to protect the Nation.
So I am interested in specific comments that any of the
witnesses may have about how you believe that collaboration
might be enhanced in this bill. I don't think it precludes
anything actually. I don't think there is a need to enhance it
because it doesn't preclude the things that you have discussed.
But if you have specific suggestions on how to involve the
private sector, I would be interested in hearing them.
Before I turn to you, I didn't want to neglect Mr.
Bartlett, who of course has been known for some time on the
log, focusing on cyber, that is the issue he has focused in on
for some time; that also needs attention.
So anybody who has a suggestion on private sector
collaboration, I am all ears.
Mr. Graham.
Mr. Graham. I believe in the line of collaboration, one of
the first things that needs to be done is the Department of
Homeland Security needs to be informed and take an interest in
the subject of EMP and I presume cyber attack.
To give you an example, trying to--we have been, as a
commission, unsuccessful in engaging Department of Homeland
Security in this area. Today, I went to the Homeland Security
website, I put in EMP, it took me to FEMA and there it told me
that EMP was a form of radioactive fallout and it said ``only
those who rely on electronically-driven life support systems
are at risk.''
Ms. Lofgren. Could I--very good. So you at DHS, pay more
attention, our new Secretary, I think, will be paying
attention. Mr. Fabro.
Mr. Fabro. I think that the questions, the statement that
you have made is exceptionally accurate. That we have all the
pieces in place, from what I see, from what my experience
indicates, is that the element of robustness, as it relates to
what is coming upwards from independent research, what is
actually being discovered and found within the operational
environment of the private sector itself isn't coming upwards.
There is no sharing mechanism for that information to come
upwards to either, validate, substantiate, disprove, or have
some other impact on what is being done by the Federal research
community. Make no mistake, the work that is being done with
DHS and DOE, absolutely valuable, absolutely valuable. The
capabilities for FERC----
Ms. Lofgren. So, the research world needs to be brought in.
Mr. Fabro. It needs to be brought in. Has been spoken about
earlier, the complexities involved with the fact that there is
so much vendor-specific issues related to securing this, the
vendors are often exceptionally reticent to accept the
independent research, because it may impact a variety of
different things from----
Ms. Lofgren. Right.
Mr. Fabro [continuing]. From a business perspective.
Ms. Lofgren. I don't know if I have time, Mr. Chairman, to
get a few quick comments from the other two witnesses, under a
minute total?
Mr. Thompson. You have a minute.
Mr. Fabro. I do believe our interests are well aligned
here, in terms of what to protect. One of the obligations that
we have is that we enhance our security incident reporting.
As incidents occur within the private sector, it is very
important they quickly be shared. The incidents be absolutely
analyzed. And information, lessons learned, be shared back, so
others could protect themselves.
It is something we feel very strongly about. I think we
demonstrated that recently.
We also believe in terms of research, that better cyber
awareness tools, of what actually is occurring across the
internet and large networks, is very important. This is an area
that the Government can contribute greatly.
Ms. Lofgren. Couldn't ES-ISAC be used to that effect?
Mr. Fabro. We absolutely believe the ES-ISACs can affect,
and they probably need some analytical support in the ability
to----
Ms. Lofgren. Mr. Naumann, you have 15 seconds.
Mr. Naumann. That much. Thank you. Very briefly, just to
add on. We think the most important thing is clear and concise
communication. So that if there is a threat out there, that
threat gets down to the users, owners and operators, who
understand our system and equipment, so that we can take
appropriate mitigation.
If we don't know about the threat, it is very hard to
mitigate against it.
Ms. Lofgren. So, this bill will certainly let you know
about that threat.
Mr. Naumann. Yes, but if there is an emergency, to the
extent there is time, it is very important that rather than
issuing a directive, there be as much consultation as is
possible under the circumstances, else our concern about
unintended consequences of those directives.
Ms. Lofgren. Thank you, Mr. Chairman, I appreciate the
extra minute.
Mr. Thompson. Thank you very much. The Chair recognizes the
gentleman from Maryland, Mr. Bartlett, for 5 minutes.
Mr. Bartlett. Thank you very much. I want to thank you
again for inviting me to be here.
EMP attack may be a low probability, it is certainly a
high-impact event. But when you have such a potential like your
house burning, you buy an insurance policy. You do something
that will make you whole in the event that that happens.
I would submit that in our country, we have done
essentially, nothing, that would make us whole, if this were to
happen.
Dr. Graham, it is my understanding that electromagnetic
pulse is an unavoidable accompaniment of any and every nuclear
detonation. That if it occurs at ground level, that the area of
the fireball and the EMP area, are not all that much different,
that we have had little attention to EMP when it is a ground
level attack.
But if it is at altitude, and if it is extra atmospheric,
it is line of sight. A detonation 300 miles high above
Nebraska, Iowa, would cover our whole country? Is that
essentially correct?
Mr. Graham. Yes, with a footnote that even for a surface,
or near-surface nuclear burst, if there are things like power
lines or conductors going into the fireball, that fireball acts
like a tremendous battery. And will drive electrical signals
miles and miles beyond its perimeter, but along the line.
Mr. Bartlett. It is my understanding that in your work on
the commission that you interrogated two Russian generals, who
told you that the Soviets had developed, and they have enhanced
EMP weapons that would produce 200 kilovolts per meter. That is
correct?
Mr. Graham. Yes, that is correct.
Mr. Bartlett. That would be 100 kilovolts per meter at the
margins of our country?
Mr. Graham. It depends--it is somewhat north, south
dependent affect, but in some directions, yes.
Mr. Bartlett. It is my understanding that the most we have
ever built and tested to is sometimes 30 and sometimes 50
kilovolts per meter. Is that correct?
Mr. Graham. Yes, that is correct. The upper figure was used
earlier, and now the lower.
Mr. Bartlett. If in fact we could be exposed to 100 or 200
kilovolts per meter, protecting to 50 kilovolts per meter is
little better than doing nothing, is--or 30, it is now 30. Is
that correct?
Mr. Graham. Well, it is unknown as to how good the
protection would be above that, because, it would be an
untested regime. In general, the test, the protection could
fail at the higher levels.
Mr. Bartlett. What proportion, what part of our electronic
world would you expect to be affected by 200 kilovolts per
meter?
Mr. Graham. Essentially, every thing that wasn't in a
conductive package, everything from PCs on up through power
grids.
Mr. Bartlett. It would have to be in a Faraday cage and
grounded if it were to survive. Is that correct?
Mr. Graham. Yes, individual components that are wrapped up
in protective packages might survive it. But anything that is
functional, or connected to other systems, would not.
Mr. Bartlett. In a former life, I was a scientist. I am
always amazed at scientists and their ability to understate. I
am now kind of a recovering scientist.
But Dr. Graham is a scientist, and he says that ``EMP is
one of a small number of threats that can hold our society at
risk of catastrophic consequences.''
In other words, ``that could end life as we know it.'' Is
that correct?
Mr. Graham. Certainly as we know it in the United States. I
don't think North Korea would find it a shock if they had an
EMP event, because, they have so little infrastructure to begin
with.
But, our country has many times the population it had say
in 1900. Yet, our facilities could be driven back to the pre-
1900 level by an EMP attack. The country could just not support
that population.
Mr. Bartlett. This has been described as a high-level EMP,
robust EMP lay down, as a giant time machine that would move us
back a century in technology. That is roughly correct?
Mr. Graham. Yes, maybe a little more than a century affect.
Mr. Bartlett. So, this is such a horrendous consequence.
Why are we not paying more attention to it?
One of the great experts in this area, Lowell Wood, says
``it is just too hard. They don't want to deal with it.'' Is
that the problem?
Mr. Graham. That is probably a better question for a social
scientist to answer. But, I have heard it characterized as a
low-probability, high-impact affect. The commission would not
assign a probability to it.
However, we do know that all of our adversaries across
their whole reach have all the capability necessary to execute
this kind of attack. They know our vulnerability to it.
So, it seems to me that we cannot assign it a low
probability of occurring. It won't happen every day. But, it
would take us by surprise if it happened today.
Mr. Bartlett. Thank you very much, Mr. Chairman.
Mr. Thompson. Thank you very much. For a recovering
scientist, you do all right.
Ms. Jackson Lee for 5 minutes.
Ms. Jackson Lee. I want to thank the Chairwoman and the
Ranking Member for holding this committee. Thank you, Chairman.
Dr. Graham, I assume, and I am making the statement that
you feel comfortable with your statement, and as chairperson of
the commission to assess the threat to the United States from
EMP. The research of that commission gives you comfort to make
the statements you are making today. Is that correct?
Mr. Graham. Yes, that is correct. Three other members of
the commission are here as well.
Ms. Jackson Lee. Let me thank them for their work. Let me
just read the opening of your comments: ``EMP is one of a small
number of threats that we can hold our society at risk from
catastrophic consequences.''
Then you make mention of the fact that several potential
adversaries have, or can acquire, the capability to attack the
United States with a high-altitude, nuclear weapon-generated
electromagnetic pulse, EMP. A determined adversary can achieve
an EMP attack capability without a high level of
sophistication.
Would you make these comments right at the front of your
statement without substance and being able to substantiate it?
Mr. Graham. Well, I would make those statements. We have
substantiated them.
Ms. Jackson Lee. Yes, and you would not make them without
them being substantiated. Is that correct?
Mr. Graham. Absolutely not.
Ms. Jackson Lee. Why did you make those statements, Dr.
Graham?
Mr. Graham. We have issued several classified reports as
well, that go into these in much more detail, which are
available to the Congress. We have explored the subject with
the intelligence community, and with the Department of Energy,
and its nuclear weapon design laboratories, at great length. We
base our conclusions on that.
Ms. Jackson Lee. Let me ask the three gentlemen, I think to
your right, if I am correct. A simple hurricane that most
people don't know anything about called, ``Hurricane Ike,''
which obviously is a natural disaster, had a catastrophic
impact, or an exponential impact. Because in fact, after the
storm was over, the community that it impacted, was without
electricity for some 6 weeks-plus.
It is probably the most costliest hurricane in that Gulf
region, short of Hurricane Katrina, and possibly Rita. But more
importantly, the suffering was enormous.
Can you explain to me the basis of the self-regulation of
your industry, Mr. Naumann? Why you wouldn't want more intense
regulation? Because a potential attack, or impact of EMP, as
Dr. Graham has said, ``would be enormously catastrophic.'' In
fact, whole communities could be wiped out.
Mr. Naumann.
Mr. Naumann. Thank you, I don't believe it is an issue of
regulation. I believe it is an issue of getting together,
setting the priorities, determining what the threat is and
then----
Ms. Jackson Lee. You don't think that you could do it
better with a Government partnership? Having more stringent
regulations as it relates to EMP?
Mr. Naumann. I don't believe the regulation itself would
make the difference. The partnership would.
Ms. Jackson Lee. So, you agree with Dr. Graham that we have
the potential of a catastrophic impact with the EMP?
Mr. Naumann. I don't have access to the classified
information Dr. Graham does.
Ms. Jackson Lee. But I just asked Dr. Graham, whether he
could substantiate it. So, based on his being able to
substantiate, would you agree that it could have a catastrophic
impact?
Mr. Naumann. I absolutely agree.
Ms. Jackson Lee. I thank you.
Mr. Assante.
I think you are NERC, N-E-R-C, and I think that is the
group that self-regulates and allows electric companies to go
out during a hurricane, and have no criteria for getting back
on.
What is your description of self-regulation? Do you feel
there needs to be more regulation and partnership between the
Government and its industry to protect it against EMP, as Dr.
Graham has mentioned?
Mr. Assante. Certainly, EMP as a threat is disturbing in
that, different from Ike, it destroys components of the power
system that will be difficult to restore from----
Ms. Jackson Lee. Ike, is only an example, I mean it holds
electricity.
Mr. Assante. I absolutely understand. I do believe that,
and we had the meeting with the commission, and we have met
with experts that has provided testimony----
Ms. Jackson Lee. So would you support more Government
regulation and partnership?
Mr. Assante. I would suggest partnership is really
important to understand the problem----
Ms. Jackson Lee. Regulation you would look at?
Mr. Assante. I do believe Section 215, is an appropriate
vehicle to----
Ms. Jackson Lee. Is or is not?
Mr. Assante. I think it could be and it is an appropriate--
--
Ms. Jackson Lee. Let me go to--thank you very much.
The few minutes that I have, Mr. Fabro.
You heard my comments and Dr. Graham's comments. We have a
real problem.
Do you believe that we need to have a greater enhancement
of Government partnership? I call it regulation to ensure
against this disaster?
Mr. Fabro. Absolutely, if the findings from Dr. Graham and
his commission are accurate, as a scientist myself, I firmly
agree that these issues are very important.
I think that the partnership, with involvement from the
Federal Government is critical, to fully understand the issues.
I think that the findings from that must be incorporated into
future State standards.
From a regulation perspective, I don't know if it has to be
a regulatory function, but I certainly do agree involvement
from the Federal Government is required for a full picture.
Ms. Jackson Lee. I thank you. I think without regulation,
we don't get enforcement and implementation.
I thank you, and I yield back to the Chairman.
Mr. Thompson. Thank you very much.
Now, your 5 minutes, the gentleman from New Jersey.
Mr. Pascrell. Thank you, Mr. Chairman.
Mr. Chairman, this legislation did not come out of the
blue. It didn't materialize itself.
I want to associate myself with the comments of Mr.
Bartlett. We should all be very seriously concerned. I guess
that is why we are here.
But I remember last May, when NERC's CEO, Rick Sergel, sat
in that seat over there. He admitted to this committee that we,
the committee, had been lied to by the electric industry. Maybe
you will remember that.
For those Members who were not here last year, NERC told us
in October 2007, that three-quarters of the industry had
mitigated a vulnerability known as Aurora. NERC claimed that
they sent the survey out to industry, and they had received,
obviously, responses back.
We finally got the truth out, and found out that the survey
hadn't been sent. NERC had no hard numbers. NERC just made them
up to get us off their back. We found that out last year.
So we learned then to be suspicious. After the hearing, and
to his credit, Mr. Sergel, brought in Mr. Assante to restore
the credibility of NERC. The committee--and I believe he has
chosen a very, fine person for this position.
I would like to ask Mr. Naumann a question.
You are here representing the Edison Electric Institute and
the Electric Power Supply Association, Mr. Naumann, is that
correct?
Mr. Naumann. Yes, Congressman.
Mr. Pascrell. A question about September 11, your 2008
meeting of the NERC Critical Infrastructure Protection
Committee. At the committee meeting, the NERC Infrastructure
Protection Committee received a briefing on the report of the
commission to assess the threat to the United States from the
EMP. This is the report. Have you seen that report, Mr.
Naumann?
Mr. Naumann. I have skimmed--scanned the report on-line,
yes.
Mr. Pascrell. Then you know, basically, what is in here
then, right?
Mr. Naumann. I do.
Mr. Pascrell. This report was written by the congressional
commission that Dr. Graham chairs. The commission has been
reviewing our electric grid security against an intentional, or
unintentional, event for years. The commission found, Mr.
Chairman, and Mr. Ranking Member, ``a single EMP attack may
seriously degrade or shut down a large part of the electric
power grid in the geographic area of the EMP exposure,
effectively instantaneously.''
The commission came up with a number of steps that the
private sector can take to help significantly reduce the threat
of EMP. They were good recommendations. I do not believe they
were prohibitively costly.
Now, here are the minutes of the meeting. Have you seen
this, Mr. Naumann?
Mr. Naumann. No, sir.
Mr. Pascrell. You never saw the minutes of the meeting?
Mr. Naumann. I am not a member of that committee.
Mr. Pascrell. I know you are not. But I asked you if you
saw the meeting--the minutes. Did you see the minutes, Dr.
Graham?
Mr. Graham. No.
Mr. Pascrell. Okay.
I currently have in my hands, the minutes from the meeting.
I ask for unanimous consent to introduce these minutes into the
record, Mr. Chairman.
Mr. Thompson. Without objection.*
---------------------------------------------------------------------------
* The information referred to has been retained in committee files.
---------------------------------------------------------------------------
Mr. Pascrell. You would think that an issue as serious as
an electromagnetic pulse, which has catastrophic consequences,
is not terribly expensive to fix, would have spurred the
electric industry into action. You would think that an at-risk
industry would want to fix its vulnerabilities. You would think
that after not fixing the Aurora vulnerability for years, the
industry would want to show some proactive security efforts,
send a message that at least they are moving in the right
direction.
But this is not what happened, Mr. Chairman, on September
11 of last year. According to the minutes, ``there are no
actions expected by the Critical Infrastructure Protection
Committee or NERC to this rep.''
No actions. Nothing. The industry, which is, as Chairwoman
Clarke stated, ``responsible for operating security grid plans
are doing nothing to secure its infrastructure or to mitigate
this threat.''
Now, Mr. Naumann, why aren't your colleagues doing more to
secure your infrastructure against an intentional or
unintentional EMP event or cyber attack? Mr. Naumann.
Mr. Naumann. Congressman, as I said, we want to work with
NERC and the industry in identifying what needs to be done,
what the design threat is. I just heard from Congressman
Bartlett, for example, whether the threat is 200 volts per
meter or 50 volts per meter----
Mr. Pascrell. Mr. Naumann, Mr. Naumann, excuse me. Why
aren't you doing anything right now to secure the
infrastructure?
Mr. Naumann. In order to----
Mr. Pascrell. You are telling me something, everybody knows
in this room. We listen.
Mr. Naumann. I----
Mr. Pascrell. Well, then please answer my question?
Mr. Naumann. In order to secure the infrastructure, we
first have to determine what threat to protect against and then
design mitigation. As I understand it, through NERC, Mr.
Assante is taking this up as one of the action items. But it
has to be done in a thoughtful manner.
Mr. Pascrell. So the industry--these are the minutes. I
mean, I didn't make it up.
Mr. Naumann. I was testifying----
Mr. Pascrell. I yield back.
Mr. Thompson. Thank you very much. I appreciate your--we
have Ms. Richardson and Mr. Lujan and we have four votes to
take after that. Ms. Richardson.
Ms. Richardson. Mr. Chairman, I will be very brief so I can
give my colleague an opportunity to speak before our break.
Is Mr. Sean McGurk present, from the Department? Okay. I
would like to recommend during the break, Dr. Graham, since you
have said ``you have had an unsuccessful engagement of speaking
with the Department,'' he is right here, I think, in the third
row. For the record, Mr. Chairman, I would like to recommend
that maybe we submit the testimony to the new Secretary and
urge her and her appropriate Department to review the
information and give them an opportunity to come forward.
Mr. Thompson. I would be happy to do it.
Ms. Richardson. My last point, and I do want to be brief,
as I said, for my colleague. Having reviewed the bill that we
have on the table, I would just like to work with the Chairman,
possibly in a Manager's Amendment, as I listen to the testimony
today, one of the things that I think we could add is in Mr.
Fabro's testimony, in the very back, he gives three points that
we could focus on. One is ``research,'' which has been much
discussed, much discussed today.
Second, ``redefining standards,'' which there is the
ability to do some of that in the bill. But what we don't talk
about is he talked about ``procurement guidance.'' Specifically
from his testimony, he says ``in the case moderate
reengineering of existing procurement guidelines can have
tremendous downstream influence, in both power systems,
cybersecurity and it can be done immediately.''
So I will work with my staff and in conjunction with some
of the folks that have been here today to see if there is any
way that we can help to strengthen it even further.
With that, I yield back the balance of my time.
Mr. Thompson. Thank you very much.
The gentleman from New Mexico for 5 minutes.
Mr. Lujan. Thank you very much, Mr. Chairman and thanks to
my colleague, Ms. Richardson, for being so kind with her time.
Mr. Assante, did I hear you correctly that when there was a
reference to cybersecurity that prevents--did you say something
along the lines ``prevention is not necessarily the answer?''
Mr. Assante. I don't think we should put our full faith in
preventing attacks. It is very important that we also address
investments in being able to categorize, observe them, and
respond to them, and minimize their consequences in the system.
So we would like to take a comprehensive approach to cyber
attacks, not just installing more cybersecurity solutions that
have failed in the past. Some of the advanced threats are
capable of getting around those solutions. We want to make sure
that we have got the full capabilities to be able to handle
this important challenge.
Mr. Lujan. Do any of the bulk power systems have a
responsibility to report to NERC, or the body, if there is a
cyber attack?
Mr. Assante. They do. Under the CIP standards today, they
have to report security incidents affecting critical cyber
assets to NERC. NERC will take that information, analyze it and
pass it on for warnings for other organizations.
Mr. Lujan. To date, have there been any reports to NERC?
Mr. Assante. Yes. We have received reports of security
incidents to the bulk power system.
Mr. Lujan. So is the grid safe today?
Mr. Assante. I would tell you that it is--I believe that
the grid is not immune from attack. We have seen the attacks
occur. What we can do is try to respond to those attacks,
enhance our security and ability to respond to them. It is
definitely a concern. It is why we are asking for, immense
authorities from the Federal Government to very specific and
imminent cyber threats.
Mr. Lujan. So, Mr. Naumann, with that being said, I stand
corrected, but I thought I heard you say earlier that you feel
that the grid is safe today?
Mr. Naumann. I believe I said ``it is relatively secure
from the threats that we know of.''
But it----
Mr. Lujan. Okay.
Mr. Naumann [continuing]. May not be secure from the
threats we don't know of, which is why we support the emergency
legislation.
Mr. Lujan. Mr. Assante, with that being said, I think that
we heard from Ms. Richardson and others the importance of
making sure that we are able to provide the information
necessary so that you can prepare for any cyber attacks that do
exist. But there was a Wall Street Journal article in April of
this year that highlighted threats that we do know, that
occurred, that I don't know if they have been addressed or not,
but in your testimony you state ``that there has been progress
made through NERC with the bulk power systems.''
Mr. Assante. Yes.
Mr. Lujan. Can you just highlight those quickly?
Mr. Assante. Sure. I absolutely can. Most importantly, our
ability to communicate effectively with the 1,800-plus entities
that comprise the bulk power system is an important capability
that we work very hard to achieve.
The second piece is that we have been working in great
partnership with the Department of Homeland Security and the
Department of Energy to be able to analyze advanced threats. So
when we become aware of them, and I will give you a quick
example, we have seen suspicious activity against power system
networks. They have reported that to me at the ES-ISAC. I
shared that information with our Government partners and then
provided excellent analysis of what it looked like, what it
was, and we went back and we were able to notify and warn other
entities of the suspicious activity.
So those are the types of progress that I think is very
important. I think it--we are working full force in the
collaborative side. But if a cyber threat was imminent and
specific, we believe the necessity to have emergency
authorities to deal with that and deal with it in a mandatory
way are appropriate.
Mr. Lujan. Yes. With that being said, Mr. Naumann, there
was a reference made earlier that there is not a set of
standards in place for utilities across the country today, that
everyone has their own platforms that they operate on and it
would be difficult to institute a fix that would reach
everyone. With that being said, is there a need to go to
standard platforms, as utilities are making investments into
the future? Understanding that this is a threat that does exist
today?
Mr. Naumann. I think there is a need to go to standard
protocols. For example, on the Smart Grid, dealing with Smart
Grid, FERC has just issued a final rule that said ``any Smart
Grid devices that are attached to the system should follow
protocols that are being developed under the auspices of
this.'' So it is the protocols as to how they communicate and
how they interact with the system, that it is very important;
that they be common; and that they be secure.
Mr. Lujan. The last question I have, Mr. Chairman, is that
as we go forward and we understand the direction where Smart
Grid will take us and how broadband applications are going to
be critical to achieving the efficiencies that we need with
distribution and transmission.
Understanding that NERC's sole responsibility is with bulk
power systems and does not include distributed generation or
settlement, industrial utilities or applications, even within
some of our rural cooperatives: Who is overseeing that aspect
and is there anybody--are there any, I guess, large umbrella
support systems other than State regulatory bodies that are
working directly with them? Are those actually reported?
Mr. Lujan. Mr. Chairman, we can get back to that one later,
if need be.
Mr. Thompson. The gentleman can answer.
Mr. Naumann. To answer very quickly, it is important that
under U.S. legislation, that as it relates to Smart Grid in
particular, that NIST, and the Department of Energy, in working
with FERC, and NERC is then engaged in this activity, do
address system standards, so that they can build security into
this technology before it gets deployed in great numbers. But
most of the jurisdiction and regulation of the system has been
done at the local level and the State level. However, in a lot
of cases, that can be very appropriate, based on local issues.
But NERC is concerned about the bulk power system and in
the future, as devices in aggregate might cause a material
issue to reliability, we would actively engage in those
efforts.
Mr. Lujan. Mr. Chairman, just want to suggest quickly
there, we may want to work with NARUC, the National Association
of Regulatory Utility Commissions, to truly get an inventory of
how many utilities, investor-run utilities across the country,
have been working with their State partners. Having come to
Congress as a former regulator, from the utility commission, in
New Mexico, I can tell you that there is a concern that I have
there and to make sure that we are working with our colleagues
across the country that this information is truly being
compiled.
Mr. Thompson. Mr. Lujan, as you can see, once this
legislation is brought up for mark-up, you will see some
additions to it.
Let me thank our first panel of witnesses for excellent
testimony and answers to the questions. We have four votes,
plus 111th Congress photograph that will probably take about 35
or 40 minutes. But we release the first panel. Thank you for
your testimony. The committee will recess and reconvene at the
end of the votes.
[Recess.]
Ms. Clarke. [Presiding.] I welcome the second panel of
witnesses. We are joined by Joe McClelland, the director of
reliability at the Federal Energy Regulatory Commission, also
known as FERC. Our second witness is Patricia Hoffman, acting
assistant secretary at the Office of Electricity Delivery and
Energy Reliability, Department of Energy.
Our third witness is Sean McGurk, director of the Control
Systems Security Program at the Department of Homeland
Security. Welcome. Finally, Cita Furlani, is the director of
the Information Technology Laboratory, National Institute of
Standards and Technology at NIST.
I want to welcome you all here. Without objection, the
witnesses' full statements will be entered into the record.
Hearing no objection, so ordered.
I now ask each of the witnesses to introduce yourself and
summarize your statement for 5 minutes, beginning with Mr.
McClelland.
STATEMENT OF JOSEPH H. MCCLELLAND, DIRECTOR OF RELIABILITY,
FEDERAL ENERGY REGULATORY COMMISSION
Mr. McClelland. Chairwoman Clarke, thank you. Member
Lungren, and distinguished guests. Thank you for the privilege
to appear before you today to discuss the security of the
electric grid.
My name is Joe McClelland, and I am the director of Office
of Electric Reliability at the Federal Energy Regulatory
Commission. I am here today as a commission staff witness and
my remarks do not necessarily represent the views of the
commission or any individual commissioner.
In the Energy Policy Act of 2005, Congress entrusted the
commission with a major new responsibility, to oversee
mandatory enforceable reliability standards for the Nation's
full power system. This authority is in new Section 215 of the
Federal Power Act.
Under the new authority, FERC cannot author or modify
reliability standards. It must select an electric reliability
organization, or ERO, to perform this task. The ERO develops
and proposes reliability standards or modifications for the
commission's review, which it can either then remand or approve
them.
If the commission approves the proposed reliability
standards, it applies to the users, owners, and operators of
the bulk power system, and becomes mandatory in the United
States. If the commission remands a proposed standard, it is
sent back to the ERO for further consideration.
The commission selected the North American Electric
Reliability Corporation or NERC as its ERO. It is important to
note that NERC's jurisdiction and reliability authority is
limited to the, ``bulk power system,'' as defined in the
Federal Power Act, which excludes Alaska and Hawaii,
transmission facilities in certain large cities, such as New
York, and distribution systems.
In addition to the reliability authority, FERC is also
charged with the oversight of cybersecurity of the bulk power
system. As is the case with non-security issues, FERC's
authority in Section 215 over cybersecurity is to exercise the
reliability standards developed by the ERO and approved by
FERC.
Pursuant to this duty, FERC approved eight cybersecurity
standards known as the Critical Infrastructure Protection, or
CIP standards, proposed by NERC, while concurrently directing
modifications to them in January 2008. Although the existing
CIP standards are approved, full implementation of these
standards by all entities will not be mandatory until 2010.
The first of several batches of modification responding to
the commission's directives was received from the ERO in May
2009, and they are now under review.
On a related note, as Smart Grid technology is added to the
bulk power system greater cybersecurity protections will be
required. Given that this technology provides more access
points to attackers, and increases the grid's cyber
vulnerability. The CIP standards will apply to some, but not
all Smart Grid applications.
Physical attacks against the power grid can cause equal or
even greater destruction than cyber attacks. One example of a
physical threat is an electromagnetic pulse or EMP event. In
2001, Congress established a commission to assess the threat
from EMP. In 2004, and again in 2008, the EMP Commission issues
its reports.
Among the findings in the reports were that a single EMP
attack could seriously degrade or shut down a large part of the
electric power grid. Depending upon the attack, significant
parts of the electric infrastructure could be, ``out of service
for periods measured in months to a year or more.''
In addition to man-made attacks, EMP events are also
naturally generated, caused by solar flares and storms
disrupting the earth's magnetic field. Such events can be
powerful and can also cause significant and prolonged
disruptions to the power grid.
The standards development system utilized under FTA215,
involved mandatory reliability standards using an open and
inclusive process based on consensus. Although it can be an
effective mechanism when dealing with the routine requirements
of the power grid, it is inadequate when addressing threats to
the power grid that endanger national security.
Despite its active role in approving reliability standards,
FERC's current legal authority is insufficient to assure
direct, timely, and mandatory action to protect the grid,
particularly where certain information should not be publicly
disclosed.
Any new legislation should address several key concerns.
First, FERC should be permitted to take direct action before a
cyber- or physical national security incident has occurred.
Second, FERC should be allowed to maintain appropriate
confidentiality of security-sensitive information.
Third, the limitations of the term ``bulk power system''
should be considered, as FERC cannot act to protect against
attacks involving Alaska and Hawaii as well as some
transmission, and all local distribution, facilities in
population areas.
Finally, entities should be permitted to recover costs they
incur to mitigate vulnerabilities and threats. Thank you for
your attention today and I am available to address any
questions that you may have.
[The statement of Mr. McClelland follows:]
Prepared Statement of Joseph H. McClelland
July 21, 2009
Mr. Chairman and Members of the subcommittee: Thank you for this
opportunity to appear before you to discuss the security of the
electric grid. My name is Joseph McClelland. I am the director of the
Office of Electric Reliability (OER) of the Federal Energy Regulatory
Commission (FERC or commission). The commission's role with respect to
reliability is to help protect and improve the reliability of the
Nation's bulk power system through effective regulatory oversight as
established in the Energy Policy Act of 2005. I am here today as a
commission staff witness and my remarks do not necessarily represent
the views of the commission or any individual commissioner.
My testimony summarizes the commission's oversight of the
reliability of the electric grid under section 215 of the Federal Power
Act, and some of the limitations in Federal authority to protect the
grid against physical and cybersecurity threats. The commission
currently does not have sufficient authority to require effective
protection of the grid against cyber or physical attacks. If adequate
protection is to be provided, legislation is needed and my testimony
discusses the key elements that should be included in any new
legislation in this area.
background
In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted
the commission with a major new responsibility to oversee mandatory,
enforceable reliability standards for the Nation's bulk power system
(excluding Alaska and Hawaii). This authority is in section 215 of the
Federal Power Act. Section 215 requires the commission to select an
Electric Reliability Organization (ERO) that is responsible for
proposing, for commission review and approval, reliability standards or
modifications to existing reliability standards to help protect and
improve the reliability of the Nation's bulk power system. The
commission has certified the North American Electric Reliability
Corporation (NERC) as the ERO. The reliability standards apply to the
users, owners, and operators of the bulk power system and become
mandatory in the United States only after commission approval. The ERO
also is authorized to impose, after notice and opportunity for a
hearing, penalties for violations of the reliability standards, subject
to commission review and approval. The ERO may delegate certain
responsibilities to ``Regional Entities,'' subject to commission
approval.
The commission may approve proposed reliability standards or
modifications to previously approved standards if it finds them ``just,
reasonable, not unduly discriminatory or preferential, and in the
public interest.'' The commission itself does not have authority to
modify proposed standards. Rather, if the commission disapproves a
proposed standard or modification, section 215 requires the commission
to remand it to the ERO for further consideration. The commission, upon
its own motion or upon complaint, may direct the ERO to submit a
proposed standard or modification on a specific matter but it does not
have the authority to modify or author a standard and must depend upon
the ERO to do so.
Limitations of Section 215 and the Term ``Bulk Power System''
Currently, the commission's jurisdiction and reliability authority
is limited to the ``bulk power system,'' as defined in the FPA, and
therefore excludes Alaska and Hawaii, including any Federal
installations located therein. The current interpretation of ``bulk
power system'' also excludes some transmission and all local
distribution facilities, including virtually all of the grid facilities
in certain large cities such as New York, thus precluding commission
action to mitigate cyber- or other national security threats to
reliability that involve such facilities and major population areas.
Critical Infrastructure Protection Reliability Standards
An important part of the commission's current responsibility to
oversee the development of reliability standards for the bulk power
system involves cybersecurity. In August 2006, NERC submitted eight
proposed cybersecurity standards, known as the Critical Infrastructure
Protection (CIP) standards, to the commission for approval under
section 215. Critical infrastructure, as defined by NERC for purposes
of the CIP standards, includes facilities, systems, and equipment
which, if destroyed, degraded, or otherwise rendered unavailable, would
affect the reliability or operability of the ``Bulk Electric System.''
NERC proposed an implementation plan under which certain requirements
would be ``auditably compliant'' beginning by mid-2009, and full
compliance would be mandatory in 2010. Pursuant to NERC's
implementation plan for the CIP standards, the term ``auditably
compliant'' means ``the entity meets the full intent of the requirement
and can demonstrate compliance to an auditor, including 12-calendar-
months of auditable `data,' `documents,' `documentation,' `logs,' and
`records.' '' At the end of July 2009, responsible entities will
provide responses to NERC's self-certification survey. Those responses
will include information on their progress towards compliance with the
CIP standards.
On January 18, 2008, the commission issued a Final Rule approving
the CIP reliability standards while concurrently directing NERC to
develop significant modifications addressing specific concerns. The
commission set a deadline of July 1, 2009 for NERC to resolve certain
issues in the CIP reliability standards, including deletion of the
``reasonable business judgment'' and ``acceptance of risk'' language in
each of the standards. NERC concluded that this deadline would create a
very compressed schedule for its stakeholder process. Therefore, it
divided all of the changes directed by the commission into phases,
based on their complexity. NERC opted to resolve the simplest changes
in the first phase, while putting off more complex changes for later
versions.
NERC filed the first phase of the modifications to the CIP
Reliability Standards (Version 2) on May 22, 2009 and the filing is
currently under review by commission staff. The filing includes removal
from the standards of the terms ``reasonable business judgment'' and
``acceptance of risk,'' which the commission found problematic, the
addition of a requirement for a ``single senior manager'' responsible
for CIP compliance, and certain other administrative and clarifying
changes. The remaining phases of the CIP reliability standard revisions
to respond to the commission's directives are still under development
by NERC. Currently, there are no set time frames for the remaining
phases.
Identification of Critical Assets
As currently written, the CIP reliability standards allow utilities
significant discretion to determine which of their facilities are
``critical assets and the associated critical cyber assets,'' and
therefore are subject to the protection requirements of the standards.
In the Final Rule, the commission directed NERC to revise the standards
to require independent oversight of a utility's decisions by industry
entities with a ``wide-area view,'' such as reliability coordinators or
the Regional Entities, subject to the review of the commission. This
revision to the standards, like all revisions, is subject to approval
by the affected stakeholders in the standards development process and
has not yet been developed or presented to the commission. We expect
this revision to be part of the remaining phases of CIP reliability
standard revisions, as discussed above.
When the commission approved the CIP reliability standards in
January 2008, it also required entities under those standards to self-
certify their compliance progress every 6 months. In December 2008,
NERC conducted a self-certification study, asking each entity to report
limited information on its critical assets and the associated critical
cyber assets identified in compliance with reliability standard CIP-
002-1. As the commission stated in the Final Rule, the identification
of critical assets is the cornerstone of the CIP standards. If that
identification is not done well, the CIP standards will be ineffective
at protecting the bulk power system. The results of NERC's self-
certification request showed that 31% of responsible entities
responding to the survey, and only 29% of generation owners and
operators, identified at least one critical asset, while about 63% of
transmission owners identified at least one critical asset. NERC
expressed its concern with these results in a letter to industry
stakeholders dated April 7, 2009. In addition, NERC is working on a
guidance document that will help industry to identify their critical
assets. That document is still under development, and should be
completed in approximately 6 months. Another self-certification by
industry is due to NERC at the end of July, and includes additional
questions designed to obtain a better understanding of the results from
industry's critical asset identification process. Those results will
help gauge how widely the CIP reliability standards have been applied.
The results of the NERC survey demonstrate that it is not clear,
even today, what percentage of critical assets and their associated
critical cyber assets has been identified and therefore made subject to
the protection requirements of the CIP standards. It is clear, however,
that this issue is serious and represents a significant gap in
cybersecurity protection.
the nerc process
As an initial matter, it is important to recognize how mandatory
reliability standards are established. Under section 215, reliability
standards must be developed by the ERO through an open, inclusive, and
public process. The commission can direct NERC to develop a reliability
standard to address a particular reliability matter, including
cybersecurity threats or vulnerabilities. However, the NERC process
typically requires years to develop standards for the commission's
review. In fact, the existing CIP standards took approximately 3 years
to develop.
NERC's procedures for developing standards allow extensive
opportunity for industry comment, are open, and are generally based on
the procedures of the American National Standards Institute. The NERC
process is intended to develop consensus on both the need for, and the
substance of, the proposed standard. Although inclusive, the process is
relatively slow, open, and unpredictable in its responsiveness to the
commission's directives.
Key steps in the NERC process include: Nomination of a proposed
standard using a Standard Authorization Request (SAR); public posting
of the SAR for comment; review of the comments by industry volunteers;
drafting or redrafting of the standard by a team of industry
volunteers; public posting of the draft standard; field testing of the
draft standard, if appropriate; formal balloting of the draft standard,
with approval requiring a quorum of votes by 75 percent of the ballot
pool and affirmative votes by two-thirds of the weighted industry
sector votes; re-balloting, if negative votes are supported by specific
comments; approval by NERC's board of trustees; and an appeals
mechanism to resolve any complaints about the standards process. This
process requires public disclosure regarding the reason for the
proposed standard, the manner in which the standard will address the
issues, and any subsequent comments and resulting modifications in the
standards as the affected stakeholders review the material and provide
comments. NERC-approved standards are then submitted to the commission
for its review.
Generally, the procedures used by NERC are appropriate for
developing and approving reliability standards. The process allows
extensive opportunities for industry and public comment. The public
nature of the reliability standards development process can be a
strength of the process. However, it can be an impediment when measures
or actions need to be taken to address threats to national security
quickly, effectively and in a manner that protects against the
disclosure of security-sensitive information. The current procedures
used under section 215 for the development and approval of reliability
standards do not provide an effective and timely means of addressing
urgent cyber- or other national security risks to the bulk power
system, particularly in emergency situations. Certain circumstances,
such as those involving national security, may require immediate
action, while the reliability standard procedures take too long to
implement efficient and timely corrective steps.
FERC rules governing review and establishment of reliability
standards allow the agency to direct the ERO to develop and propose
reliability standards under an expedited schedule. For example, FERC
could order the ERO to submit a reliability standard to address a
reliability vulnerability within 60 days. Also, NERC's rules of
procedure include a provision for approval of ``urgent action''
standards that can be completed within 60 days and which may be further
expedited by a written finding by the NERC board of trustees that an
extraordinary and immediate threat exists to bulk power system
reliability or national security. However, it is not clear NERC could
meet this schedule in practice. Moreover, faced with a national
security threat to reliability, there may be a need to act decisively
in hours or days, rather than weeks, months, or years. That would not
be feasible even under the urgent action process. In the mean time, the
bulk power system would be left vulnerable to a known national security
threat. Moreover, existing procedures, including the urgent action
procedure, would widely publicize both the vulnerability and the
proposed solutions, thus increasing the risk of hostile actions before
the appropriate solutions are implemented.
In addition, a reliability standard submitted to the commission by
NERC may not be sufficient to address the identified vulnerability or
threat. Since FERC may not modify a proposed reliability standard under
section 215 and must either approve or remand it, FERC would have the
choice of approving an inadequate standard and directing changes, which
reinitiates a process that can take years, or rejecting the standard
altogether. Under either approach, the bulk power system would remain
vulnerable for a prolonged period.
Finally, the open and inclusive process required for standards
development is not consistent with the need to protect security-
sensitive information. For instance, a Standard Authorization Request
would normally detail the need for the standard as well as the proposed
mitigation to address the issue, and the NERC-approved version of the
standard would be filed with the commission for review. This public
information could help potential adversaries in planning attacks.
NERC's ``Aurora'' Advisory
Currently, the alternative to a mandatory reliability standard is
for NERC to issue an advisory encouraging utilities and others to take
voluntary action to guard against cyber or other vulnerabilities. That
approach allows for quicker action, but compliance with an advisory is
not mandatory, and may produce inconsistent and potentially ineffective
responses. Also, an alert can be general in nature and lack
specificity. For example, the issuance of an advisory in 2007 by NERC,
regarding an identified cybersecurity vulnerability referred to as
``Aurora,'' caused uncertainty about the specific strategies needed to
mitigate the identified vulnerabilities and the assets to which they
apply. Reliance on voluntary measures to assure national security is
fundamentally inconsistent with the conclusion Congress reached during
enactment of EPAct 2005, that voluntary standards cannot assure
reliability of the bulk power system.
smart grid
The need for vigilance may increase as new technologies are added
to the bulk power system. For example, Smart Grid technology promises
significant benefits in the use of electricity. These include the
ability to better manage not only energy sources but also energy
consumption. However, a smarter grid would permit two-way communication
between the electric system and a large number of devices located
outside of controlled utility environments, which will introduce many
potential access points.
Smart Grid applications will automate many decisions on the supply
and use of electricity to increase efficiencies and ultimately to allow
cost savings. Without adequate physical and cyber protections, however,
this level of automation may allow adversaries to gain unauthorized
access to the rest of the company's data and control systems and cause
significant harm. Security features must be an integral consideration
when developing Smart Grid technology. The challenge will be to focus
not only on general approaches but, importantly, on the details of
specific technologies and the risks they may present.
Regarding data, there are multiple ways in which Smart Grid
technologies may introduce new cyber vulnerabilities into the system.
For example an attacker could gain access to a remote or intermediate
Smart Grid device and change data values monitored or received from
down-stream devices, and pass the incorrect data up-stream to cause
operators or automatic programs to take incorrect actions. As was
mentioned previously, the potential exists for off-grid equipment to
adversely affect the bulk power system through corrupted
communications.
In regard to control systems, an attacker that gains access to the
communication channels could order metering devices to disconnect
customers, order previously shed load to come back on-line prematurely,
or order dispersed generation sources to turn off during periods when
load is approaching generation capacity, causing instability and
outages on the bulk power system. One of the potential capabilities of
the Smart Grid is the ability to remotely disconnect service using
advanced metering infrastructure (AMI). If insufficient security
measures are implemented in a company's AMI application, an adversary
may be able to access the AMI system and could conceivably disconnect
every customer with an AMI device. If such an attack is widespread
enough, the resultant disconnection of load on the distribution system
could result in impacts to the bulk power system. If an adversary
follows this disconnection event with a subsequent and targeted cyber
attack against remote meters, the restoration of service could be
greatly delayed.
The CIP standards will apply to some, but not all, Smart Grid
applications. The standards require users, owners, and operators of the
bulk power system to protect cyber assets, including hardware,
software, and data, which would affect the reliability or operability
of the bulk power system. These assets are identified using a risk-
based assessment methodology that identifies electric assets that are
critical to the reliable operation of the bulk power system. If a Smart
Grid device were to control a critical part of the bulk power system,
it would be considered a critical cyber asset subject to the protection
requirements of the CIP standards.
Many of the Smart Grid applications will be deployed at the
distribution and end-user level so they may incorrectly be viewed as
not affecting the bulk power system. For example, some applications may
be targeted at improving market efficiency in ways that may not have a
reliability impact on the bulk power system, such that the protection
requirements of the CIP standards, as they are currently written, may
not apply. However, as discussed above, these applications either
individually or in the aggregate could affect the bulk power system.
The commission and its staff currently are coordinating with a
number of Governmental and private sector organizations on
cybersecurity issues surrounding Smart Grid technology, including the
DOE Smart Grid Task Force, the NIST Domain Expert Working Groups, the
Gridwise Architecture Council, and the FERC-NARUC Smart Grid
Collaborative. The commission has issued a policy statement that would
strongly encourage interoperability of Smart Grid technologies,
recognizing that cybersecurity is essential to the operation of the
Smart Grid. The Policy Statement stated that the commission will
require a demonstration of sufficient cybersecurity protections in the
proposed Smart Grid standards to be considered in rulemaking
proceedings under the Energy Independence and Security Act of 2007
(EISA), including, where appropriate, a proposed Smart Grid standard
applicable to local distribution-related components of Smart Grid. The
commission also encouraged NERC to work with NIST in the development of
the standards.
While the commission is doing what it can under its jurisdiction,
EISA does not make any standards mandatory and does not give the
commission authority to make or enforce any such standards. Under
current law, the commission's authority, if any, to make Smart Grid
standards mandatory must derive from the FPA.
physical security and other threats to reliability
The commission's current reliability authority does not extend to
physical threats to the grid, but physical threats can cause equal or
greater destruction than cyber attacks and the Federal Government
should have no less ability to act to protect against such potential
damage. One example of a physical threat is an electromagnetic pulse
(EMP) event. In 2001, Congress established a commission to assess the
threat from EMP, with particular attention to be paid to the nature and
magnitude of high-altitude EMP threats to the United States;
vulnerabilities of U.S. military and civilian infrastructure to such
attack; capabilities to recover from an attack; and the feasibility and
cost of protecting military and civilian infrastructure, including
energy infrastructure. In 2004, the commission issued a report
describing the nature of EMP attacks, vulnerabilities to EMP attacks,
and strategies to respond to an attack.\1\ A second report was produced
in 2008 that further investigated vulnerabilities of the Nation's
infrastructure to EMP.
---------------------------------------------------------------------------
\1\ Graham, Dr. William R. et al, Report of the Commission to
Assess the Threat to the United States from Electromagnetic Pulse (EMP)
Attack (2004).
---------------------------------------------------------------------------
An EMP may also be a naturally-occurring event caused by solar
flares and storms disrupting the Earth's magnetic field. In 1859, a
major solar storm occurred, causing auroral displays and significant
shifts of the Earth's magnetic fields. As a result, telegraphs were
rendered useless and several telegraph stations burned down. The
impacts of that storm were muted because very little electronic
technology existed at the time. Were the storm to happen today,
according to an article in Scientific American, it could ``severely
damage satellites, disable radio communications, and cause continent-
wide electrical black-outs that would require weeks or longer to
recover from.''\2\ Although storms of this magnitude occur rarely,
storms and flares of lesser intensity occur more frequently. Storms of
about half the intensity of the 1859 storm occur every 50 years or so
according to the authors of the Scientific American article, and the
last such storm occurred in November 1960, leading to world-wide
geomagnetic disturbances and radio outages.
---------------------------------------------------------------------------
\2\ Odenwald, Sten F. and Green, James L., Bracing the Satellite
Infrastructure for a Solar Superstorm, Scientific American Magazine
(Jul. 28, 2008).
---------------------------------------------------------------------------
Further, the power grid is particularly vulnerable to solar storms,
as transformers are electrically grounded to the Earth and susceptible
to damage from geomagnetically induced power spikes. The collapse of
numerous transformers across the country could result in reduced grid
functionality or even prolonged power outages.
FERC staff has no data on how well the bulk power system is
protected against an EMP event, and the existing reliability standards
do not address EMP vulnerabilities. Further, the commission currently
does not have any specific authority to order owners and operators of
the transmission grid, generation facilities and other electric
facilities to protect their facilities from EMP-related events, other
than the general authority to order NERC to develop a reliability
standard addressing EMP. Protecting the electric generation,
transmission, and distribution systems from severe damage due to an EMP
would involve vulnerability assessments at every level of electric
infrastructure. In addition, as the reports point out, the reliable
operation of the electric grid requires other infrastructure systems,
such as communications, natural gas pipelines and transportation, which
would also be affected by such an attack or event.
the need for legislation
In my view, section 215 of the Federal Power Act provides an
adequate statutory foundation for the ERO to develop most reliability
standards for the bulk power system. However, the nature of a national
security threat by entities intent on attacking the United States
through vulnerabilities in its electric grid stands in stark contrast
to other major reliability vulnerabilities that have caused regional
blackouts and reliability failures in the past, such as vegetation
management and protective relay maintenance practices. Widespread
disruption of electric service can quickly undermine the U.S.
Government, its military, and the economy, as well as endanger the
health and safety of millions of citizens. Given the national security
dimension to this threat, there may be a need to act quickly to protect
the grid, to act in a manner where action is mandatory rather than
voluntary, and to protect certain information from public disclosure.
The commission's current legal authority is inadequate for such
action. This is true of both cyber and non-cyber physical threats to
the bulk power system that pose national security concerns. This lack
of authority results in the electric grid being vulnerable to attacks,
both physical and cyber.
Any new legislation should address several key concerns. First, to
prevent a significant risk of disruption to the grid, legislation
should allow the commission to take action before a cyber or physical
national security incident has occurred. In order to protect the grid,
it is vital that the commission be authorized to act before an attack
to address vulnerabilities and threats. Second, any legislation should
allow the commission to maintain appropriate confidentiality of
sensitive information submitted, developed or issued under this
authority. Third, it is important that Congress be aware that if
additional reliability authority is limited to the bulk power system,
as that term is currently defined in the FPA, it would exclude
protection against attacks involving Alaska and Hawaii, including any
Federal installations located therein. The current interpretation of
the term bulk power system also excludes some transmission and all
local distribution facilities, including virtually all of the
facilities in certain large cities such as New York, thus precluding
possible commission action to mitigate cyber or other national security
threats to reliability that involve such facilities and major
population areas. Finally, it is important that entities be permitted
to recover costs they incur to mitigate vulnerabilities and threats.
The commission currently has authority to allow recovery by entities
that meet the FPA definition of ``public utility.'' If Congress
believes it appropriate, it could include in legislation a directive
that the commission establish a cost recovery mechanism for the costs
associated with compliance with any FERC order issued pursuant to the
emergency authority.
Finally, any legislation on national security threats to
reliability should address not only cybersecurity threats but also
intentional physical malicious acts (targeting, for example, critical
substations and generating stations) and threats from an
electromagnetic pulse. FERC should be granted authority to address both
cyber and physical threats and vulnerabilities, primarily because FERC
is the one Federal agency with any statutory responsibility to oversee
reliability of the grid. This additional authority would not displace
other means of protecting the grid, such as action by Federal, State,
and local law enforcement and the National Guard. If particular
circumstances cause both FERC and other Governmental authorities to
require action by utilities, FERC would coordinate with other
authorities as appropriate. Additionally, any FERC authority to address
threats to the grid would be based on a determination by the President
or a national security agency that national security is endangered.
conclusion
The commission's current authority is not adequate to address cyber
or other national security threats to the reliability of our
transmission and power system. These types of threats pose an
increasing risk to our Nation's electric grid, which undergirds our
Government and economy and helps ensure the health and welfare of our
citizens. Congress should address this risk now. Thank you again for
the opportunity to testify today. I would be happy to answer any
questions you may have.
Ms. Clarke. Thank you very much, Mr. McClelland. Ms.
Hoffman.
STATEMENT OF PATRICIA A. HOFFMAN, ACTING ASSISTANT SECRETARY,
OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY,
DEPARTMENT OF ENERGY
Ms. Hoffman. Thank you, Chairwoman Clarke, Members of the
subcommittee, for this opportunity to testify before you on
electric sector vulnerabilities and cybersecurity issues.
For more than a decade, the Department of Energy has been
engaged with the private sector to secure the electric grid.
The Homeland Security Presidential Directive 7 designated the
Department of Energy as the Energy Sector-specific agency and
provided authorization to collaborate with all Federal
agencies, State and local governments, and the private sector
to conduct vulnerability assessments of the energy sector, and
to encourage risk management strategies.
Securing the critical infrastructure is a shared
responsibility and requires public-private partnerships. Asset
owners bear the main responsibility for ensuring that key
resources are secure and for making the appropriate
investments, for reporting emergency information to the
Government, and for implementing protective practices and
procedures.
With an economy that is in the process of recovering, it is
even more critical that all energy sector stakeholders
understand the available options, their associated costs, and
the roadmap or path to a more secure energy infrastructure.
As we deploy Smart Grid technology, load management
technology, plug in hybrid electric vehicles, distributed
generation, micro grid, we may find that some measures may not
be necessary, while new ones may emerge. The energy sectors
threat analysis encompasses natural events, hurricanes,
criminal acts, insider threats, and both foreign and domestic
terrorism.
Because of the diversity of assets in the systems in the
energy sector, a multitude of methodologies have been used to
assess risks, vulnerabilities, and consequences. No single
methodology or tool has been used to assess risk in the energy
sector assets, such as what the Nuclear Regulatory Commission
does with design basis threats.
Lessons learned from DBD analysis, in the nuclear industry
could be applied to the electric industry, especially for large
generating stations, large substations and major control
centers.
To address the advancing capabilities of the global cyber
threat as well as implementation of Smart Grid, the Department
of Energy has requested an increase in our 2010 research budget
for cybersecurity and energy delivery systems, from $12 million
in 2009, to $50 million in 2010.
Activities proposed under this budget include, expanding
our national SCADA test bed activities and cybersecurity
assessments of control systems, utilizing existing control
systems simulators as hosts for cyber training, develop trusted
anchors to build trustworthy networks from untrusted
components, and development of a cybersecurity Smart Grid test
bed.
Currently, a laboratory industry and research effort to
enhance the cybersecurity of the energy infrastructure has
produced results in four areas. We have identified
vulnerabilities, cyber vulnerabilities in energy control
systems, and have worked with vendors to develop hardened
systems that mitigate the risk.
Develop more secure communication methods between energy
control systems in field devices. We have developed tools and
methods to help utilities assess their security posture, and we
have provided extensive cybersecurity training for energy
owners and operators to help them prevent, detect, and mitigate
cyber penetration.
The Department is working collaboratively with the private
sector on several activities to ensure that cybersecurity is
baked into the Smart Grid. Over the past year, the Department
has been working collaboratively with the utilities
communication architecture user group to develop security
requirements for advanced metering infrastructure, a key
application to the Smart Grid.
The Department is now working to leverage this effort in
cooperation with the UCS user group to develop cybersecurity
requirements for the full suite of Smart Grid technologies.
Additionally, the Department is working on procurement
standards as a part of this effort.
The Office of Electricity Delivery and Energy Reliability
received $4.5 billion in the American Recovery and Reinvestment
Act, of which about $3.4 billion is for grants for Smart Grid
development and $650 million is for Smart Grid demonstration.
Cybersecurity should be addressed in every phase of the
projects awarded under this funding, and includes design
through on-going maintenance and support. The technical
approach to cybersecurity should include in the proposals, a
summary of cybersecurity risks and how they will be mitigated
at each stage of the life cycle, a summary of the cybersecurity
criteria utilized by vendor and device selection, a summary of
the relevant cybersecurity standards or best practices that
will be followed, a summary of how the projects support
emerging cybersecurity standards.
In conclusion, the United States needs a comprehensive
framework to ensure a coordinated response. The Government, in
partnership with key stakeholders, should design an effective
mechanism that integrates information from the Government and
the private sector, and serves as a basis for informed and
prioritized vulnerability mitigation efforts and incident
response decisions.
This concludes my statement, Chairwoman Clarke. Thank you
for the opportunity to speak. I look forward to answering any
questions you or your colleagues may have.
[The statement of Ms. Hoffman follows:]
Prepared Statement of Patricia A. Hoffman
July 21, 2009
Thank you Chairwoman Clark and Members of the subcommittee for this
opportunity to testify before you on electric sector vulnerabilities
and cybersecurity issues.
All of us here today share a common concern that vulnerabilities
exist within the electric system and that the Department of Energy, in
partnership with the rest of the Federal Government and industry,
should address the full spectrum of events, from high-impact, low-
probability (HILP) to high-impact, high-probability. This is
particularly true for Smart Grid systems, which by their very nature
involve the use of information and communication technologies in areas
and applications on the electric system where they have not been used
before.
For more than a decade, the Department has been substantively
engaged with the private sector to secure the electric grid. In
December 2003, the Homeland Security Presidential Directive 7 (HSPD-7)
designated the Department as the sector-specific agency (SSA) for the
energy sector and provided authorization to collaborate with all
Federal agencies, State and local governments, and the private sector,
to conduct vulnerability assessments of the sector, and to encourage
risk management strategies for critical energy infrastructure.
Securing critical infrastructure is a shared responsibility. Asset
owners bear the main responsibility for ensuring that key resources are
secure, for making the appropriate investments, for reporting threat
information to the Government, and for implementing protective
practices and procedures. As the SSA, the Department works closely with
the private sector and State/Federal regulators to provide secure
sharing of threat information and collaborates with industry to
identify and fund gaps in infrastructure research, development, and
testing efforts.
With an economy in the process of recovering, it is even more
critical that all energy sector stakeholders understand the available
options, their associated costs, and the roadmap or path to a more
secure energy infrastructure. As we deploy Smart Grid technologies,
load management technologies, plug-in hybrid electric vehicles and
distributed generation/microgrids, we may find some measures may not
become necessary, while new ones may emerge.
critical infrastructure protection and risk management framework
Since the energy sector is characterized by very diverse assets and
systems, prioritization of sector assets and systems is highly
dependent upon changing threats and consequences. The significance of
many individual components in the network is highly variable, depending
on location, time of day, day of the week, and season of the year.
The energy sector's threat analysis encompasses natural events,
criminal acts, and insider threats, as well as foreign and domestic
terrorism. Because of the diversity of assets and systems in the energy
sector, a multitude of methodologies have been used to assess risks,
vulnerabilities, and consequences. No single methodology or tool has
been used to assess risks to energy sector assets, such as the Nuclear
Regulatory Commission's design-basis threat (DBT) which is used to
design safeguards and systems to protect against acts of radiological
sabotage and to prevent the theft of special nuclear material. Lessons
learned from DBT analysis in the nuclear industry could be applied to
the electric industry especially for large generating stations, large
substations, and major control centers.
The exploitation of unintentional vulnerabilities has become one of
the greatest concerns for potential disruption and high-consequence
events. Control systems networks provide great efficiency and are
widely used. However, they also present a security risk, if not
adequately protected. Many of these networks were initially designed to
maximize functionality, with little attention paid to security. With
connections to the internet, internal local area and wide area
networks, wireless network devices, and modems, some networks are
potentially vulnerable to disruption of service, process redirection,
or manipulation of operational data that could cause disruptions to the
Nation's critical infrastructure.
The Department is planning to work with the Federal Energy
Regulatory Commission and the North American Reliability Corporation
(NERC) to examine the effects of HILP events on the bulk power system.
The effort will focus on HILP events such as influenza pandemic, space
weather, terrorist attacks, and electromagnetic pulses. The purpose of
this effort will be to develop a framework to look at causes and
consequences and provide a tool to summarize preparedness, response,
recovery, and mitigation measures.
DOE does not have a program that would allow for private or
publicly-owned utilities to receive Federal grants for hardening their
equipment against an intentional or unintentional electromagnetic
pulse.
cybersecurity--information sharing and early detection and warning
The Roadmap to Secure Control Systems in the Energy Sector (2006)
identified the need to improve information sharing between the
Government and the private sector as a high priority. In their 2008
Annual Report, the Energy Sector Control Systems Working Group (ESCWG),
which has worked in partnership with the Department to implement the
Roadmap, stated that most information protection and sharing issues
between the U.S. Government and industry still have not been resolved.
The Department of Homeland Security (DHS) receives the most
complete intelligence related to critical infrastructure protection
because of its cross-sector responsibilities. DHS's Homeland
Infrastructure Threat and Risk Analysis Center (HITRAC) develops early
intelligence warnings, which it shares with the Department. DHS alerts
the US-Computer Emergency Readiness Team (US-CERT) and the North
American Electric Reliability Corporation (NERC).
DOE does not have a separate alert system. DOE does, however, have
mandatory reporting requirements for electric emergency incidents and
disturbances (including cyber incidents) in the United States. Form OE-
417, ``Electric Emergency Incident and Disturbance Report,'' is used to
alert DOE to electrical emergency incidents and disruptions within a 1-
hour or 6-hour period depending on the type of emergency. This
information allows the Department to quickly respond to energy
emergencies that may impact the Nation's infrastructure. The
information, collected from the electric power industry, helps DOE meet
its overall national security and Federal Emergency Management Agency's
National Response Framework responsibilities. DOE uses the data from
this form to obtain situational awareness of energy emergencies of U.S.
electric supply systems. DOE's Energy Information Administration (EIA)
publishes the electric power emergency incidents and disturbances in
its monthly EIA reports. The data may also be used to develop
legislative recommendations, reports to Congress and as a basis for DOE
investigations. When appropriate, information is shared with FERC.
Early intelligence warnings provide the industry and Government
some insight into a potential attack but may not allow for timely
defense against many of them. Besides early intelligence warnings, the
Department recommends that the industry develop its own capabilities
for monitoring rogue, malicious behavior on their systems. The industry
should monitor communications on their systems just as they monitor
system performance. Diligence in upgrading security software and
protocols are essential to minimizing the impact of these events.
One of the challenges in creating an effective information sharing
system is how to share classified intelligence information with State
agencies and utility operators not cleared to receive this information.
The DHS has been working to grant clearances to appropriate members of
the community. An additional difficulty is the means by which the
information can be communicated. For example, a security chief at a
Regional Transmission Organization (RTO) may have a clearance, but not
have any means of communication or storage to receive the classified
information except through face-to-face communications.
cyber standards
Improving the security of the electric sector will require
coordination and cooperation between regulatory agencies and industry.
Because the security of the electric grid does not rely solely on
voluntary private-sector measures, much work is being done to develop
necessary cybersecurity standards. The Federal Energy Regulatory
Commission through the NERC Critical Infrastructure Protection (CIP)
has mandated standards CIP-002 through CIP-009 to provide a security
framework for the identification and protection of critical cyber
assets that support reliable operation. In addition, the International
Electrotechnical Commission (IEC) Working Group 15 of Technical
Committee 57 is developing IEC 62351, focusing on power systems
control, data communications, and security. The Power Engineering
Society Substations workgroup is developing P1689, a trial use standard
for retrofitting cybersecurity of serial Supervisory Control and Data
Acquisition (SCADA) links in intelligent electronic devices for remote
access. International Society of Automation security standard ISA99
addresses cybersecurity for control systems. The National Institute of
Standards and Technology (NIST) is also developing specific
recommendations and guidance for securing Smart Grid and other
industrial control systems. It is clear that standards development is a
priority, and this activity should be monitored closely for progress,
implementation, and gaps.
doe cyber r&d program
Our efforts to enhance the cybersecurity of the energy
infrastructure have produced results in four areas. We have:
1. Identified cyber vulnerabilities in energy control systems and
worked with vendors to develop hardened systems that mitigate
the risks;
2. Developed more secure communications methods between energy
control systems and field devices;
3. Developed tools and methods to help utilities assess their
security posture; and
4. Provided extensive cybersecurity training for energy owners and
operators to help them prevent, detect, and mitigate cyber
penetration.
In 2003, the Department launched its National SCADA Test Bed
(NSTB), a state-of-the-art national resource designed to aid Government
and industry in securing their control systems against cyber attack
through vulnerability assessments, mitigation research, security
training, and focused R&D efforts. The Department has expanded the NSTB
to include resources and capabilities from five national laboratories.
To date, researchers have assessed 90% of the current market
offering of SCADA/Energy Management Systems (SCADA/EMS) in the electric
sector, and 80% of the current market offering in the oil and gas
sector. Twenty NSTB and on-site field assessments of common control
systems from vendors including ABB, Areva, GE, OSI, Siemens, Telvent,
and others, have led vendors to develop 11 hardened control system
designs. Vendors have released countless software patches to better
secure legacy systems, which are now being used by 82 system
applications in the sector. Findings from NSTB vulnerability
assessments have also been generalized by Idaho National Laboratory
into its Common Vulnerabilities Report, which includes mitigation
strategies asset owners across the sector can use to better secure
their systems.
In 2005, the Department, in cooperation with the DHS and Natural
Resources Canada, worked directly with experts in the oil, gas, and
electricity industries to develop a detailed, prioritized plan for
cybersecurity improvements over the next 10 years, including best
practices, new technology, and risk assessment. The results of this
work were published in the 2006 Roadmap to Secure Control Systems in
the Energy Sector, which lays out a vision that in 10 years, controls
systems for critical applications will be designed, installed,
operated, and maintained to survive an intentional cyber assault with
no loss of critical function. Industry members defined goals,
milestones, and priorities to guide the industry toward this vision.
Let me highlight two such projects that the Department is cost-
sharing with the private sector to support the Roadmap:
The Bandolier project, led by Digital Bond, is developing
automated checklists of security configuration baselines,
which, when deployed, can enable the audit of actual
configuration settings against these baselines. Downloadable
checklists have been developed and are now available for
Siemens, Telvent, ABB, and SNC systems, and Digital Bond has
worked to make its product available immediately and at a low
cost to utilities by offering it as subscriber content on its
website.
The Hallmark project, led by Schweitzer Engineering
Laboratories, is working to commercialize the Secure SCADA
Communications Protocol originally developed by Pacific
Northwest National Laboratory. The technology allows utilities
to secure data communications between remote devices and
control centers--a critical cyber access path. The technology
will be available in a hardware device by mid-year.
The Department is also supporting research in academia through a
multi-university R&D project entitled ``Trustworthy Critical
Infrastructure for the Power Grid (TCIP).'' This project is led by the
University of Illinois and includes Dartmouth College, Cornell
University, Washington State University, and companies representing the
spectrum of the electric power industry including utilities, vendors,
regulatory bodies, control center operators, reliability coordinators,
and market operators. TCIP is funded mainly by the National Science
Foundation with supporting funds from the Department and the Department
of Homeland Security, Science and Technology Directorate.
In addition to R&D and NSTB assessments, the Department supports
extensive cybersecurity training to help asset owners learn security
methods they can implement immediately to better secure their
utilities. So far, the Department has trained more than 1,800
individuals in the energy sector and is also ramping up its new
advanced Red Team/Blue Team training through Idaho National Laboratory.
This week-long course invites asset owners to participate in a
simulated attack scenario on an actual control systems environment,
giving them hands-on attack and mitigation training.
In collaboration with the North American Electric Reliability
Corporation (NERC), Critical Infrastructure Protection Committee
(CIPC), the Department leveraged its expertise and experience in
cybersecurity assessments to develop foundational, intermediate, and
advanced mitigations for the NERC ``Top 10'' vulnerabilities associated
with control systems commonly used in the electric sector. The list was
developed by NERC members including small, medium, and large entities
across North America. The list is comprised of the most prevalent, most
exploited, or highest-consequence vulnerabilities that a typical
utility might find in their facilities. Utilities are encouraged to use
this list to augment their risk management processes. Utilities also
used the list as means to select vendors and purchase systems that had
security ``built-in.''
In addition to its R&D and partnership initiatives, the Department
is working collaboratively with the private sector on several
activities to ensure that cybersecurity is ``baked in'' to the Smart
Grid. Over the past year, the Department has been working
collaboratively with the Utilities Communications Architecture (UCA)
Users Group (including utilities, vendors, et al) to develop
cybersecurity requirements for advanced metering infrastructure (AMI)--
a key application for the Smart Grid. The group produced a document
titled ``AMI System Security Specifications'' which will help utilities
procure secure AMI systems. The Department is now working to leverage
this effort in cooperation with the UCA User Group to develop
cybersecurity requirements for the full suite of Smart Grid
technologies.
The Department is also working with the ESCSWG to update the 2006
Roadmap. The update will incorporate new information and lessons
learned, update end-states and milestones, and establish priorities
that have come to the forefront since 2006, such as Smart Grid and
wireless technologies. So far, the ESCSWG has identified gaps in the
2006 Roadmap, reviewed the Roadmap vision and goal structure, assessed
changes in the control systems landscape, and collected ideas for
implementation. In September 2009, the ESCSWG will bring together a
broad section of asset owners and operators, researchers, technology
developers, security specialists, and equipment vendors to establish
new goals and prioritize control systems security needs in the energy
sector. The ESCSWG plans to release the new roadmap in January 2010.
american recovery and reinvestment act (arra)--title xiii, smart grid
A Smart Grid uses information and communications technologies to
improve the reliability, availability, and efficiency of the electric
system. With Smart Grid, these technologies are being applied to
electric grid applications, including devices at the consumer level
through the transmission level, to make our electric system more
responsive and more flexible.
Enhanced grid functionality enables multiple devices to interact
with one another via a communications network. These interactions make
it easier and more cost-effective, in principle, for a variety of clean
energy alternatives to be integrated with electric system planning and
operations, as well as for improvements in the speed and efficacy of
grid operations to boost electric reliability and the overall security
and resiliency of the grid. The communications network, and the
potential for it to enhance grid operational efficiency and bring new
clean energy into the system, are key distinguishing features of the
Smart Grid compared to the existing system.
The Office of Electricity Delivery and Energy Reliability received
$4.5 billion in the ARRA, of which about $3.4 billion is for grants for
Smart Grid development and $615 million is for Smart Grid
demonstrations. In order to gain the greatest return on investment,
this grant money will be disbursed in six areas: Equipment
manufacturing, customer systems, advanced metering infrastructure,
electric distribution systems, electric transmission systems, and
integrated and/or crosscutting systems. The Federal funds for this
program have been divided into two categories:
Smaller projects in which the Federal share would be in the
range of $300,000 to $20,000,000;
Larger projects in which the Federal cost share would be in
the range of $20,000,000 to $200,000,000.
Approximately 40% of Smart Grid Investment Grant (SGIG) funding
will be allocated for smaller projects, while approximately 60% will be
allocated for larger projects. DOE reserves the right to revise these
allocations depending on the quantity and quality of the applications
received.
DOE is working to reduce cybersecurity risks by including the
following language in the grant announcement:
``Cybersecurity should be addressed in every phase of the engineering
lifecycle of the project, including design and procurement,
installation and commissioning, and the ability to provide on-going
maintenance and support. Cybersecurity solutions should be
comprehensive and capable of being extended or upgraded in response to
changes to the threat or technological environment. The technical
approach to cybersecurity should include:
``A summary of the cybersecurity risks and how they will be
mitigated at each stage of the lifecycle (focusing on vulnerabilities
and impact).
``A summary of the cybersecurity criteria utilized for
vendor and device selection.
``A summary of the relevant cybersecurity standards and/or
best practices that will be followed.
``A summary of how the project will support emerging Smart
Grid cybersecurity standards.''
DOE intends to work with those selected for award, but may not make
an award to an otherwise meritorious application if that applicant
cannot provide reasonable assurance that their cybersecurity efforts
will provide protection against broad-based systemic failures in the
electric grid in the event of a cybersecurity breach.
The following technical merit review criteria will be used in the
evaluation of applications and in the determination of the SGIG project
awards. The relative importance of the four criteria is provided in
percentages in parentheses:
1. Adequacy of the Technical Approach for Enabling Smart Grid
Functions (40%);
2. Adequacy of the Plan for Project Tasks, Schedule, Management,
Qualifications, and Risks (25%);
3. Adequacy of the Technical Approach for Addressing
Interoperability and Cyber Security (20%); and
4. Adequacy of the Plan for Data Collection and Analysis of Project
Costs and Benefits (15%).
DOE's programs do not include grants to private or publicly-owned
utilities for hardening their equipment against an intentional or
unintentional electromagnetic pulse.
conclusion
The United States needs a comprehensive framework to ensure a
coordinated response by the Federal, State, local, and Tribal
governments, the private sector, and international allies to
significant incidents related to the Nation's electric power grid,
particularly cyber. Implementation of this framework will require
developing reporting thresholds, adaptable response and recovery plans,
and the coordination, information sharing, and incident reporting
mechanisms needed for those plans to succeed. The Government, working
with key stakeholders, should design an effective mechanism to achieve
a true common operating picture that integrates information from the
Government and the private sector and serves as the basis for informed
and prioritized vulnerability mitigation efforts and incident response
decisions.
The focus should be on addressing the full range of threats and
vulnerabilities to critical infrastructure versus the bulk power system
and requires public-private and international partnerships.
Priority should be placed on deploying sensors for complete and
greater depth in monitoring and diagnostics of physical and cyber
events.
The Federal Government and industry must develop a security
baseline and benchmark milestones for securing critical infrastructure.
As the capabilities of the threat continue to outpace our ability
to develop and implement countermeasures, it is critical that control
systems for critical applications be designed, installed, operated, and
maintained to survive an intentional cyber assault with no loss of
critical functions.
This concludes my statement, Chairwoman Clarke. Thank you for the
opportunity to speak. I look forward to answering any questions you and
your colleagues may have.
Ms. Clarke. Thank you very much, Ms. Hoffman.
Mr. McGurk.
STATEMENT OF SEAN P. MCGURK, DIRECTOR, CONTROL SYSTEMS SECURITY
PROGRAM, NATIONAL CYBERSECURITY DIVISION, OFFICE OF
CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY
Mr. McGurk. Thank you, Chairwoman Clarke, thank you, Member
Lungren, distinguished Members of the subcommittee. I am Sean
McGurk, the director of the Department of Homeland Security's
Control Systems Security Program, and the director of the
Industrial Control Systems Cyber Emergency Response Team, or
the ICF CERT.
I am pleased to appear before you here today, to discuss
the importance of securing control systems that operate our
critical infrastructure including the Smart Grid. Control
system electric power to operate the physical processes which
produce the goods and services that we rely upon on a daily
basis. Therefore assessing risk and effectively securing
industrial control systems, is vital to maintaining our
Nation's strategic interests, public safety, and economic
prosperity.
In 2003, the Department of Homeland Security was designated
as the lead agency for cybersecurity. Since then, several
Homeland Security Presidential directives have established
national policy and further outlined the Department's
responsibility to collaborate with public and private sector
entities to evaluate emerging technologies.
In May 2004, DHS created the control system security
program. To further this mission and lead a cohesive effort
focused on reducing the risk to control systems that operate
the critical infrastructure. The CSSP recognizes that leading
in these activities, such as understanding threats,
vulnerabilities, and subsequent mitigation strategies, is
essential to securing these systems.
To support our leadership role, CSSP funding for fiscal
year 2009, is $22 million. This was an increase from a previous
year's budget of $12 million that enabled us to expand and
enhance our vulnerability discovery facility. This facility
provides advanced capabilities that will aid in identifying the
interdependencies of the critical infrastructures.
Additionally, the Federal workforce was increased from one
position to an authorization of nine Federal employees. For
fiscal year 2010, the President's budget request included an
increase of $5.56 million for CSSP. Even with these
enhancements, the requirements to evaluate new technologies and
the ability to assess risk across the 18 critical
infrastructures presents a challenge.
In order to understand the risk, it is important to
understand the threats, including those actors and motivations,
not only to control systems, but to digital computing in
general. Common crackers or hackers comprise the most prevalent
group of cyber attackers. They attempt to break in, in order to
hack into computer systems to exploit flaws.
Often, motivation is data exfiltration for financial gain.
Of greater concern are the hackers who install back doors such
as trojans or root kits that enable them to remotely access the
systems or the devices. The knowledgeable insider is probably
the most dangerous threat to systems operation and security
because this is someone who is trusted and has access to the
networks and other important company information.
Cyber terrorists or, hacktivists, are those who seek to
disrupt internet activity in the name of personal, political,
or social cause or shared ideology. These individuals
collaborate via cyberspace and work as an organized group
against their target.
These challenges to security offer several opportunities
for malicious actors to attempt to penetrate our systems, using
the vulnerabilities and the advanced technologies that control
our critical infrastructure. The CSSP evaluates risk, conducts
operational risk management, and develops mitigation plans to
manage risk to an acceptable level.
These activities include control system sector analysis,
scenario development and the development of various tools and
training products. In 2006, CSSP conducted the analysis based
on the premise of using the electric grid to attack a facility.
We demonstrated how a perpetrator could use the electric grid
system to produce significant physical damage to the equipment
and the systems.
The Aurora analysis highlights the importance of assessing
risk, interdependencies, and the need to secure industrial
control systems in order to maintain our Nation's strategic
interests. While these efforts result in cybersecurity
strategies that help to increase the overall security of the
grid, they do not protect the grid from attack.
DHS works closely with responsible Federal agencies such as
the Department of Energy and the Federal Energy Regulatory
Commission, as well as the private sector, with the North
American Electrical Liability Corporation, to provide
mitigation measures that reduce the risk of cyber attack. The
Secretary of Homeland Security takes these issues of securing
our critical infrastructure very seriously.
Since 2004, this Department has conducted 148 assessments
of electric sector facilities through the office of
infrastructure protection. To further our mission, we lead a
cohesive effort between Government and industry and the program
created the Industrial Control Systems CERT to analyze and
respond to private sector reports of control systems incidents.
We also engage with our Federal partners, such as the
Department of Defense, the Department of Energy, and the
intelligence community to address equities and mitigate the
risks as we move forward. We also work closely with industry
partners, such as NERC, to provide detailed analysis of cyber
events in order to identify the risks and provide real-time,
actionable information for asset owners.
Chairwoman Clarke, Ranking Member Lungren, and
distinguished Members, I have outlined the role of the
Department's Control Systems Security Program, and the role it
will play in addressing the risk to technologies, including the
Smart Grid. With your assistance, we will help the Department
to continue to protect America.
Thank you again for this opportunity to testify, and I will
be happy to answer your questions.
[The statement of Mr. McGurk follows:]
Prepared Statement of Sean P. McGurk
July 21, 2009
Chairwoman Clarke, Ranking Member Lungren, and distinguished
Members, I am Sean McGurk, the Director of the Department of Homeland
Security (DHS) Control Systems Security Program (CSSP) at the National
Protection and Programs Directorate. I am pleased to appear before you
today to discuss the importance of securing the control systems that
operate our critical infrastructure.
A control system is a general term that encompasses several types
of systems, including Supervisory Control and Data Acquisition (SCADA),
process control, and other automated systems that are found in the
industrial sectors and critical infrastructure. These systems are used
to operate physical processes that produce the goods and services that
we rely upon such as electricity, drinking water, and manufacturing.
Control systems security in our electric power grid is particularly
important because of the significant interdependencies inherent with
the use of energy in all other sectors. Additionally, we rely on the
electric grid to operate the Federal, State, and local, Tribal
governments; therefore, assessing risk and effectively securing
industrial control systems are vital actions to maintaining our
Nation's strategic interests, public safety, and economic prosperity.
In 2003, the National Strategy to Secure Cyberspace designated DHS
as the lead agency for cybersecurity. Since then, Homeland Security
Presidential Directives (HSPD) 7 and 23 have established national
policies and further outlined the Department's responsibility to
collaborate with public and private sector entities to evaluate
emerging technologies. Additionally, various Government Accountability
Office (GAO) reports (e.g., GAO report: Critical Infrastructure
Protection: Challenges and Efforts to Secure Control Systems) have
further shaped Federal activities to improve the security of critical
infrastructure and key resources (CIKR) by identifying the risks that
could impact the networks that operate our critical infrastructure. In
May 2004, DHS created the Control Systems Security Program (CSSP) to
further this mission and lead a cohesive effort focused on reducing the
cyber risks to the control systems that operate the CIKR.
To establish a framework to secure the CIKR, DHS issued the
National Infrastructure Protection Plan (NIPP). This plan identifies
the CSSP as responsible for leading activities to reduce the likelihood
of success and severity of impact of cyber attacks against our Nation's
control systems. The CSSP recognizes that understanding the threats,
vulnerabilities, and subsequent mitigation strategies is essential in
securing industrial control systems.
The CSSP funding for fiscal year 2009 is $22 million, an increase
from the previous year's budget of $12 million that enabled us to
expand and enhance the Advanced Vulnerability Discovery facility. This
facility provides advanced modeling and simulation capabilities that
will aid in identifying the interdependencies of the infrastructures.
Additionally, the Federal workforce increased from one position to an
authorization for nine Federal employees. For fiscal year 2010, the
President's budget request included an increase of $5.56 million for
the CSSP. With these enhancements, DHS will be able to evaluate new
technologies and begin assessing risk across additional CIKR sectors.
CSSP continues to build a culture of reliability and security by
partnering with Government agencies, industry, and the international
community to reduce the cyber risks to U.S.-based control systems and
evaluate emerging technologies such as the Advanced Metering
Infrastructure and the Smart Grid for the energy sector.
In order to understand the risks, it is important to understand the
threats, including actors and motivations, not only to control systems,
but to digital computing in general.
Common hackers comprise the most prevalent group of cyber
attackers. They attempt to break-in or hack into computer
systems or exploit flaws in software to circumvent systems
security. Often the motivation is data exfiltration for
financial gain. Other hackers install backdoors such as Trojans
or other software such as rootkits that enable them to remotely
access the system or device at a later date to perform a
variety of nefarious actions.
The insider is a dangerous threat to control systems because
the individual has internal knowledge to processes and
components. Insiders can defeat security measures put in place
even when entities follow best practices and procedures.
Cyber-terrorists or hacktivists are those who seek to
disrupt internet activity in the name of a shared ideology or
personal, political, or social cause. These actors collaborate
via cyberspace and work as an organized group against their
targets to further their political or social agenda. Web
defacements, denial of service attacks, and redirects are the
most common acts carried out against a target or targets.
These security challenges offer opportunities for malicious actors
to attempt to penetrate our critical infrastructure using the
vulnerabilities in advanced technologies such as the Smart Grid.
The CSSP evaluates risk and serves as the focal point for
coordinating numerous resources to assist all critical infrastructure
entities, including the members of the electric power grid. The CSSP
conducts operational cyber risk management activities and leads
strategic initiatives to develop the mitigation plans to manage cyber
risk to an acceptable level. These activities include: Control systems
sector analysis of vulnerabilities and interdependencies; scenario
development; vendor product assessments; incident response activities;
and the development of assessment tools, information products, and
training.
In 2006, CSSP conducted an analysis based on the premise of using
the electric grid to attack a nuclear facility (originally this was the
``PANDORA'' analysis that later became ``AURORA''). This analysis was
performed at the Control Systems Analysis Center (CSAC) operated by the
Department of Energy's Idaho National Laboratory. The CSAC's analysis
demonstrated how a perpetrator could use the electric utility system to
produce significant nuclear plant apparatus and systems. It is
important to note that this vulnerability was not related to a specific
or imminent threat, and that the vulnerable control system and the
equipment which could be damaged by an attack are often owned by two
different entities. The analysis highlights the importance of assessing
risk, interdependencies, and the need to secure industrial control
systems in order to maintain our Nation's strategic interests, public
safety, and economic prosperity.
While these efforts result in cybersecurity strategies that help to
increase the overall security of the electric grid, they do not protect
the grid from attacks. DHS works closely with the Department of Energy
in providing mitigation measures that reduce the risk of cyber attacks,
such as those exploiting the AURORA vulnerability. DHS works directly
with the sector specific agencies such as the Departments of Defense
and Energy, The Federal Energy Regulatory Commission (FERC) and the
Nuclear Regulatory Commission (NRC), as well as with our private sector
partners such as the North American Electric Reliability Corporation
(NERC) to help them secure their infrastructure assets through
voluntary programs.
The Secretary of Homeland Security takes the issue of securing our
Nation's critical infrastructure very seriously and continues to
emphasize an all-hazards approach to a safe and secure homeland. The
CSSP focuses on a broad range of strategic cybersecurity initiatives
related to securing the systems that operate the Nation's critical
infrastructure, regardless of the cause.
Since 2004 the Department has conducted 148 assessments of electric
sector facilities through the Office of Infrastructure Protection.
These include cybersecurity assessments conducted by CSSP, which
utilize several tools that we developed, such as the Control Systems
Cyber Security Self Assessment Tool (CS2SAT) and the Cyber Security
Vulnerability Analysis (CSVA). DHS and the other sector-specific
agencies perform these vulnerability assessments as directed in HSPD 7,
which states that in accordance with guidance provided by the Secretary
of Homeland Security, sector-specific agencies shall:
(a) collaborate with all relevant Federal Departments and Agencies,
State and local governments, and the private sector, including
with key persons and entities in their infrastructure sector;
(b) conduct or facilitate vulnerability assessments of the sector;
and
(c) encourage risk management strategies to protect against and
mitigate the effects of attacks against critical infrastructure
and key resources.
In addition to performing vulnerability analyses and assessments,
the CSSP also created a series of recommended practices and
informational products to assist owner-operators in improving the
security of their control systems. These information resources are
publicly available on-line at http://www.us-cert.gov/control_systems/
and also are promoted through the monthly meetings held by the Cross-
Sector Cyber Security Working Group, the Industrial Control Systems
Joint Working Group's (ICSJWG) quarterly meetings, and other sector
forums.
While products and tools allow asset owners and operators to
understand the cyber risk to their control systems, it is essential
that all stakeholders have knowledge of the fundamental principles of
control systems security. To that end, we developed an advanced
training center at the Idaho National Laboratory which includes
functional models of critical infrastructure equipment. This center
provides award-winning, hands-on training that ranges from introductory
web-based courses to advanced, hands-on ``Red Team/Blue Team''
exercises and instructor-led classes. This effort has trained more than
14,000 professionals through both classroom and web-based instruction.
To further our mission and lead a cohesive effort between
Government and industry, the Program created two overarching
initiatives: the Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT) and the ICSJWG.
The ICS-CERT, in coordination with the Department's United States
Computer Emergency Readiness Team (US-CERT), responds to and analyzes
control systems-related incidents, conducts analyses of vulnerabilities
and malicious software (malware), and disseminates cybersecurity
guidance to all sectors through informational products and alerts. The
ICS-CERT provides a more efficient coordination of control system-
related security incidents and information sharing with Federal, State,
and local agencies and organizations, the intelligence community, and
private sector constituents including vendors, owner-operators, and
international and private sector computer emergency response teams
(CERTs).
Recently, the ICS-CERT responded to an incident at a public water
utility, conducting on-site analysis of an event and providing
recommendations to increase the security posture of the facility.
Additionally, we conducted detailed digital media analysis of the
system hard drive in order to determine the root cause of the incident.
I am available to provide details of the incident in a classified brief
at a later date. The CSSP and ICS-CERT regularly identify
vulnerabilities and work with the vendors, owners, and operators of
control systems to develop mitigation strategies tailored to their use
and application in each of the critical sectors. We recognize there can
be a gap between identification of a vulnerability and development of a
vendor patch or full solution. To address this, the CSSP developed a
Vulnerability Management Process operated by the ICS-CERT, in
conjunction with trusted partners, to identify interim mitigation and
consequence management approaches. We also engage with our Federal
partners, such as the Departments of Defense and Energy as well as the
intelligence community, to address equities and mitigate risks as we
move from vulnerability identification, to risk assessment, to
mitigation development and promulgation. These efforts help us evaluate
new and emerging technologies such as Smart Grid, and the cyber risks
that they introduce to control systems.
The ICSJWG follows a structured approach in accordance with the
NIPP partnership framework and the Critical Infrastructure Partnership
Advisory Council to continue the successful efforts of the Process
Control System Forum to accelerate the design, development, and
deployment of more secure industrial control systems. The ICSJWG is
comprised of industry representatives from both private sector and
Government coordinating councils and provides a vehicle for
communicating and partnering across all CIKR sectors among Federal,
State, and local agencies, and private asset owner-operators of
industrial control systems. The ICSJWG and ICS-CERT collaborate with
one another to leverage partnerships for information sharing and
awareness of current threats and vulnerabilities. CSSP is also
collaborating with the DHS Science & Technology Directorate (S&T) to
ensure that their planned research and development in this area is
well-informed and complements CSSP's related work with industry and
owners/operators.
Implementation of the Smart Grid will include the deployment of
many new technologies, such as advanced sensors to improve situational
awareness, advanced metering, automatic meter reading, and integration
of distributed generation resources. These new technologies will
require the addition of multiple communication mechanisms and
infrastructures that must be coordinated with the developing
technologies and existing systems. Smart Grid deployment is likely to
increase the complexity of the existing power grid system. Increased
complexity and expanded communication paths could lead to an increase
in vulnerability to cyber attack unless there is a coordinated effort
to enforce security standards for design, implementation, and
operation. As the lead agency for cybersecurity and preparedness, DHS
is evaluating the risks and developing guidance to increase the
security of control systems with the implementation of new
technologies.
Chairwoman Clarke, Ranking Member Lungren, and distinguished
Members, I have outlined the role the Department's Control Systems
Security Program will play in addressing the risks that Smart Grid
technologies will introduce to control systems. With your assistance,
we will help the Department continue to protect America. Thank you
again for this opportunity to testify. I will be happy to answer your
questions.
Ms. Clarke. Thank you, Mr. McGurk.
Our next testimony comes from Ms. Cita Furlani.
STATEMENT OF CITA M. FURLANI, DIRECTOR, INFORMATION TECHNOLOGY
LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Ms. Furlani. Member Lungren, and Members of the
subcommittee. I am Cita Furlani, the director of the
Information Technology Laboratory, at the Department of
Commerce's National Institute of Standards and Technology.
Thank you for the opportunity to appear before you today,
to discuss NIST's role in ensuring the cybersecurity and
reliability of the information and communication aspect of the
Smart Grid.
As the Nation's measurement and standards institute, NIST
has earned a reputation as an impartial, technically
knowledgeable third-party, with a long history of working
collaboratively with industry and with other Government
agencies. These strengths allow NIST to make a unique
contribution to the establishment of the Smart Grid.
Recognizing the benefit of focusing this technical
expertise in industry-oriented mission, on what is one of the
Nation's most pressing issues, Congress, and the Energy
Independence and Security Act of 2007, called on NIST to take a
leadership role in ensuring an interoperable, secure, and open
energy infrastructure, that will enable all electric resources,
including demand-side resources, to contribute to an efficient,
reliable electricity network.
NISTs three-phase approach is to build on the relationship
with DOE, FERC, DHS, and other Federal agencies to engage
stakeholders to achieve consensus on Smart Grid standards.
By early fall, the process will deliver the Smart Grid
architecture framework, priorities for interoperability, and
cybersecurity standards, and an initial set of standards to
support implementation. In addition, plans to meet remaining
standards needs.
Second, to launch a formal public-private partnership to
facilitate development of additional standards to address
remaining gaps and integrate new technologies.
Third, develop a plan for testing and certification to
ensure that Smart Grid equipment and systems conform to
standards for security and interoperability.
NIST views its role as accelerating the process by which
the standards development can occur. The actual standards
development work is a process that takes place largely in the
private sector, with standards development organizations
utilities, and other stakeholders.
NIST is reaching out to the private sector, and is using
our expertise to identify where the barriers exist, where
relevant standards currently exit, where standards exist but
are not interoperable, and where gaps exist that require
standards to be developed.
I would like to caution, however, that the process of
creating comprehensive and effective standards can be time-
consuming and difficult. To be effective, standards must be
developed with broad representation and buy-in from all key
stakeholders.
It can take time to do this right. But, NIST is
establishing an agile framework that will meet the urgent
national need for specific Smart Grid standards. For the
reliability of the electric power industry to be fully
realized, cybersecurity concerns must be addressed, in addition
to assuring interoperability.
Congress recognizes, and is specifically calling out the
issue of cybersecurity in the ESA legislation. This is a
critical issue due to the increasing potential of cyber attacks
and incidents against this critical sector, as it becomes more
and more interconnected.
The need to address potential vulnerabilities has been
acknowledged across the Federal Government. This need has also
been cited in the 60-day cyberspace policy review.
With the adoption and implementation of the Smart Grid, the
IT and telecommunications sectors will be more directly
involved. These sectors have existing cybersecurity standards
to address vulnerabilities, conformity assessment programs to
evaluate cybersecurity products, and assessment programs to
identify known vulnerabilities in systems.
Another issue for the Smart Grid, and the implementation of
cybersecurity standards, is the concern that legacy equipment
might be difficult to modify to meet new standards. Smart Grid
cybersecurity strategy must address the addition and continual
upgrade of cybersecurity controls.
The cybersecurity strategy will require the development of
an overall cybersecurity architecture to address potential
points of failure, conformity assessment procedures, and
certification criteria for personnel and processes.
To achieve secure interoperability, products and systems
will require conformity assessment that can be developed by
NIST. Conformity assessment verifies that products adhere to
the specifications define in the standards.
Once a standard has been published, conformity assessment
can accelerate product development by giving vendors well-
defined criteria to meet. Such testing should ensure that
cybersecurity standards are affected and do not adversely
impact interoperability.
NIST is proud to have been given such an important role in
Smart Grid cybersecurity through the ESA legislation. We
believe with the continued cooperation and collective expertise
of the industry in this effort, we will be able to establish
the cybersecurity standards to ensure the Smart Grid vision
becomes a reality.
Thank you for the opportunity to testify today. I would be
happy to answer any questions you may have.
[The statement of Ms. Furlani follows:]
Prepared Statement of Cita M. Furlani
July 21, 2009
introduction
Madame Chairwoman Clarke, Ranking Member Lungren, and Members of
the subcommittee, I am Cita Furlani, the Director of the Information
Technology Laboratory at the Department of Commerce's National
Institute of Standards and Technology (NIST). Thank you for the
opportunity to appear before you today to discuss NIST's role in
ensuring the cybersecurity and reliability of the information and
communication aspects of the Smart Grid as well as its physical
security.
As the Nation's measurement and standards institute, NIST has
earned a reputation as an impartial, technically knowledgeable third
party with a long history of working collaboratively with industry and
other Government agencies. These strengths allow NIST to make a unique
contribution to the establishment of the Smart Grid.
Recognizing the benefit of focusing NIST's technical expertise and
industry-oriented mission on what is one of the Nation's most pressing
issues, Congress, in the Energy Independence and Security Act of 2007
(EISA) called on NIST to take a leadership role in ensuring an
interoperable, secure, and open energy infrastructure that will enable
all electric resources, including demand-side resources, to contribute
to an efficient, reliable electricity network. Specifically, EISA gave
NIST ``primary responsibility to coordinate development of a framework
that includes protocols and model standards for information management
to achieve interoperability of Smart Grid devices and systems . . . ''.
Cybersecurity and associated standards are being addressed as part of
this Smart Grid Interoperability Framework that is under development.
NIST's three-phase approach is to:
Build on the relationship with the Department of Energy
(DOE), Federal Energy Regulatory Commission (FERC), the
Department of Homeland Security (DHS), and other Federal
stakeholders to further engage utilities, equipment suppliers,
consumers, standards developers and other stakeholders to
achieve consensus on Smart Grid standards. By early fall, the
process will deliver:
the Smart Grid architecture framework;
priorities for interoperability and cybersecurity
standards, and an initial set of standards to support
implementation; and
plans to meet remaining standards needs.
Launch a formal public-private partnership to facilitate
development of additional standards to address remaining gaps
and integrate new technologies.
Develop a plan for testing and certification to ensure that
Smart Grid equipment and systems conform to standards for
security and interoperability.
After issuing the initial set of priorities, standards, and action
plans in early fall, NIST will initiate the partnership and complete a
testing-and-certification plan by the end of the year.
NIST views its role as accelerating the process by which the
standards development can occur. NIST plans to implement the above-
mentioned public-private partnership to serve as a mechanism to
organize stakeholders and drive priority-setting of the standards. The
actual standards development work is a process that takes place largely
in the private sector, with standards development organizations,
utilities, and other stakeholders. The duration of those processes will
depend on the complexity of the specific problem. In some cases, it
will occur very quickly--months--and in other cases, if it's
technically very challenging, it may take considerably longer. But in
the case of Smart Grid, NIST is moving as expeditiously as possible to
get the framework set and move the standards development process along.
NIST is reaching out to the private sector and is using our
expertise to identify where the barriers exist, where relevant
standards currently exist, where standards exist but are not
interoperable, and where gaps exist that require standards to be
developed. With appropriations from the American Recovery and
Reinvestment Act (Pub. L. 111-05), NIST is significantly expanding the
public-private coordination so we can move more rapidly to make needed
progress in Smart Grid interoperability standards. We are working
closely at the interagency level to develop the detailed actions to
support this expanded effort. This will allow us to define the
interoperability framework (system architecture); establish standards
development priorities; support standards assessments; identify
standards and conformity testing gaps; and accelerate standards
development and harmonization efforts to provide the secure and
reliable interchange of information that is necessary to accomplish the
Smart Grid mission.
NIST will use the EPRI report in drafting the NIST Smart Grid
Interoperability Standards Framework. The NIST document will describe a
high-level architecture, identify an initial set of key standards, and
provide a roadmap for developing new or revised standards needed to
realize the Smart Grid. The first release of the NIST-prepared
framework is planned to be available in September. In a Federal
Register notice published on June 9, NIST released for public comment
an Initial List of Smart Grid Interoperability Standards. This
preliminary set of standards and specifications is identified for
inclusion in the Smart Grid Interoperability Standards Framework,
Release 1.0, and additional standards and specifications are
anticipated to be included based on analyses of workshop input and
public comments.
An initial step in this process is the release of a draft report,
Report to NIST on the Smart Grid Interoperability Standards Roadmap,
that identifies issues and priorities for developing interoperability
standards for the Smart Grid. In a Federal Register notice published on
June 30, 2009, NIST formally announced the availability for public
comment of this nearly 300-page report, prepared under contract by the
Electric Power Research Institute (EPRI).
I would like to caution, however, that the process of creating
comprehensive and effective standards can be time-consuming and
difficult. To be effective, standards must be developed with broad
representation and buy-in from all key stakeholders. It can take time
to do this right, but NIST is establishing an agile framework that will
meet the urgent national need for specific Smart Grid standards. The
proposed approach will provide that type of expert input through a
voluntary consensus standards development process, while maintaining
the aggressive schedule needed to develop the Smart Grid.
understanding the risk
For the reliability of the electric power industry to be fully
realized, cybersecurity and physical security concerns must be
addressed in addition to assuring interoperability. Congress recognized
this in specifically calling out the issue of cybersecurity in the EISA
legislation. This is a critical issue due to the increasing potential
of cyber attacks and incidents against this critical sector as it
becomes more and more interconnected. Existing vulnerabilities might
allow an attacker to penetrate a network, gain access to control
software, and alter load conditions to destabilize the grid in
unpredictable ways.
Additional risks to the grid include:
Increasing the complexity of the grid that could introduce
vulnerabilities and disruptions and increase exposure to
potential malicious attackers and unintentional errors;
Linked networks can introduce common vulnerabilities;
Increasing vulnerabilities to communication and software
disruptions that could result in denial of service or
compromise the integrity of software and systems;
Increased number of entry points and paths for potential
adversaries to exploit;
Potential for compromise of data confidentiality, including
the breach of customer privacy; and
Increasing vulnerabilities to potential physical attacks or
disruptions, such as those due to Electromagnetic Pulse (EMP),
Electromagnetic Interference (EMI), and Geomagnetically-Induced
Currents (GICs).
The need to address potential vulnerabilities has been acknowledged
across the Federal Government including by NIST, DHS, DOE, and FERC.
This need has also been cited in the 60-Day Cyberspace Policy Review,
which states that `` . . . as the United States deploys new Smart Grid
technology, the Federal Government must ensure that security standards
are developed and adopted to avoid creating unexpected opportunities
for adversaries to penetrate these systems or conduct large-scale
attacks.'' With the adoption and implementation of the Smart Grid, the
IT and telecommunication sectors will be more directly involved. These
sectors have existing cybersecurity standards to address
vulnerabilities, conformity assessment programs to evaluate
cybersecurity products, and assessment programs to identify known
vulnerabilities in systems. These vulnerabilities need to be assessed
in the context of the Smart Grid.
Another issue for the Smart Grid and the implementation of
cybersecurity standards is the concern that legacy equipment may be
difficult to modify to meet the new standards developed. The issue of
legacy equipment is not unique to the Smart Grid. There are many
industrial control systems and IT systems that do not employ the most
current suite of cybersecurity controls. In addition, the life cycle
for information technology, particularly for software is very short--as
short as 6 months for many applications--and the knowledge and skill
level of adversaries to attack these systems continues to increase. To
address this issue, the Smart Grid cybersecurity strategy must address
the addition and continual upgrade of cybersecurity controls and
countermeasures to meet increasing threats. These new controls and
countermeasures may be allocated to stand-alone components within the
overall Smart Grid architecture.
The overall cybersecurity strategy for the Smart Grid must examine
both domain-specific and common requirements when developing a
mitigation strategy to ensure interoperability of solutions across
different parts of the infrastructure. The following is a preliminary
list of cybersecurity requirements applicable to the Smart Grid as a
whole:
Identification and authentication to components of the grid
to system entities;
Physical and logical access control to protect critical
information;
Integrity to ensure that modification of data or commands is
detected;
Confidentiality to protect sensitive information, including
Personally Identifiable Information (PII) and proprietary
information;
Availability to ensure that intentional attacks,
unintentional events, and natural disasters do not disrupt the
entire Smart Grid or result in cascading effects;
Techniques and technologies for isolating and repairing
compromised components of the Smart Grid;
Auditing to monitor changes in the Smart Grid;
Supply chain security to ensure that products and services
are not compromised at any point in the life cycle, a defense-
in-breadth strategy; and
Availability to ensure that intentional attacks, whether
physical or cyber, unintentional events, and natural disasters
do not disrupt the entire Smart Grid or result in cascading
effects.
The cybersecurity strategy will require the development of an
overall cybersecurity architecture to address potential single points
of failure, conformity assessment procedures for Smart Grid devices and
systems, and certification criteria for personnel and processes.
the cybersecurity standards landscape
In addition to understanding and assessing the risks related to the
Smart Grid's information and communications networks, it is important
to gauge the applicability of existing and new cybersecurity standards
to the Smart Grid. Several standards activities are on-going including:
The North American Electric Reliability Corporation (NERC)
Critical Infrastructure Protection (CIP) Cyber Security
Standards CIP-002 through CIP-009, which provide a
cybersecurity framework for the identification and protection
of Critical Cyber Assets to support reliable operation of the
Bulk Power System;
The International Society for Automation (ISA) 99/
International Electrotechnical Commission (IEC) 62443 suite of
standards that address Security for Industrial Control Systems;
The Advanced Metering Infrastructure Security task force
(AMI-SEC), formed to define common requirements and produce
standardized specifications for securing AMI system elements.
These requirements are for electric utilities, vendors, and
stakeholders; and
NIST Special Publication (SP) 800-53, Recommended Security
Controls for Federal Information Systems. This SP provides
guidance for Federal agencies on cybersecurity controls with
one section of the SP specifically addressing industrial
control systems.
Although these standards are being developed by different standards
bodies, there is significant interaction among the working groups. For
example, there are current efforts to harmonize the NERC CIP, ISA99/IEC
62443, and NIST SP 800-53.
Standards are being assessed for applicability and interoperability
across the domains of the Smart Grid, rather than developing a single
set of cybersecurity requirements applicable to all elements of the
Smart Grid. That is, the cybersecurity requirements of different
domains, such as home-to-grid and transmission and distribution, may
not be the same. For example, there are significant cybersecurity
requirements to ensure the confidentiality of Personally Identifiable
Information (PII) in the home-to-grid domain that may not be required
at the transmission and distribution domain.
To achieve secure interoperability, products and systems will
require conformity assessment that can be developed by NIST. Conformity
assessment verifies that products adhere to the specifications defined
in the standards. Once a standard has been published, conformity
assessment can accelerate product development by giving vendors well-
defined criteria to meet. Such testing should ensure that cybersecurity
standards are effective and do not adversely impact interoperability.
community partnership
NIST is working with the International Society of Automation (ISA),
the International Electrotechnical Commission (IEC), and the North
American Electric Reliability Corporation (NERC) on current
cybersecurity standards. NIST also works with other standards bodies,
such as ISO, IEEE, and Internet Engineering Task Force (IETF) on
cybersecurity standards. We will continue to coordinate with all these
standards bodies in the development/revision of cybersecurity standards
applicable to the Smart Grid.
To help ensure that we are addressing the cybersecurity
requirements of the Smart Grid as part of the NIST Smart Grid
Interoperability Framework, NIST has established a Cyber Security
Coordination Task Group (CSCTG), including members from the Domain
Expert Working Groups (DEWG) as well as cybersecurity and control
systems experts from academia and the IT and telecommunications
communities. The DEWGs are groups of technical experts established by
NIST and the GridWise Architecture Council (GWAC) for information
sharing on Smart Grid standards and interoperability issues in
identified Smart Grid domains: Transmission and distribution, home-to-
grid, business-to-grid, and industry-to-grid.
The CSCTG will coordinate among the DEWGs so that cybersecurity is
addressed consistently and comprehensively in the DEWG discussions and
work products. The focus of the CSCTG is to leverage the expertise of
the members to identify the overall threats, vulnerabilities and risks
to the proposed Smart Grid. In addition to cybersecurity, some physical
security issues, including threat assessments related to
electromagnetic pulse (EMP), electromagnetic interference (EMI) and
geomagnetically induced currents (GIC), related to threat assessments,
are also being considered within the CSCTG. This information will be
used to identify the appropriate cybersecurity controls that will be
allocated to various domains of the Smart Grid. The CSCTG is also
considering a layered approach to cybersecurity to ensure that if one
level is compromised, the next layer remains secure--a defense-in-depth
strategy. These cybersecurity controls will be assessed by CSCTG
members for effectiveness, scalability, and impacts on cost and the
reliability of the Smart Grid, and will be integrated into the Smart
Grid architecture from initiation. Interest is significant, and over
150 individuals have joined the CSCTG to date.
NIST will also coordinate closely with DOE, DHS, and FERC in the
development of all Smart Grid cybersecurity products, and is also
working closely with DOE, FCC and others to examine potential Smart
Grid electromagnetic interference issues.
conclusion
NIST is proud to have been given such an important role in Smart
Grid cybersecurity through the EISA legislation. We believe that with
the continued cooperation and collective expertise of the industry in
this effort, we will be able to establish the cybersecurity standards,
within the interoperability and standards framework, to ensure that the
Smart Grid vision becomes a reality.
Thank you for the opportunity to testify today on NIST's work on
Smart Grid cybersecurity. I would be happy to answer any questions you
may have.
Ms. Clarke. I would like to thank you, as well.
Ranking Member Lungren, and Members of the subcommittee,
let me take a moment to request unanimous consent to insert
additional written reports in testimony from the Canadian
Electricity Association, the Industrial Defender Incorporated,
Mr. Brian M. Ahern, and the Southern California Edison into the
record.
Hearing no objections, so ordered.
I thank the witnesses for their testimony, and I will
remind each Member that he or she will have 5 minutes to
question the panel.
I will now recognize myself, for 5 minutes for questions.
Do any of you on the panel believe that the current FERC/
NERC standard-setting process, where industry writes standards
and self-selects what assets it wants to secure, makes sense in
the context of our national security?
We can start.
Mr. McClelland. No, the commission, the prior chairman and
this chairman, and certainly this staff member, has been on
record to say that the standards development process is
adequate for routine matters attached to this power grid, the
reliability of the power grid.
But for matters it would attack the bulk power systems, the
power grid if you will, it is inadequate to protect against
national security threats and vulnerabilities.
Ms. Clarke. Anyone else's perspective on this?
Ms. Hoffman.
Ms. Hoffman. The standard-setting process is a process that
does involve public and private partnerships in looking at
baseline requirements for the system. The standard process can
not be the only mechanism that is viewed as an opportunity to
provide input into emergency and emergency requirements.
Ms. Clarke. Mr. McGurk.
Mr. McGurk. Madame Chairwoman, I concur with my colleagues.
The challenge of coming up with operational or interoperability
standards is usually followed through one process. But to
respond to a threat, or respond to a vulnerability, requires
emergency action, that may or may not be available given the
current construct.
So, some challenges present themselves. Getting that
information into the hands of the operators, and the authority
needs to be there for the Government to direct that activity.
Ms. Clarke. Yes.
Ms. Furlani.
Ms. Furlani. I agree also, that when you start talking
about interconnected systems, wherever the different types of
systems touch is a vulnerable spot. There is not a--you really
need an overarching understanding of the network and the
architecture. You can't do it in isolated pieces.
Ms. Clarke. Thank you, all. Let me direct my next question
to Mr. McClelland and Mr. McGurk.
Can you please explain what additional authority you feel
are necessary for FERC? And whether you think the language in
H.R. 2195 is in line with what you are asking for?
Mr. McClelland. The commission requested, actually the
chairman arrived at the position and again, staff concurred,
that the commission needed additional authority in order to be
able to direct action, measures to the industry to be able to
communicate in a confidential manner.
Because the communications now, the information would have
to have some assurance that the information would be protected
there, regards cybersecurity or physical threats of our power
system.
The commission would have a mechanism to engage industries,
propose and direct to engage, industry and get a directive
established to mitigate either a physical or a cyber threat.
The process under 215, by law, is open. So, if a standard
were to be developed, it would have to be developed in an open
forum. So, not only the vulnerability or the threat would have
to be disclosed, within the proposed mitigation.
It is not necessarily timely, because it is a very
inclusive process that gets everyone to participate. It is not
necessarily responsive, because the commission can't author a
standard. It can't direct a specific measure.
It can make a directive to a specific mitigation. But it
has no control over what might come back from industry.
So in that context, it is totally insufficient to assure
that a vulnerability or a threat, either physical or cyber, has
been addressed.
Mr. McGurk. Yes, ma'am, from the standpoint of Department,
we look at all the pending legislation and we look at
opportunities to identify the best method to move forward. Of
key concern, from our standpoint is, I go back to some of my
previous experience as an arms control inspector under the
START Treaty and INF Treaty.
We were directed to trust, but verify. There lies the key.
I can issue a directive, but unless I have the ability to
follow up and determine whether those actions were taken, I
have no firm understanding whether or not the threat has been,
or the risk has been mitigated.
So subsequently, language that addresses that opportunity,
for whatever appropriate agency, will take those necessary
steps, feel is vital to continuing the mission.
Ms. Clarke. I am going to yield back the balance of my time
and now recognize the Ranking Member of the subcommittee, the
gentleman from California, Mr. Lungren, for his questions.
Mr. Lungren. Thank you very much, I would address this to
all of you.
We talk about the Smart Grid. In some ways, it reminds me
of some of the issues we had when we went to on-line banking.
It is only going to be utilized by people. People are only
going to have confidence in it if they feel that it is secure.
Are we doing what we need to do to make sure, as we develop
the Smart Grid proposals at various levels, to build security
into it?
Ms. Hoffman. Within the funding opportunity announcement,
the Department of Energy did put very strict requirements for
proposers to document and look at their cybersecurity aspect.
They will have to include that in the proposals. So, we feel
very comfortable with the language put in there that any
proposers are going to have to address some of the elements
that I have mentioned in my testimony as part of their Smart
Grid projects.
Mr. Lungren. Let me put it another way. For other kind of
enterprises, we have insurers who assess risk, and make
insurance rates based on that risk. Obviously to mitigate those
rates, you do certain things.
There are sometimes tax incentives. There are a whole host
of things.
Is regulation the only and most effective way we can make
sure that security is built into the Smart Grid? Or do we need
to look at some of these other mechanisms as well?
Ms. Hoffman. If I may start, security is a service. It is a
process that has to be included within the utility or within
the Smart Grid infrastructure.
So, it is a service that must be maintained, just like we
have service on our computers. So, it is a way to--it should be
developed within the electric industry, so that there are
companies, such as the ones you have heard of in the first
panel, to provide the service to the industry as well as to the
customers.
Mr. Lungren. Is there something we need to do to make sure
that the rate structure allows for this?
Ms. Hoffman. Within the Smart Grid technologies, we are in
within specific aspects of utility infrastructure. The rate
structures can be used to support that.
For national security events, which is a public good, there
are probably maybe other mechanisms that could be investigated.
Mr. Lungren. Well, let me ask you this, Mr. McClelland.
This goes to the question of EMP. We have heard low-
probability, high-consequence. I would say the highest
consequence.
Mr. McClelland. Yes.
Mr. Lungren. Almost. How do we ensure? Or, how do we
provide incentives that the private sector and the--let's just
concentrate on the private sector. The private sector will take
seriously these sorts of things.
What I mean by that is this: If you are going to go to your
whatever authority it is you have to go to for your rates, rate
approval, and they say, ``well, to justify your rates, you have
to show us that there is a reasonableness to what you are
doing, and what you want to charge for.''
They go in and they say, ``Well, low-probability, high-
consequence.'' Does a rate-making organization authority in a
State, or even a regional area, understand that? Do we need the
focus of the Federal Government to actually have us take it
seriously?
The reason I say that is, I just don't think we are taking
this seriously enough. When you hear the testimony of the
consequences, I mean, it makes ``Katrina'' look like a day in
the park.
Mr. McClelland. Yes.
Mr. Lungren. Yet, after Katrina, we said, ``Oh my god, we
will never let that happen again. We have got to be more
focused on it. We will put billions of dollars in to make sure
that kind of thing doesn't occur.''
Yet I don't sense that in terms of EMP. You seem to take
EMP seriously.
Mr. McClelland. Yes.
Mr. Lungren. You seem to accept the argument that it could
have devastating consequence.
Mr. McClelland. Yes.
Mr. Lungren. But yet it does not appear to me that we,
either in the Congress or the Executive branch, have taken it
seriously enough to make it the kind of priority that I would
have. So I guess I would ask you, what do we need to do so that
the range of costs that we have seen, the EMP Commission said
that the range of costs to protect critical infrastructure
components would range--could be from $150 million to $9
billion. That is a lot of change.
Do you believe Congress should provide cost recovery to
utilities to cover these expenses through reimbursement by the
rate payers? Is that reasonable? Is it something that Congress
needs to do in terms of subsidies? Tax incentives? I mean, what
do we need to do to make this happen?
Mr. McClelland. I would like to begin by--I will jump back
for a second to your prior question about Smart Grid. Last
week, the commission issued a policy statement under EISA. The
commission's responsibility after NIST develops the standards,
to codify the standard, to put the standards into place, to set
the standards and in order that interoperability is
established.
One of the key elements in the policy statement last week
was that the commission would provide rate recovery and would
even consider stranded costs for an entity that began to
install Smart Grid equipment, but then the equipment was
obsolete. It turned out to be obsolete, if the entity built in
cybersecurity, that was one of the four elements.
So there is a cost recovery mechanism. The same application
can and should be applied to EMP. It is unrealistic to think
that entities, that utilities, will move forward on EMP
mitigation measures in the context of high-risk low-
probability.
If I just might say something about that, on the last panel
there were two different witnesses, and I won't say who they
are, but it was very telling. One witness classified it as
high-risk, low-probability. A second witness, however, said
high-risk low-frequency. There is a very big difference.
Mr. Lungren. Yes.
Mr. McClelland. Probability is not an assessment and I
think you heard that very clearly, that without intelligence,
without information, it is not an assessment that an entity or
a person is qualified to make. That should be left to the folks
that deal with intelligence.
So high-risk, low-frequency is a better way to classify it,
coupled with a rate recovery mechanism. On the very end, I mean
partnership is great, and we all hope that partnership works.
But in the absence of a regulatory mechanism, to Mr. McGurk's
point about trust and verify, in the absence of some regulatory
mechanism to force an entity to take action, some entities just
simply will not take action. Regulation is there for the
entities that won't take action.
So I really believe, a personal perspective on this, and I
was in the electric utility industry for 20 years before I came
to Government for the past 5, that we knew about EMP, we knew
about EMP mitigation measures. I saw a declassified report that
showed a very specific attack vector and we were asked to
evaluate that. I was asked as a controls and relays engineer.
We did our job.
But the chance that industry would move forward, if it
considers it to be a low probability of event, with everything
else that is happening, is really not realistic.
Mr. Lungren. Thank you.
Ms. Clarke. I now recognize Ms. Richardson, of California,
a Member of the subcommittee, for her questions at this time.
Ms. Richardson. Thank you, Madame Chairwoman.
Mr. McGurk, as you saw, I introduced you to one of the
witnesses, who seemed to have made some attempts to reach out
to the Department, but had not been successful. How long have
you been in your position?
Mr. McGurk. [Inaudible.]
Ms. Richardson. Could you turn your microphone on?
Mr. McGurk. Pardon me, Congresswoman.
I joined the Department in January 2008. In September 2008,
I participated in a brief, hosted by the Department of Defense,
for the cross-sector cybersecurity working group on the EMP
process.
We also engaged with the doctors' group to evaluate the
impacts on the critical infrastructure and produced a report in
November, recognizing the importance of not only the impacts on
the electric grid, but the other critical infrastructures
across our country.
So we have been engaging across the board. The doctor has
met with individuals from our infrastructure protection branch,
so the comment about FEMA may have been miscommunications. But
we have been engaged and engaging with his organization,
focusing on EMP.
Ms. Richardson. How much of your time, would you say, is
spent on the issue of what we are talking about today?
Cybersecurity within your jurisdiction?
Mr. McGurk. I have the luxury, if you will, to focus my
entire time on control systems, cybersecurity. That is what my
program was created to do. So in all of the Department of
Homeland Security, my organization focused specifically on
cybersecurity and physical security threats to industrial
control systems.
Ms. Richardson. Who do you report directly to?
Mr. McGurk. I report to the director of the national
cybersecurity division.
Ms. Richardson. Which eventually, who reports to the
Secretary?
Mr. McGurk. The under secretary for national preparedness
and protection.
Ms. Richardson. Is how far away from you?
Mr. McGurk. Two steps removed. It is the director of the
national cybersecurity division reports to the assistant
secretary for cybersecurity and communications, who reports to
the under secretary for NPPD, who reports to the Secretary.
Ms. Richardson. So how often do you have an opportunity to
report to the under secretary or Secretary, if at all?
Mr. McGurk. I have briefed both the previous under
secretary and Secretary and I have had the opportunity to brief
the current deputy under secretary. I have not had an
opportunity to brief the current Under Secretary Beers.
Ms. Richardson. Okay. Did you have an opportunity to read
the testimony of Dr. Graham and Mr. Fabro?
Mr. McGurk. No, I did not have an opportunity prior to this
meeting.
Ms. Richardson. Do you have a copy of their testimony?
Mr. McGurk. I do not.
Ms. Richardson. Okay. I will make sure that you personally
get it. I would be curious for you to read both of their
testimonies. Towards the end of Mr. Fabro, he gives several
specific recommendations and Mr. Graham, on page 5, he gives
very specific recommendations. Would you be willing to read
those?
Mr. McGurk. Oh, absolutely, Congresswoman.
Ms. Richardson. Okay.
Mr. McGurk. Thank you.
Ms. Richardson. Based upon what you heard so far today, is
there anything that you would be in opposition to of what folks
shared, things that we could do better?
Mr. McGurk. I do want to emphasize that the previous
panel's comments on public-private partnership, I think that is
the key element. As was previously mentioned, regulation is
just part of the equation. It is not the final solution. So
there has to be an understanding and a collaborative effort
between the private sector and the Federal Government to ensure
that we address these issues.
We often focus on the critical asset owners. We miss the
responsibility and the opportunity of dealing with the vendor
community.
We actually have a subgroup in the industrial control joint
working group that focuses on the vendors and brings the
vendors to the table so that we can incentivize the development
of more secure products for the future. That was a key part in
developing our procurement standards, which we published in
August of last year, identifying those steps necessary to
develop and distribute and integrate more secure devices.
Ms. Richardson. So do you reach out to traditional
partners, the same ones you have always had? Or what do you use
to reach out to some others? Because unfortunately, the
testimony today was not consistent with what you have said.
Mr. McGurk. We are attempting to reach out. The industrial
control systems working group is following on the efforts that
were established by the process control systems forum. So we
are maturing and growing that activity. Again, much of our
focus in the past was on primarily the energy sector,
specifically the electric sector. Unfortunately, we need to
focus on all 18 critical infrastructures.
So we have invested heavily in developing the partnerships
with water, chemical, transportation, critical manufacturing,
across the board, because when it really comes down to it,
these industrial control systems are pretty much the same
across all these industries.
The components that we use have the same vulnerabilities,
whether it is moving a robotic arm that builds the car or
generating power.
Ms. Richardson. Okay. My last question, I have got 13
seconds, so if you could be brief in your reply.
Mr. McGurk. Yes.
Ms. Richardson. One of the things that stuck out to me was
the procurement process that we have, many private enterprises
that own many aspects of this whole area for us, and yet we are
really not putting the things in place to ensure that they are
doing the security aspect as well. Do you see improvements that
could be made?
Mr. McGurk. Absolutely. We can definitely improve that
procurement process.
Ms. Richardson. So could you provide those comments to this
committee?
Mr. McGurk. I--yes, I can.
Ms. Richardson. Thank you very much. I yield back. Fifteen
seconds.
Ms. Clarke. I now recognize the gentleman from Maryland,
Mr. Bartlett, for 5 minutes.
Mr. Bartlett. Thank you very much, and thank you again for
convening this hearing.
Mr. McClelland, I would like you to help me clear up a
definition problem. On page 2 of your testimony, written
testimony, on page 2 of Mr. Assante's written testimony, there
are definitions of bulk prices and they seem to be different.
You have a fairly restrictive one that exempts all local
distribution facilities, including virtually all of the grid
facilities in certain large cities.
The definition in Mr. Assante's written testimony says bulk
power system is defined by, and he gives the section of the
law, distributes and controls systems necessary for operating
an interconnected electric energy transmission network or any
portion thereof. Electric energy from generation facility
needed to maintain transmission system facilities.
So his would appear to include anything and everything and
yours would appear to exclude large portions of the system.
Which one is correct?
Mr. McClelland. The NERC definition for bulk power system
is defined as generally 100 kv and above. It is actually bulk
electric system.
When EPAct 2005 was passed, it used a new term. Bulk power
system. The commission, as you are probably aware, the
commission issues a notice of proposal making, collects
comments, considers the comments and then issues a final rule.
This was a section or a definition that was heavily
commented on in the industry----
Mr. Bartlett. Could you help us in getting, for your two
agencies, a consistent definition, so we know what we are
dealing with? I would appreciate that. Thank you very much.
I want to make a brief comment about a comment that Dr.
Graham made about a robust EMP attack bringing down the power
grid, and it might be out for several months or a year or more,
and some might wonder how could that be? That is because if the
grid comes down, it is very likely to take out large
transformers. We don't make them. There are no spares. They are
made somewhere overseas. If you order one, they will deliver
one in a year or 18 months or so. That is how long it takes to
make them, which is why that observation--why that observation.
Mr. McClelland, don't you think this might have been a good
place to use the stimulus money, in hardening the grid?
Wouldn't it make a lot of pretty good jobs?
Mr. McClelland. It sounds like a good idea.
Mr. Bartlett. Thank you, sir. I agree. I agree. Okay.
Ms. Hoffman, you had mentioned that--does not have a
program that would allow for private or publicly-owned
facilities to receive Federal grants. What do we need to do to
fix it? Could you fix it administratively? Or does that need
legislation to fix that? Because we certainly ought to be
helpful, don't you think? How much--do we have to do something
or can you do it?
Ms. Hoffman. Within the Department, we set our priorities
and there is no priority at this--or there is no activity at
this time for that effort.
Mr. Bartlett. Well, I would hope after this hearing that
there would be. I would hope.
Mr. McGurk, this strikes me as a great idea, but the
reality is that the more effective we are in producing a Smart
Grid, the less secure we are from an EMP attack. Because that
just increases our vulnerability. We really do need to do
something about that.
You mentioned the state of units that are out there that
are controlling all of this. Many of those components, nobody
is around who made them. I have no idea where we get new ones.
Mr. McGurk. Yes.
Mr. Bartlett. They are saying that those are really, really
old.
You mentioned national strategy to secure cyberspace. Sir,
if there is, if Dr. Graham is correct, then there is a robust
EMP lay down, there will be no cyberspace to secure. Do you
think he is wrong?
Mr. McGurk. Oh, absolutely not, sir.
Mr. Bartlett. Good. Well, then, I hope we are doing
something more than we are now doing because I see us doing--if
it is zero to 100, I see us doing something about 0.05 in terms
of hardening our system.
Ms. Furlani, how is EMP incorporated among the factors for
developing Smart Grid standards? Are you doing that? Is this
new grid going to be hardened for EMP?
Ms. Furlani. It is one of the areas that we have in our
long list. We are certainly taking it under consideration with
our partners in BOE and SBC to understand where the standards
needs might be.
Mr. Bartlett. Well, I hope that this gets higher priority
than it has had because as the testimony today indicated, we
are enormously vulnerable here. Vulnerability encourages
attack. It doesn't have to be a state actor, it could be a non-
state actor.
I had a guy from the Department of Defense tell me there
were no platforms out there from which these guys could launch
this. Any tramp steamer is an adequate platform. A scud
launcher goes up 180 miles apogee, that is plenty high enough
to take out all of New England or all of California and other
territories. A crude nuclear weapon, if you miss the target by
100 miles, it is just as good as a bull's eye. This is clearly,
clearly, the most asymmetric weapon that any potential foe has.
Thank you very much. I yield back.
Ms. Clarke. Thank you, Mr. Bartlett. You certainly have
raised some very key and critical points that we must be
vigilant around. Ms. Hoffman, you may not--we are telling you
that this is really a priority. We want to ask you to please,
take this back to Secretary Chu.
I now recognize, the gentleman from New Mexico, Mr. Lujan
for 5 minutes.
Mr. Lujan. Thank you very much, Madame Chairwoman. My
questions go along the same questions that I asked the first
panel. Around, my question is to if all G&T, generation and
transmission companies, all distribution networks, and best-run
utilities, rural cooperatives are included in this broad
definition of bulk power system, knowing that they are not.
With that being said, what are we doing to prepare to be
able to address all those needs that fall outside of NERC's
authority? I would pose that to the panel.
Mr. McClelland. I guess I would like to start by asking a
clarifying question.
Is the premise that bulk power system includes all the G&T
and distribution facilities?
Mr. Lujan. Well, for the most part, most G&Ts do fall under
bulk power systems, with the exception of, I would say, a few
that do fall out. But, the specific question is, for those that
are not included under the definition of a bulk power system,
G&Ts, IOUs, rural cooperatives, wherever they may be, including
their distribution networks, what is occurring for the
coordination there?
Because, according to some of the testimony from the last
panel, that has already seems to have fallen, to some extent,
under NERC. But, the remaining authority is presumed to fall
upon Fed regulatory authorities or other entities, depending on
the make-up of the utility.
So, what are we doing to include them as we begin to deploy
some of the Smart Grid technologies that will be invested in?
Mr. McClelland. I guess, I would like to start with the
bulk power system definition, is defined per region. So, the
definition of bulk power system is very different in New
England, for instance, than it is in the West that excludes
many more facilities.
Now having said that, even the CIP standard, the NERC CIP
standards for cybersecurity, it is this staff members' position
and our Chairman's position, that Section 215 of the Federal
Power Act, which is the reliability standard, is inadequate to
protect the grid from a national security threat.
It is fine for everyday reliability matters. But, if there
is an emergency action that is necessary to protect the grid
from either a physical or a cyber attack, it is inadequate.
That is why the commission has advocated, the Chairman has
advocated, that the commission receive additional authority if
the expectation is that the commission could protect it.
On the facilities that could fall outside of the bulk power
system, the commission did issue a policy statement last week.
It did say that, one of the items necessary for rate recovery
is its Smart Grid appliances and devices must demonstrate
conformity to cybersecurity. They must be protected from a
cybersecurity standpoint.
So, the commission has used its authority that is
advocating for additional authority to protect against national
security threats.
Mr. Lujan. With that, Ms. Hoffman, if you could address
that question as well? And go on to--based on the position that
has been put out by FERC, with the position that Smart Grid
investments have to comply with cybersecurity technology. Can
grants also be applied for those reasons?
Or, can the funds be used in that way to make sure that
they are investing in necessary cybersecurity preparation, or
tools, platforms, software, whatever the application may be, or
technology may be included in so many investments they will be
making?
Ms. Hoffman. Yes, Congressman, your first question, the
Department of Energy's program does not distinguish between the
bulk power system. So, we are indifferent. So, we look at
projects that will get the cybersecurity for the energy sector,
looks at the energy sector as a whole.
As well as the Smart Grid activity does not distinguish
projects between the bulk power system. We look at the bulk
system as a whole, with respect to the Smart Grid. With respect
to the Smart Grid, projects must look at cybersecurity aspects.
So, it will be baked in, or as part of their proposal.
Mr. Lujan. Mr. McGurk.
Anything that you would like to add in regard there?
Mr. McGurk. Congressman, I would just like to add that we
are working with both the Department of Energy and also with
the private industry to identify those requirements, doing the
end-to-end.
As Ms. Hoffman had identified, we also, in the Department,
look from the end-user, home delivery system back up without
having a regard to any defined division between bulk power or
the distribution networks.
So, we work across the board along with the Department of
Energy to assist in identifying those cybersecurity
vulnerabilities.
Mr. Lujan. Just a clarifying question, Ms. Hoffman. Does
EMP also fall under what can be included with some of the
dollars associated with the Smart Grid implementation? Do those
safety standards, can they be included in some of the
investments that will be made?
Ms. Hoffman. Right now, the Department does not have any
activities for EMP hardening.
Mr. Lujan. Okay, thank you very much.
Then, Madame Chairwoman, just one question that I would
like to pose to Ms. Furlani, and maybe she could submit it into
the record in a written format?
But, just the same question I posed to the panel earlier as
far as the lack of standards that do exist for the platforms,
from a cybersecurity perspective, or some of the data systems
that exist for energy companies. Should some standards be
included there?
What is the Department looking at in order to be able to
facilitate or respond to some of those questions? Or how do
they evaluate them?
Thank you very much, Madame Chairwoman.
Ms. Clarke. Thank you, we will do that.
I now recognize the gentleman from Ohio, Mr. Austria, for
questions.
Mr. Austria. Thank you, Madame Chairwoman. Let me--I will
keep my remarks brief. I know we have votes going on right now.
But, I think we all agree here today in this panel, that
the electric grid remains highly vulnerable to the cyber and
physical attack. That it could possibly disable a wide portion
of the grid for weeks, months, and even possibly years.
As we move into the 21st century, moving towards new
technology, and we push towards making electric infrastructure,
electronic and digital, on the one hand, we are saving money,
billions of dollars possibly, and we are making it much more
quicker, much more reliable, a much more reliable system.
But on the other hand, we are also creating cyber and
physical making vulnerable--the word just wouldn't come out,
becoming more vulnerable.
I am, concerned that we don't have a comprehensive plan in
place with that protection in place right now. Today, most of
the critical electric infrastructure is owned and operated by
the private sector.
Regulators of the electric grid currently have limited
authority and require these electric utilities to secure their
systems against cyber and physical attacks. This hearing has
been very informative and eye-opening.
Just to recap on a couple of things, I want to ask Mr.
McClelland first, and recap on what the Ranking Member started
to go down this route, as far as--first of all, what should
utilities do to better identify those critical cyber assets
that are out there?
Then, the question has come up multiple times, as far as
incentives. Should there be--are statutory requirements
necessary to put those incentives in place to move to that
direction?
Mr. McClelland. I will start starting with the
identification of critical assets, which subsequent comes the
identification of critical cyber assets, which then puts the
facilities under the CIP standards.
NERC, itself, has begun the process to rectify this
problem. The amount of critical assets that were identified was
low. So, Mr. Assante, who is on the power panel, wrote a letter
to industry saying, ``Hey, rather than assume that your one
particular facility in isolation on the whole power grid is not
critical, you need to start from the assumption that you have
to justify that it isn't critical.''
In other words, you have to opt it out of the mix.
NERC is also preparing guidance documents to help entities
review in aggregate, what everyone else is doing, a guidance
document to identify critical assets.
Finally, when the commission approves its CIP standards,
the commission identified this as a deficient area. So, it is
not going to work if the utilities that are under regulation
get to identify what is a critical asset, a critical cyber
asset and what isn't.
Therefore, the commission directed BER to rewrite the
standard, and bring the standards back to the commission. From
that point on, from the time the standards would be revised,
there will be a regional review process. Then those
determinations will be subject to the commissions review.
Unfortunately, it is going to use the standards development
process which can take years for it to get through, ballot
through, and then come back to the commission. It may not be
entirely responsive to the commissions directive.
That is the process under Federal Power Act----
Mr. Austria. I appreciate that. From a time constraint, let
me have, Ms. Hoffman, your perspective on, since acting
assistant secretary for the electricity delivery and energy
reliability, DOE, as a specific sector agency for the energy
sector, are you getting industry member cooperation for
developing risk management strategies? And implementing
security measures to protect their critical infrastructures?
Ms. Hoffman. My apologies. We are getting cooperation. We
have focused on the vendor communities. We have taken several
different approaches to looking at security improvements within
the sector, working with the vendors, and working with the
electric or energy companies directly, in assessing the
technology for vulnerabilities, as well as improving the
technology.
Mr. Austria. Madame Chairwoman, I am going to yield back my
time. Because I know we have votes going. We don't want to miss
the votes.
Ms. Clarke. I want to thank each of you for your valuable
testimony here today. I want to thank the Members for their
questions.
Mr. Bartlett, thank you for your wisdom on this matter.
Also, let the Members of the subcommittee know that if you have
additional questions for the witnesses, we will ask for you to,
you can submit them, and we will get it to you.
We ask that you will respond to us expeditiously in writing
to those questions.
Hearing no further business, I want to thank you once again
for your testimony here today. I know that there is a lot of
inquiry coming from the membership with regard to this matter,
a lot of interest and concern.
So, this is probably what we would call Part 1 of what will
be a number of other hearings around this matter during this
session. So, I want to thank you and just alert you to that.
This meeting is adjourned.
[Whereupon, at 5:42 p.m., the subcommittee was adjourned.]
A P P E N D I X I
----------
Letter From Michael J. Assante, Chief Security Officer, North American
Electric Reliability Corporation
April 7, 2009.
TO: Industry Stakeholders
RE: Critical Cyber Asset Identification
Ladies and Gentlemen: In the interests of supporting NERC's mission
to ensure the reliability of the bulk power system in North America,
I'd like to take this opportunity to share my perspectives with you on
the results of NERC's recently completed self-certification compliance
survey for NERC Reliability Standard CIP-002-1--Critical Cyber Asset
Identification for the period July 1-December 31, 2008 along with our
plans for responding to the survey results. As you may already be
aware, compliance audits on this standard will begin July 1, 2009.
The survey results, on their surface, raise concern about the
identification of Critical Assets (CA) and the associated Critical
Cyber Assets (CCA) which could be used to manipulate them. In this
second survey, only 31 percent of separate (i.e. non-affiliated)
entities responding to the survey reported they had at least one CA and
23 percent a CCA. These results are not altogether unexpected, because
the majority of smaller entities registered with NERC do not own or
operate assets that would be deemed to have the highest priority for
cyber protection. In that sense, these figures are indicative of
progress toward one of the goals of the existing CIP standards: To
prioritize asset protection relative to each asset's importance to the
reliability of the bulk electric system. On-going standards development
work on the CIP standards seeks to broaden the net of assets that would
be included under the mandatory standards framework in the future, but
this prioritization is an important first step to ensuring reliability.
Closer analysis of the data, however, suggests that certain
qualifying assets may not have been identified as ``Critical.'' Of
particular concern are qualifying assets owned and operated by
Generation Owners and Generation Operators, only 29 percent of which
reported identifying at least one CA, and Transmission Owners, fewer
than 63 percent of which identified at least one CA.
Standard CIP-002 ``requires the identification and documentation of
the Critical Cyber Assets associated with the Critical Assets that
support the reliable operation of the Bulk Electric System.'' The
standard goes on to specify that these assets are to be ``identified
through the application of a risk-based assessment.'' Although
significant focus has been placed on the development of risk-based
assessments, the ultimate outcome of those assessments must be a
comprehensive list of all assets critical to the reliability of the
bulk electric system.
A quick reference to NERC's glossary of terms defines a CA as those
``facilities, systems, and equipment which, if destroyed, degraded, or
otherwise rendered unavailable, would affect the reliability or
operability of the Bulk Electric System.''
Most of us who have spent any amount of time in the industry
understand that the bulk power system is designed and operated in such
a way to withstand the most severe single contingency, and in some
cases multiple contingencies, without incurring significant loss of
customer load or risking system instability. This engineering construct
works extremely well in the operation and planning of the system to
deal with expected and random unexpected events. It also works,
although to a lesser extent, in a physical security world. In this
traditional paradigm, fewer assets may be considered ``critical'' to
the reliability of the bulk electric system.
But as we consider cybersecurity, a host of new considerations
arise. Rather than considering the unexpected failure of a digital
protection and control device within a substation, for example, system
planners and operators will need to consider the potential for the
simultaneous manipulation of all devices in the substation or, worse
yet, across multiple substations. I have intentionally used the word
``manipulate'' here, as it is very important to consider the misuse,
not just loss or denial, of a cyber asset and the resulting
consequences, to accurately identify CAs under this new
``cybersecurity'' paradigm. A number of system disturbances, including
those referenced in NERC's March 30 advisory on protection system
single points of failure, have resulted from similar, non-cyber-related
events in the past 5 years, clearly showing that this type of failure
can significantly ``affect the reliability (and) operability of the
bulk electric system,'' sometimes over wide geographic areas.
Taking this one step further, we, as an industry, must also
consider the effect that the loss of that substation, or an attack
resulting in the concurrent loss of multiple facilities, or its
malicious operation, could have on the generation connected to it.
One of the more significant elements of a cyber threat,
contributing to the uniqueness of cyber risk, is the cross-cutting and
horizontal nature of networked technology that provides the means for
an intelligent cyber attacker to impact multiple assets at once, and
from a distance. The majority of reliability risks that challenge the
bulk power system today result in probabilistic failures that can be
studied and accounted for in planning and operating assumptions. For
cybersecurity, we must recognize the potential for simultaneous loss of
assets and common modal failure in scale in identifying what needs to
be protected. This is why protection planning requires additional, new
thinking on top of sound operating and planning analysis.
``Identification and documentation of the Critical Cyber Assets
associated with the Critical Assets that support the reliable operation
of the Bulk Electric System'' necessitates a comprehensive review of
these considerations. The data submitted to us through the survey
suggests entities may not have taken such a comprehensive approach in
all cases, and instead relied on an ``add-in'' approach, starting with
an assumption that no assets are critical. A ``rule-out'' approach
(assuming every asset is a CA until demonstrated otherwise) may be
better suited to this identification process.
Accordingly, NERC is requesting that entities take a fresh,
comprehensive look at their risk-based methodology and their resulting
list of CAs with a broader perspective on the potential consequences to
the entire interconnected system of not only the loss of assets that
they own or control, but also the potential misuse of those assets by
intelligent threat actors.
Although it is the responsibility of the Registered Entities to
identify and safeguard applicable CAs, NERC and the Regional Entities
will jointly review the significant number of Table 3 and 4 entities
\1\ that reported having no CAs to determine the root cause(s) and
suggest appropriate corrective actions, if necessary. We will also
carry out more detailed analyses to determine whether it is possible
that 73 percent of Table 3 and 4 Registered Entities do not possess any
assets that, ``if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the Bulk
Electric System.''
---------------------------------------------------------------------------
\1\ Table 3 and 4 entities refers to those entities identified in
the Implementation Plan for Cyber Security Standards CIP-002-1 through
CIP-009-1.
---------------------------------------------------------------------------
Additionally, NERC plans to host a series of educational webinars
in the coming weeks to help Registered Entities understand CIP
standards requirements and what will be required of them to demonstrate
compliance with the standards once audits begin in July. NERC also
plans to incorporate a set of informational sessions into this series,
designed to allow the industry to share practices and ask questions of
each other in an open, but facilitated, dialogue.
We expect to see a shift in the current self-certification survey
results as entities respond to the next iteration of the survey
covering the period of January 1-June 30, 2009 and when the Regional
Entities begin to conduct audits in July.
I look forward to an on-going dialogue with you on these important
issues. As always, please do not hesitate to contact me, or any of my
staff, with any questions or concerns.
Sincerely,
Michael Assante,
Chief Security Officer.
______
Statement of the National Association of Regulatory Utility
Commissioners
July 17, 2005
The National Association of Regulatory Utility Commissioners
(NARUC) was requested to provide responses to a number of questions
presented to NARUC staff by the subcommittee. The responses provided
below are an attempt by the NARUC staff to provide factual responses to
the questions posed by the subcommittee and do not necessarily reflect
the official policy positions or views of NARUC and or its membership.
We respectfully request that these responses be placed into the record
of these proceedings.
What assets do State utility commissioners have jurisdiction over? How
does this differ from the jurisdiction of FERC? Is there any
cross-over?
The Federal Power Act gives FERC authority over the sale of
electricity in inter-State commerce (``bulk power'') and inter-State
transmission. The States retain jurisdiction over unbundled
transmission, generation, distribution, and retail rates.
There is some jurisdictional overlap. For example, the States and
FERC have concurrent jurisdiction over reliability. Section 215 of the
Federal Power Act provides FERC and NERC authority over reliability,
but simultaneously asserts that this section does not preempt State
authority ``to take action to ensure the safety, adequacy, or
reliability of electric service within the State, as long as such
action is not inconsistent with any reliability standard.'' FPA �
215(i)(3). Similarly, transmission tariffs approved by FERC are folded
into retail rates.
How does cost recovery work?
Cost recovery is generally established through a rate proceeding
whereby a regulatory authority evaluates the costs that the utility
requests to recover through rates. These costs may be initiated by the
utility, or the utility make seek recovery for investments made in
response to a Government mandate for something like increased security.
Through a rate hearing, the regulatory authority evaluates the
requested cost recovery to ensure that the cost conforms to their
standards for approving the costs. These standards vary, including
evaluations of whether the incurred cost was ``used and useful,''
``just and reasonable,'' or prudently incurred. After evaluating the
cost to see if it is recoverable, the regulatory authority generally
specifies a mechanism by which the utility will recover the actual cost
recovery. Cost recovery mechanisms include base rate changes to
tariffs, adjustment clauses, deferral accounts, line item changes, or
closed proceedings that allow for the confidential treatment of
security costs.
What cost recovery mechanisms exist for utilities to recover costs for
physical and cybersecurity protections?
State regulators are committed to allowing cost recovery of
critical infrastructure costs that are prudently incurred. Generally
this cost recovery goes through the standard rate case. Regulators have
found that the existing inventory of cost recovery protocols and cost
recovery mechanisms is sufficient. In some cases, State legislatures
have stepped into reaffirm that required security costs are eligible
for recovery, as long as the costs are reasonable and prudently
incurred.
Does the current FERC/NERC standards-setting process for infrastructure
protection (i.e. NERC writes, FERC approves or remands) make
sense in a national security context? Does NARUC believe that
industry-written standards are appropriate to protect assets as
critical to national security as the electric system?
The NERC standards approval process meets the majority of grid
challenges. The NERC process engages industry in the development of
standards that FERC approves. This process results in mandatory
standards for the bulk power system that are clear, technically sound
and enforceable, and that garner broad support within the industry.
NERC is continually improving its standards; it is striving to draw
from the state-of-the-art in cybersecurity, through consideration of
the National Institute of Standards and Technology (NIST) framework for
cybersecurity, and to integrate that framework into NERC's existing
Critical Infrastructure Protection standards. NERC has also implemented
policies that allow for the confidential and expedient development of
standards, including those related to cyber- and physical security.
Have any States required utilities to meet physical or cybersecurity
standards that go beyond the NERC mandatory standards? If so,
please provide States and standards required.
We are unaware of such State standards, but would be happy to
contact our members and get back to you if we learn of any examples.
What are the key aspects of any piece of legislation that seeks to
secure the electric grid from cyber and physical attack?
Cybersecurity legislation should not reinvent the wheel. It should
continue to recognize and, if necessary, make more robust the FERC-NERC
standards-setting process. It should also recognize and respect the
power system's existing State and the Federal jurisdictional
boundaries.
The legislation should create a framework for improved information
flow from the Federal Government to State regulators and industry of
any known threat or vulnerability. This information flow would
facilitate increased security for the grid infrastructure. It is
critical that any information conveyed from the Federal Government to
States or industry about a specific threat be timely and actionable to
best enable a response. This information can enable a utility's expert
operators and cybersecurity staff to make the needed adjustments to
systems and networks to ensure the reliability and security of the bulk
power system.
In the case of actionable intelligence about an imminent threat to
the bulk power system, it may be necessary for Government authorities
to issue an order, which could require certain actions to be taken by
the electric power industry. In these limited circumstances, when time
does not allow for classified industry briefings and development of
mitigation measures for a threat or vulnerability, FERC should be the
Government agency that directs the electric power industry on the
needed emergency actions.
Do the commissioners that comprise NARUC maintain any existing
authorities that would allow them to require owners and
operators of electric facilities to harden their equipment to
mitigate the effects of an electromagnetic pulse?
Commission-authorized reliability investments generally require
that the utilities protect against ``all hazards.'' Although
commissions generally do not prescribe against specific threats, ``all
hazards'' standard of review mandates that utilities protect against,
or create mitigation measures to limit detrimental reliability effects,
from any anticipated threat, including an electromagnetic pulse.
Do the commissioners that comprise NARUC maintain any existing
authorities that would allow them to require owners and
operators of electric facilities to harden their equipment to
mitigate the effects of a cyber attack?
Again, State regulatory authorities generally require utilities to
protect against all hazards. NERC sets the cybersecurity standards. The
commissions, including FERC within its authority over transmission,
approve costs based on investments the utilities make to conform to
these standards.
How many Smart Grid projects have been funded by commissioners thus
far? In general terms, what are the security requirements for
these projects?
California and Texas have approved the rollout of advanced metering
infrastructure (AMI) with cost recovery. Texas requires that the
electric utility have an independent security audit of the advanced
meters and report the results of the security audit to the commission.
(See Texas Substantive Rule � 25.130, http://www.puc.state.tx.us/rules/
subrules/electric/25.130/25.130.pdf). I believe that California is
still evaluating the rules for the AMI rollout.
There may be additional Smart Grid projects that have qualified for
cost recovery of which we are not aware.
With the rollout of the Smart Grid investment grants and Smart Grid
demonstration projects under the American Reinvestment and Recovery Act
of 2009, there will be a larger number of Smart Grid projects
developed. These funding opportunity announcements discuss and
prioritize security, and will certainly be a factor for consideration
in the selection of these projects. Smart Grid projects, like all
projects, must meet NERC's cybersecurity requirements. Additional
security requirements and standards are under development. For example,
NIST is working to develop cybersecurity standards for the Smart Grid,
with a domain expert working group dedicated to the task. State
commission staffs participate in the NIST cybersecurity working group.
State commissions may choose to adopt and mandate the standards NIST
develops for Smart Grid deployment within its jurisdiction.
Further, NARUC Critical Infrastructure Committee continues to
monitor and educate its members on security threats and the evolution
of the Smart Grid.
______
Statement of William Radasky and John Kappenman
introduction
We wish to thank the House Homeland Security Subcommittee on
Emerging Threats, Cybersecurity, and Science and Technology for
inviting us to submit this written statement with regard to the
protection of the critical electric infrastructure of the United States
against cyber and other physical threats.
While this statement will draw upon the experience and capabilities
of Metatech Corporation, headquartered in California with its largest
operation in New Mexico, the opinions expressed in this statement are
those of Dr. William Radasky, Ph.D., P.E., President of Metatech and
Mr. John Kappenman, P.E., Metatech Consultant.
our capabilities and experience
Metatech Corporation was founded in 1984, and in its early years
focused its work completely on the understanding of the various forms
of electromagnetic pulse (EMP) created by nuclear detonations (HEMP,
SREMP, SGEMP, etc.). The purpose of understanding these intense
electromagnetic fields was to determine the appropriate protection for
military electronic systems so that these systems could still operate
in the case of a nuclear burst. A burst at high-altitudes (defined as
above 30 km) can create a high-altitude electromagnetic pulse (HEMP)
that can illuminate the Earth within a line of sight. Two bursts at
several hundred kilometers altitude could fully expose the entire
United States. This type of EMP is considered one of the most severe
due to its wide area of coverage and it near simultaneous illumination
of electronic equipment and systems.
With the end of the Cold War and the subsequent reduction of
nuclear stockpiles in the world, the threat of a major nuclear war has
been reduced. On the other hand, the possibility of one or two nuclear
bursts at high-altitudes launched by a terrorist organization over the
United States seems to have increased (as suggested by the EMP
Commission). In the early 1990s, Dr. Radasky began his work with the
International Electrotechnical Commission (IEC) to examine the threat
of HEMP to civil society. He has chaired IEC SC 77C since 1991, and
this subcommittee has produced 20 voluntary standards and publications
covering both HEMP and more recently the threat of electromagnetic
weapons to civil society (known as IEMI). This committee has drawn upon
the standard types of protection that are available within the
electromagnetic compatibility (EMC) community and extended them to
these more severe threats.
In the 1990s Dr. Radasky and Mr. Kappenman joined forces to examine
the threat of geomagnetic (solar) storms on high voltage power grids.
Mr. Kappenman had worked in this field for many years with the power
industry, studying the impacts of storms on power grids, and Dr.
Radasky and his colleagues had worked on advanced forms of
electromagnetic numerical analysis stimulated by their earlier work on
EMP. It was during this time that we discovered the very strong
relationship between the impacts of geomagnetic storms and the late-
time portion of the HEMP (known as E3) on the electric power grid.
While the generation mechanisms of these disturbances are completely
different, the waveforms produced and their impacts on the power grid
are very similar.
At the present time Metatech Corporation is the leading company
worldwide providing new developments and understandings relating to
space weather (geomagnetic storms due to intense solar activity) and
its impact on large power grids. Our company has in fact been involved
in the vulnerability and risk assessment for the power grids in England
and Wales, Norway, Sweden and portions of Japan. Metatech developed and
provided continuous space weather forecasting services for the company
that operates the electric power grid for England and Wales. Since May
2002, Metatech has been providing similar vulnerability and risk
assessments for the U.S. electric power grid to the Commission to
Assess the Threat to the United States from Electromagnetic Pulse (EMP
Commission). Metatech has carried out investigations for FEMA under
Executive Order 13407 to examine the potential impacts on the U.S.
electric power grid for severe geomagnetic storm events. In addition,
Metatech work has been formative in the January 2009 Report by National
Academy of Sciences ``Severe Space Weather Events--Understanding
Societal and Economic Impacts Workshop Report''. The assessments
performed by Metatech indicate that severe geomagnetic storms pose a
serious risk for long-term outages to major portions of the North
American grid. While a severe storm is a low frequency of occurrence
event, it has the potential for long-duration catastrophic impacts to
the power grid and the country. The impacts could persist for multiple
years with the potential of significant societal impacts; in addition
the economic costs could be measured in the several trillion dollars
per year range and could pose the risk of the largest natural disaster
that could affect the United States.
what is hemp and how does it impact the power system?
As indicated earlier, HEMP is produced by a nuclear detonation
above 30 kilometers altitude. Intense electromagnetic fields are
produced in space by the high-energy radiation leaving the detonation,
and these fields propagate downward to the Earth's surface. Because of
different types of interactions, there are actually three main pulses
created, covering three time frames: Less than 1 microsecond, from one
microsecond to 1 second, and beyond 1 second. These time regimes have
been given the notations of E1, E2, and E3, respectively. As we will
discuss in this statement, each of these ``pulses'' creates different
types of problems in modern electric and electronic equipment and
systems; this is due to the ``coupling'' of the electromagnetic fields
to the electric power lines themselves and to the control wiring in
substations and power generation facilities.
what are other similar em threats that can be dealt with at the same
time?
There are two other significant power system electromagnetic
threats of concern to power systems. One is a geomagnetic storm, which
begins with the ejection of charged particles from the Sun; these
particles travel to the Earth and create large current flows in the
ionosphere at levels of up to millions of amperes for a severe storm.
The frequency of occurrence of geomagnetic storms follows the solar
cycle (�11 years), but it is expected that severe storms with the
potential for catastrophic impacts to power grids in the United States
occur once every �30 years, based on historical evidence. As in the
case of the E3 HEMP, this electromagnetic disturbance couples well to
long transmission lines and creates geomagnetically induced currents
(GICs) that can create power blackouts and damage to large
transformers.
Another electromagnetic threat of concern is that produced by
electromagnetic weapons used by criminals or terrorists producing
intentional electromagnetic interference or IEMI. These weapons have
become more powerful and easier to obtain in recent years due to
advances in solid-state electronics. These electromagnetic fields are
very similar to those produced by E1 HEMP and will impact the electric
power system in a similar fashion. The main difference is that the area
affected by IEMI is much less than for HEMP, although the attack is
silent and would not be understood in the same way as a cyber attack.
In addition an IEMI attack would not leave any trace to determine how
the attack occurred, since the electromagnetic fields would arrive
simultaneously at several locations in a system, creating multiple
failures of hardware and software.
what effects are expected on the power grid from hemp?
For the operation of the electric power grid, the HEMP E1 and E3
pulses are the most important. Research performed for the EMP
Commission clearly indicates the following concerns:
(1) Malfunctions and damage to solid-state relays in electric
substations (E1);
(2) Malfunctions and damage to computer controls in power
generation facilities, substations, and control centers (E1);
(3) Malfunctions and damage to power system communications (E1);
(4) Flashover and damage to distribution class insulators (E1);
(5) Voltage collapse of the power grid due to transformer
saturation (E3);
(6) Damage to HV and EHV transformers due to internal heating (E3).
It should be noted that these effects could result in widespread
blackouts due to the large geographic footprint of these environments
and the fact that they are simultaneous in nature. In particular a
single high-altitude burst above the United States would create an E1
pulse that would arrive at all locations within one power cycle. In
addition, widespread damage, especially to HV and EHV transformers
could require years to recover due to worldwide production limits.
costs of hardening
Given the potentially enormous implications of power system threats
due to space weather, it is important to develop effective means to
prevent a catastrophic and crippling failure of the electric power
grid. Recent detailed examinations also conclude that the United States
and other world electric power grid infrastructures are becoming more
vulnerable to disruption from geomagnetic storms and E3 HEMP
environment interactions for a wide variety of reasons. This trend line
suggests that even more severe impacts can occur in the future for
reoccurrences of large geomagnetic storms. These trends of increasing
vulnerability remain unchecked, as no design codes have been adopted to
reduce geomagnetically induced current (GIC) flows in the power grid
during such a storm. Present operational procedures utilized by U.S.
power grid operators largely stem from experiences in recent storms,
including the March 1989 storm, while storms as much as ten times
larger than this storm are only recently understood to have occurred
before with the certainty they will occur again. In retrospect, it is
also now clear that present U.S. power grid operational procedures are
based largely on this out-of-date storm experience, and these
procedures will not reduce GIC flows sufficiently; therefore these
current procedures are unlikely to be adequate to prevent widespread
blackout or damage to key equipment for historically large disturbance
events in the future. The same trend line and theme of increasing
vulnerability is also true with respect to the fast transient effects
of the HEMP E1 and IEMI threat conditions.
Since both hardening and improved operational mitigation
development is necessary, it may be helpful to define these terms more
clearly. Hardening is a process of modifying the power grid in order to
block or reduce GIC in key transformer assets. Operational mitigation
is the action of taking various operational actions for the purpose of
posturing the power grid (or key assets) to minimize GIC exposure
(e.g., removing spare transformers from service based upon an alert/
forecast of a severe storm). This combination provides a layered and
complimentary approach, in that both act to improve the security of the
grid. It is also important that both actions are functionally
independent, in that failure to enact a timely or proper operational
procedure does not defeat the hardening measures, which reduce the GIC.
Infrastructure hardening is clearly the more effective and reliable
approach; operational mitigation is highly dependent on the quality of
alert/forecast capability and the fact that the varying states of power
system operation during a storm may limit the range of effectiveness
and flexibility for taking meaningful actions.
E1 HEMP standards and network upgrades
Presently in substations and other power grid facilities, relay and
control devices span many generations of designs from
electromechanically operated relays to multi-function microprocessor
based relays and control devices. The widespread applications of multi-
function devices are being used to provide added capabilities to the
operation of the power grid; however these devices introduce new
vulnerabilities to the E1 HEMP environment. Existing standards have
taken into consideration the unique and harsh electromagnetic
environment common in a high-voltage substation. As a result there are
a variety of standards for substation-based protective relays and relay
support systems that have evolved over the years. While these
evolutions provide protection against some of the threats posed by the
E1 HEMP environment, some gaps and shortfalls in immunity test
threshold levels continue to exist that if filled would make these
devices more robust in their ability to withstand the E1 HEMP or IEMI
threats. While the current electromagnetic transient test levels of
concern are from sources not related to the E1 HEMP or IEMI
environments, some of the similarities illustrate the significant
opportunities that are possible for dual application.
Many activities are currently underway within the IEEE and
International Electrotechnical Commission (IEC) to update and improve
the EMC immunity of electronic equipment used in factories, power
substations and power-generating stations including nuclear power
plants. The IEC has developed a set of electric fast transient (EFT)
tests that are very similar to the waveforms coupled by E1 HEMP to
cables. The EFT test pulse has a rise time of 5 ns and a pulse width of
50 ns. The typical EMC test levels suggested are between 1 and 4 kV. As
noted in Metatech's work, EI HEMP can under some circumstances produce
more than 10 kV, with a similar waveform. Of particular interest is the
fact that some companies in the European power industry have suggested
that higher levels of immunity test standards be applied to power
system control electronics. It is clear that if EM standards are
developed that have a dual application (normal usage and HEMP), then
the possibility of acceptance of these standards will be more positive.
In addition, recent work led by Metatech with Cigre is examining the
additional protection that would be required in substations to
eliminate the threat of IEMI. Protection against IEMI would provide
protection against E1 HEMP.
Given the on-going work and the fact that the United States has
several HEMP and power system experts involved in the work of the IEC,
these new international standards could be analyzed for their
application to power system equipment in the United States to improve
the hardness of the overall power system to HEMP. In addition to the
EMC work, there is also continuing work in the IEC to develop further
HEMP standards for the civil infrastructure with heavy participation of
several U.S. HEMP experts. This work should be directly supported
through research funding to develop cost-effective ways to apply the
new IEC standards to improve the hardness of important civil systems.
As the EMP Commission Report has noted, there are several thousand
major substations and other high-value components on the transmission
grid. With the development of standardized and hardened equipment, a
continual program of replacement and upgrade with HEMP-hardened
components will substantially reduce the cost. The estimated cost for
HEMP-hardened replacement units and HEMP protection schemes is in the
range of $250 million to $500 million. Approximately 5,000 generating
plants of significance will need some form of added protection against
HEMP, particularly for their control systems. As the EMP Commission
noted, these costs are in the range of $100 million to $250 million.
Power grid hardening and mitigation for E3 HEMP and geomagnetic storms
Both the E3 portion of a HEMP environments and naturally occurring
geomagnetic storms can cause the flow of geomagnetically induced
currents (GIC) through transformers in an exposed power grid. The GIC,
if large enough, can disrupt the AC performance of the grid causing
initial blackouts and also creating the potential for permanent damage
to large transformers, which can lead to restoration delays of the
power grid. Hardening of the power system is optimally done through the
application of passive devices or circuit modifications that block or
reduce the flow of GIC in a power grid. Because GIC accesses power
systems through the multiplicity of grounded neutral leads of wye-
connected transformers, the most effective point at which to place
blocking or limiting devices is also in these neutral-to-ground leads.
Neutral GIC blocking devices have been actively researched since the
early 1990s, and several hardware versions have been successfully
deployed for blocking stray DC or GIC flows into exposed transformers.
The analysis performed to date for the EMP Commission by Metatech
indicates that the conceptual design of installing neutral resistors on
the transformer neutral-to-ground connections is the preferred option
of protection. These resistors would be low resistance--on the order of
5 ohms. Even though small, they would substantially increase the
resistance in the power line network; since they are located in the
neutral to ground connection, they would not substantially decrease the
efficiency of operation of the power grid. These devices would allow a
significant reduction of the GIC currents induced (around 60% reduction
in overall GIC levels are estimated from the studies). The advantage of
this design is that it will be relatively simple to develop with lower
engineering trade-off risks and lower overall installed costs compared
other more exotic devices. In order to evaluate this option more
completely, it will be necessary to carefully study the economic
aspects of this approach and to move forward with a funded R&D effort
to fully engineer and test the prototypes.
The EMP Commission in their report estimated costs for switchable
ground resistors for high-value transformers are estimated to be in the
range of $150 million. Further studies are needed to determine the
number and location of high-value transformers, but preliminary
estimates are for some �5,000 such transformers to be considered on the
230 kV, 345 kV, 500 kV and 765 kV networks. These cost estimates are
based upon simple devices that are still at a conceptual stage of
development. Metatech has been briefing various interested Government
agencies and organizations on a comprehensive R&D program that would
finalize the design requirements for the protection system and would
develop better estimates of costs; therefore total costs several times
larger than the previous EMP Commission estimate might be foreseeable.
With respect to the overall cost of hardening, it is also important
to keep in mind the cost of outages, even when they are of short
duration. A hardening program that expends even as much as �$1 billion
to protect the U.S. power grid against a severe geomagnetic storm, an
event that has occurred before and is certain to occur again, is still
far cheaper than the costs of a widespread blackout to the U.S.
economy. For example the DOE estimated that the August 2003 blackout,
(affecting �60 million people in Midwestern and NE United States) cost
about $10 billion. If we instead only elect to black out or shut down
the power grid based on forecast alerts of this sort of event, it would
cost more than 10 times the hardening cost just in terms of the
economic impact to the United States. When one factors in that
forecasts will no doubt come with false alerts, then the costs of
hardening are indeed quite prudent.
operational mitigation training
The EMP Commission also recognized the importance of developing a
capability to monitor and evaluate the unique set of adverse effects on
critical systems and to speed their restoration. Operators and others
in a position of authority must be trained to recognize that a HEMP
attack, an IEMI attack or a severe geomagnetic storm is occurring or is
about to take place. This should be done in order ``to understand the
wide range of effects it can produce, to analyze the status of their
infrastructure systems, to avoid further system degradation, to
dispatch resources to begin effective system restoration, and to
sustain the most critical functions while the system is being
repaired''.
The detailed power grid models that have been employed by Metatech
for the EMP Commission and FEMA studies provide an excellent starting
point to develop a comprehensive training program and operational
avoidance procedures for the U.S. power industry to counter the harmful
impacts from the E3 HEMP and severe geomagnetic storm environments.
As the EMP Commission and others have suggested, efforts to promote
training centers that would have the mission of simulating, training,
exercising, and testing both operational avoidance and recovery plans
are important for the country. These training centers would allow the
comprehensive simulation of HEMP and other major system threats, such
as geomagnetic storms or coordinated terrorist attacks, whether they
are physical or electromagnetic in nature (IEMI). These training
centers would aid in the development of procedures for addressing the
impact of such attacks to identify weaknesses, to provide training for
personnel and to develop HEMP response procedures and coordination of
all activities across appropriate agencies and industry.
Better and more appropriate procedures can be developed such as:
Making decisions to remove certain high-value assets (such
as EHV transformers) from operation in the network to reduce
their exposure to damaging GIC levels.
Making decisions to remove key generating plant transformers
from operation again to reduce their exposure to damaging GIC
levels.
Making decisions to reduce or shed load (or to create
limited blackouts) in portions of the grid to reduce exposure
of high-value assets to damaging E1, E3, or severe geomagnetic
storm environments.
Making decisions on additional staffing under alert
conditions to perform manual overrides, where possible, of
operational controls that could be compromised due to E1
impacts.
alert capabilities
In 1998, the National Grid Company, which operates the power grid
for all of England and Wales, awarded Metatech a contract to develop
and operate the world's first geomagnetic storm forecasting service
using solar wind electrojet models. These operational electrojet models
are driven by solar wind data from the ACE L1 satellite. This detailed
electrojet model provided a predictive forecast capability needed by
the electric power industry. Large and sudden storm onsets can erupt on
a planetary scale within a matter of minutes, meaning that power
systems that are concerned about the impact of these disturbances will
not have any meaningful lead-time available if they depend upon local
real-time monitoring alone. In the famous geomagnetic storm of March
13-14, 1989, the Hydro Quebec power grid went from completely normal
operating conditions to complete province-wide blackout in an elapsed
time of only 90 seconds. The electrojet predictive model will instead
provide these power system operators a nominal lead-time of
approximately 45 minutes for most storm events, and a somewhat smaller
lead-time for major events.
The advanced geomagnetic storm forecasting system was developed to
provide forecasts for the entire Northern Hemisphere, and detailed
impacts of these storm conditions were further assessed for the NGC
power grid across England and Wales. This system updated the forecast
on a continuous 1-minute cadence and became operational in May 1999.
This system was deployed in the NGC System Control Room in Wokingham,
England where it was continuously used as the primary space weather
tool for the control of the entire national grid. In addition to these
forecast capabilities, Metatech with NGC deployed 16 real-time remote
monitoring locations throughout England and Wales to monitor the storm
environment and impacts on the power grid. Nearly 2,000 channels of
data are continuously collected in real-time from this sophisticated
network and made available for nowcast and system status displays in
the NGC System Control Room. This geomagnetic storm forecasting system,
which is highly tailored to electric power grids, is the most-advanced
in the world, even exceeding the capability of the NOAA-SEC.
In addition, Metatech has successfully modeled and validated
detailed power grid models throughout the world. A complete U.S. Power
grid model has been fully developed for the United States. EHV Power
Grid infrastructure and was employed in both the EMP Commission studies
and also in FEMA investigations under Executive Order 13407.
While it is possible to install a geomagnetic storm forecasting
system in the United States using the approach applied in the case of
England and Wales, it should be noted that this system provided the
forecast to a single location, where action could be taken for the
entire grid. In the United States the situation is different, and both
for geomagnetic storms and a HEMP attack, it is necessary to develop a
procedure to send the geomagnetic forecast or information concerning a
missile launch at the United States to all power grid operators within
minutes. In addition a coordinated response of the power grid operators
needs to be determined ahead of time for different scenarios. It is
important that action be taken to allow this information to be sent to
those who require it.
concerns about smart grid security
While the current situation with regard to the vulnerability of the
power grid to HEMP and other high-level electromagnetic disturbances is
serious, national discussions of future changes to the power grid could
well make things worse. In particular the concept of the ``Smart Grid''
is under active consideration, and while the precise details of such a
plan are not clear, it is clear that a major objective is to collect
more data on the grid and to provide that data to the operators of the
grid.
The problem with many proposals for the Smart Grid is that there
will be a proliferation of millions of computers (Smart Meters), which
will be placed at homes and businesses to monitor the use of power in
real time. These data will allow the system operators to operate their
grids more efficiently and to eliminate the need for extra margins.
These distributed computers will be vulnerable to the threat of
radiated and conducted high frequency threats (such as E1 HEMP and
IEMI) and will be impacted by severe harmonics created during E3 HEMP
and geomagnetic storms. It is clear that very high levels of
electromagnetic protection should be required for these meters, yet in
discussions concerning Smart Meters today, security seems to be a
second thought. We recommend that the physical and electromagnetic
security of Smart Grid components be raised to the highest level of
consideration.
Another area of concern is the plan to build a new super-grid to
connect wind power in the Midwest with the Eastern and Western grid
with the construction of a new 765 kV grid. It is important to
recognize that the higher voltage levels of this transmission network
(relative to the 500 kV grid in most of the country) increase its
vulnerability to E3 HEMP and geomagnetic storms, potentially increasing
the vulnerability of the grid by a factor of 2 or more over what exists
today. Plans to build such a grid should definitely consider the
protection of the high voltage transformers.
role of standards
As alluded to at several points in this statement, it is first
important to make a decision that the power grid needs to be protected
against HEMP and other similar electromagnetic threats such as
geomagnetic storms and IEMI. Once this is done then the means to
accomplish the goal should be through standards. While standards often
take years to develop, in this case much of the HEMP and IEMI work has
already been done in the IEC for generic systems (e.g., computers).
Standards can therefore be developed rapidly to improve the hardening
of hardware currently in service and also for the development of new
products. This approach will allow the fastest time to reach a hardened
state, while keeping the costs at a reasonable level.
conclusions regarding ferc regulatory authority
Given that the United States has a very diverse, mostly private
ownership of the power grid, it is difficult for industry to deal with
the threats of HEMP, geomagnetic storms and/or IEMI on their own and
certainly not in a piecemeal fashion. There is an argument that if a
power company makes improvements to their portions of the grid and
others do not, then wide area geographic threats can still have a
catastrophic impact.
During the beginning of the power system work in the EMP
Commission, NERC was invited to provide its recommendations regarding
which power system electronics were the most important to the operation
of the grid. A prioritized equipment list was provided and used by the
EMP Commission to perform susceptibility tests. While this part of the
collaboration was successful, follow-up discussions with NERC were not
as successful. It seemed that the working level people within NERC were
not willing to recommend protection standards against HEMP in spite of
overwhelming evidence that this threat falls into the low-probability,
high-consequence area. Indeed the potential consequences are so serious
that it should be viewed as a Systemic Risk, one that could threaten
the lives of many and alter the course of the history of this country,
if ever allowed to unfold.
For this reason, we would recommend that FERC, which has already
shown a strong interest in the protection of the power grid from HEMP,
be given the regulatory authority to deal with the threat of HEMP and
other related electromagnetic threats.
______
Statement of Emprimus LLC
July 21, 2009
Chairwoman Clarke, Ranking Member Lungren, Chairman Thompson,
Ranking Member King, and Members of the subcommittee: Thank you for the
opportunity to share with you our thoughts about the present
vulnerability of the U.S. electric grid and other critical civilian
infrastructure to growing electromagnetic threats, and our
recommendations for steps towards remediation of these threats.
Emprimus is deeply concerned about our national infrastructure
electrical, electronic, and cyber vulnerabilities in a number of areas,
and has already been involved in several discussions with Congressional
members and their staffs, and other agency personnel about these
issues, as well as providing briefings to relevant industry and
technical associations in recent months. Emprimus has a multi-
disciplined background which includes a private testing program to
evaluate and understand the vulnerability of many types of civilian
electronic equipment to these growing threats, as well as new ways to
remediate them.
We strongly support legislation to amend the Federal Power Act to
provide additional authorities to adequately protect the critical
electric infrastructure against cyber attack and the related
intentional electromagnetic interference (IEMI) attacks, as well as
hardening the electric grid against high altitude electromagnetic pulse
(EMP) and severe geomagnetic storms. For conciseness in this record, we
will generically refer to all electromagnetic threats as ``EMP.'' As we
will show, all three of these threats are related in that they have
similar effects and share common remediation solutions. It is important
to note at the outset that EMP is also a cyber threat just as surely as
internet hackers are, since data states can be destructively altered.
1. What are the severe electromagnetic threats to our electric system
and other critical infrastructure?
Every year, the modern infrastructure of the United States becomes
increasingly dependent on integrated circuit-based electronic control
systems, computers, servers and burgeoning masses of electronically
stored data. The emerging threat and growing use of non-nuclear EMP/
IEMI (Intentional Electromagnetic Interference, including Radio
Frequency [RF] weapons) poses grave dangers to all of our civilian
infrastructure, including our national electric grid, civilian
facilities' data and data assets, and can damage computer systems,
their electronic equipment and the data they contain, control and
monitoring systems, and support systems which would impede operations
of most critical civilian infrastructure installations. Support systems
at risk range from security systems to communication links to fire
protection to all HVAC systems.
For instance, recent research and testing shows how power
distribution can be shut down for a multi-State area by mobile non-
nuclear EMP attacks. Major metropolitan areas in the United States have
a number of critical choke points. For example, some electrical
substations in each area of the country connect a large amount of
electric generation to the bulk electric transmission system, and
similar electrical substations are used to connect the transmission
system to the metropolitan distribution system. A mobile non-nuclear
attack perpetrated by terrorists or other parties in an innocent-
looking truck at the typically unguarded perimeter of a single
substation would cause connection faults and trips, resulting in
dropping generators off-line similar to recent blackouts in New York
and Florida. A coordinated attack at several of these substations could
lead to a cascading collapse condition, leading to prolonged large
multi-State power outage conditions. A multi-city coordinated attack
could have an even more serious national effect. With proper attention
to shielding and filtering of substation electronics controls,
communications equipment, and data centers as part of a mandated
improvement program, the impacts of these intentional EMP events can be
minimized.
The military has shielded their facilities for decades against EMP.
Now, high levels of EMP can be delivered locally by either hand-held
devices, or via more powerful vehicle-borne weapons, and create
disruption and damage similar to that caused by high-altitude EMP, but
on a local scale. The threat of a severe geomagnetic storm is always
with us, and will occur at some time in the future with near certainty.
(A solar event similar to the 1859 storm would cause catastrophic
damage to our modern electricity-based infrastructure.) The recent
Quebec grid collapse as a result of a serious solar storm has resulted
in Canadian action to improve its grid.
The following chart shows how all three types of electromagnetic
threats to our infrastructure are related with regard to their damage
and disruption effects.
----------------------------------------------------------------------------------------------------------------
Damage to Grid Damage to Other
Damage to Electric Electronic Controls Infrastructure
Grid Transformers and Data Electronics and Data
----------------------------------------------------------------------------------------------------------------
High-altitude Electromagnetic Pulse Yes, National Scale.... Yes, Serious........... Yes, Serious.
(EMP).
Intentional Electromagnetic Local or Regional Yes, Serious Local..... Yes, Serious Local.
Interference, or Non-nuclear EMP. Effects.
Severe Geo-magnetic Storms........... Yes, Regional or Sporadic............... Sporadic.
National Scale.
----------------------------------------------------------------------------------------------------------------
This chart shows how the impacts of these threats are related.
Fortunately, appropriately mandated national action can significantly
reduce the impacts of all three threat classes.
The International Electrotechnical Commission (IEC) has defined
non-nuclear EMP/IEMI as the ``intentional malicious generation of
electromagnetic energy introducing noise or signals into electric and
electronic systems thus disrupting, confusing, or damaging these
systems for terrorist or criminal purposes.'' The insidious aspect of
this class of EMP for the energy sector and other key sectors of our
national infrastructure is that it attacks both cyber- and physical
security aspects of our electronics-based systems in manners that can
completely circumvent firewalls, tier structures, layered networks,
passwords, physical barriers, security procedures, etc. Unlike
traditional cyber threats to data security, non-nuclear EMP may be
extremely covert and difficult to detect and trace with forensics, and
with the ability to impede digital forensics by corrupting the data.
There are remediation approaches to help diminish this threat class if
appropriate steps are taken.
2. What are the effects of an EMP event on the electric system?
Non-nuclear EMP attack.--As demonstrated in the example above of a
relatively modest attack by a small number of individuals on several
critical electric power substations, substantial damage and disruption
can be inflicted by the use of these uncontrolled and easy-to-deploy
electromagnetic weapons. The U.S. Navy has shown how plans for many of
these devices are available on the internet, has tested and
demonstrated the vulnerability of computer and SCADA systems, and has
demonstrated the fabrication and use of such a device built with a
total parts cost of $500.00. These man-portable or vehicle-borne
weapons are becoming a modern tool of those wishing to conduct highly
asymmetrical warfare, including disgruntled employees, criminals,
extremists, and terrorists. These devices can be deployed against
electric power substations and other electronics, and in fact against
all 18 segments of the DHS sectors of critical civilian infrastructure
with similar results.
High-altitude EMP attack.--A high-altitude EMP event detonated
several hundred miles above the center of the contiguous United States
would cause catastrophic damage to the present national electrical
grid, as was detailed by the recent Congressional EMP Commission:
``Report of the Commission to Assess the Threat to the United States
from Electromagnetic Pulse (EMP) Attack,'' April 2008. An EMP event of
this type has an initial fast burst lasting nanoseconds that will
damage or destroy most modern electronics within line of sight that are
based on integrated circuitry, and a slower burst lasting up to several
minutes that will create very large voltages over hundreds and
thousands of miles that will result in disastrous damage to the high-
voltage transformers and electronics that power our national electric
distribution system. As the EMP Commission states, ``The
electromagnetic pulse generated by a high altitude nuclear explosion is
one of a small number of threats that can hold our society at risk of
catastrophic consequences. The increasingly pervasive use of
electronics of all forms represents the greatest source of
vulnerability to attack by EMP. Electronics are used to control,
communicate, compute, store, manage, and implement nearly every aspect
of United States (U.S.) civilian systems. When a nuclear explosion
occurs at high altitude, the EMP signal it produces will cover the wide
geographic region within the line of sight of the detonation. This
broad-band, high-amplitude EMP, when coupled into sensitive
electronics, has the capability to produce widespread and long lasting
disruption and damage to the critical infrastructures that underpin the
fabric of U.S. society.'' This is not a short duration problem: The
high voltage grid transformers that will be destroyed have few spares,
little commonality, and most are now manufactured offshore. Lead times
for small quantities of these transformers are years, but hundreds or
thousands would be destroyed.
Severe geomagnetic storms.--The impact on electric power
transformers deployed at the ends of our long high-voltage transmission
lines would be essentially the same as that from a high-altitude EMP
event described above. The geomagnetic induced currents (GIC) from
these events will also generate high, damaging voltage surges over any
long conductive paths (communications, telecom, data lines, etc.)
leading to computer systems, data storage, and any other electronic
equipment. An expert in GIC has indicated that uninterruptable power
supplies are especially vulnerable. An 1859-class event would shut down
most of our grid for years, if our critical transformers remain
unprotected.
3. What technological fixes are required to secure infrastructure from
an EMP event?
Electronic and data dependent infrastructure.--The 18 Department of
Homeland Security sectors of Critical non-military Infrastructure all
have a vital dependence on digital data, electronic sensing, computing,
controls, and data storage that can be corrupted and/or damaged by both
high-altitude EMP and non-nuclear EMP. It is important to point out
that these threats are CYBER threats, since they can corrupt and
destroy data just as surely as the more publicized internet hacker
attacks we are so familiar with these days. In fact, EMP is probably
more insidious, since these attacks leave no network footprints and
destroy evidence amenable to digital forensics, and they can cause
physical damage to the electronic equipment attacked. It is conceivable
that EMP could be used to cover up traditional cyber attacks. Critical
equipment in the DHS Critical Infrastructure segments such as data
centers, supervisory control and data acquisition (SCADA) systems,
process control equipment, etc. can be protected by appropriate
electromagnetic shielding, filtering, and security procedures, along
with enhanced threat detection. It is especially important that
facilities responsible for meeting regulatory data retention
requirements rapidly acquire this protection, especially trading
institutions and banking data centers. The 2008 EMP Commission Final
Report has much more detail on the effects of EMP on
telecommunications, banking, refineries and pipelines, and other
infrastructure, recommending that mandated fixes proceed promptly.
High-voltage transformers.--The national power grid high-voltage
transformers must be remediated to withstand the huge direct current
voltages they would be exposed to in a high altitude EMP event or
severe geomagnetic storm. The 2008 EMP Commission Final Report has a
number of specific recommendations regarding transformer protection,
improving grid communications and control, safer islanding of grid
segments (permitting a damaged portion of the grid to be safely
isolated), and other key remediations. Some of these critical fixes can
be started immediately and at relatively low cost, especially with
regard to high-voltage transformer protection. These protections are
needed to protect against severe geomagnetic storms, as well as EMP,
since at least a severe storm will occur sooner or later.
4. Why does the modernization of the American electric grid create new
vulnerabilities that may not have existed before?
There are several factors that are working to increase the
vulnerability of our critical electric grid.
Interconnectivity
Heavy reliance on interconnectivity to meet peak load demands has
increased the probability of cascading failures in the event of an EMP
event. This is related to the existence of choke points or critical
substations which present attractive asymmetrical targets.
Longer transmission lines
Increasing distances encourage use of very high voltage
transmission of power from generation source to point of use, and both
the high voltage and distance make the system more susceptible to the
high-altitude EMP and geomagnetic storm threats.
Renewable power sources
As more long distance lines are added to deliver power from
renewable sources of wind and solar located in sparsely populated areas
to distant high-population-density areas, the exposure of the grid to
high-altitude EMP and geomagnetic storm damage will be significantly
increased. Intelligent planning now can mitigate this danger.
Smart Grid
The addition of ``Smart Grid'' electronic processing and
communications between users and generation sources adds many
additional points of failure to the operation of the grid if it is
attacked by an EMP event.
Electric utility operation
Electric utility data centers and control centers for grid
operation, customer account management, and business management
including regulatory data retention requirements are highly dependent
on the operation of electronic equipment, which is at serious risk of
data corruption and equipment damage from the fast EMP transients and
from more localized EMP/IEMI attacks.
Critical substations
These substations transmit huge blocks of power from large
generating plants which, if the controls are damaged, could disrupt
large multi-State areas.
As reported by the EMP Commission, each of these vulnerabilities
can be greatly diminished by timely action, but the solutions need to
be initiated now.
5. Why is the U.S. electric grid different from other nations?
The size and technology of the U.S. electric grid differentiates it
from most other third-world nation grids. For example, differentiating
features include:
Longer transmission lines due to lower population density
and large area;
More critical substations;
More prevalent conversion from coal to natural gas, in more
vulnerable automated and unmanned facilities;
Many more high-voltage transformers susceptible to EMP
damage.
As described previously, each of these factors contributes to
increased EMP risk.
In contrast to most other developed countries that have one or two
electrical power entities, the United States has over 400 transmission-
owning entities, greatly complicating coordinated remediation efforts.
Also, the R&D and electrical infrastructure capital improvement
expenditures have been in serious decline in recent years. These
factors complicate implementing a coordinated remediation of our
Nation's electrical power system against the three EMP threats. It will
require additional Federal authority to mandate swift and coordinated
action, along with appropriate Federal funding to initiate these
appropriate steps.
6. What is the cost of securing our electric and other critical
infrastructure from an electromagnetic event such as EMP,
severe geomagnetic storms, or non-nuclear EMP/IEMI?
On June 10, 2009, Emprimus gave a briefing on the subject at a
meeting sponsored by the National Defense University and the National
Defense Industrial Association on Capitol Hill. The following estimates
for infrastructure protection were presented:
REQUESTED CONGRESSIONAL ACTION AND FUNDING FOR CRITICAL INFRASTRUCTURE
REMEDIATION
------------------------------------------------------------------------
Amount
------------------------------------------------------------------------
Protect High-Voltage Transformers and Critical $1,000,000,000
Substations.........................................
Pipelines, Water, and Waste Water.................... 1,000,000,000
Utilities' Data Centers and Control.................. 2,000,000,000
Smart Grid Remediation for Electromagnetic Threats... 500,000,000
911 & State Emergency Ops (EOC) State Fed and County 2,000,000,000
Data Centers........................................
Key Financial Data Centers........................... 2,000,000,000
Infrastructure Research.............................. 500,000,000
EMP Threat Detectors and Other External Threat 750,000,000
Security............................................
------------------------------------------------------------------------
MINIMAL CONGRESSIONAL ACTION AND FUNDING FOR THE MOST CRITICAL
FACILITIES IN EACH INFRASTRUCTURE
------------------------------------------------------------------------
Amount
------------------------------------------------------------------------
Most Critical HV Transformers........................ $150,000,000
Pipelines, Water, and Wastewater..................... 100,000,000
Utility Data Centers and Controls.................... 150,000,000
Key Smart Grid Remediation........................... 100,000,000
911 & State Emergency Ops (EOC) State Fed and County 200,000,000
Data Centers........................................
Critical Financial Data Centers...................... 150,000,000
Key Infrastructure Research.......................... 75,000,000
EMP Threat Detectors and Other External Threat 75,000,000
Security............................................
------------------------------------------------------------------------
The first column shows the levels required to reduce our
infrastructure risks to acceptable levels from the physical and cyber
threats imposed by the subject electromagnetic threats, and the second
column shows a minimal initial program to start actions on the most
critical infrastructure reinforcement needs. Although it partitions the
problem slightly differently, the Congressional EMP Commission Final
Report of April, 2008, has similar numbers for the electric supply
portion of the infrastructure hardening. The highest priority objective
is to protect a subset of the most critical national infrastructure so
that minimal services can be restored after a severe event to allow
recovery to begin. The initial costs are obviously a function of the
level of critically definition, numbers of protected facilities, and
levels of protection.
The Final Report of the Congressional Commission on the Strategic
Posture of the United States, May 2009, states that:
Findings: ``The United Stated is highly vulnerable to attack with
weapons designed to produce electromagnetic pulse effects.''
Recommendations: ``EMP vulnerabilities should be reduced as the United
States modernizes its electric power grid.''
Mme. Chairwoman, it is our hope that this has been useful
information for the subcommittee on the serious national issue of EMP.
Again, we strongly support legislation to amend the Federal Power Act
to provide additional authorities to adequately protect the critical
electric infrastructure against cyber attack and the related non-
nuclear EMP/IEMI attacks, as well as hardening the electric grid
against high-altitude EMP and severe geomagnetic storms. We would look
forward to answering any questions you may have, and we thank you,
Ranking Member Lungren, and the Members of the subcommittee for your
support in addressing this electric power vulnerability and the broader
issue of the vulnerability of our critical national infrastructure
sectors to these electromagnetic Achilles heels.
______
Statement of the EMP Commission
July 21, 2009
My name is Mike Frankel and I served as the executive director of
the EMP Commission for the entire span of its activities, commencing
with its authorization in the Floyd Spence National Defense
Authorization Act of 2001 and culminating with the delivery of our
final, classified, report to the Congressional oversight committees in
February of this year. Presently, I am chief science officer for L-3
Communications/Applied Technologies Group. I am a physicist by training
and avocation, and have spent many years developing technical expertise
in nuclear weapon effects and managing WMD related programs for the
Department of Defense in a career that spanned research work for the
Navy, the Defense Nuclear Agency, the Defense Threat Reduction Agency,
and the Office of the Secretary of Defense. The perspective of the EMP
Commission is being more than adequately represented to this committee
today by our very distinguished chairman, Dr. William Graham. I should
like to submit instead complementary background information that
addresses in part a topic that was not emphasized in our final report,
and that is the nexus between cyber threats and EMP.
This committee is to be commended for holding this hearing which
specifically includes the full spectrum of electronic threats to the
power grid. While ``ordinary'' cyber and EMP are not usually thought of
as coupled, this has been a mistake. The cyber threat is much in
everyone's consciousness with an immediacy as current as yesterday's
headlines, in this case the alleged North Korean source of cyber
attacks on networks in South Korea and the United States. This
committee has previously rendered valuable service by highlighting the
dangerous cyber vulnerabilities of the power grid exposed in the
``Aurora'' test series conducted at the NNSA's Idaho National
Laboratory. The EMP threat has been much less in the public
consciousness to date, although the range of potential damage from such
an event may, as described in the public portion of the EMP
Commission's report, exceed that realizable from most cyber attack
scenarios. I should like to advance the somewhat new perspective that
electromagnetic pulse threats to our critical infrastructures,
specifically including the power grid, need to be thought of as but a--
hitherto neglected--component of the cybersecurity threat. More broadly
speaking, there is a spectrum of electronics threats to the power grid,
that range from conventional notions of cyber to different forms of
EMP--both nuclear and non-nuclear, and even natural disasters--an
electronic Katrina if you will.
The nature of a cyber threat is to reach out and touch something,
electronically, through its connected network. This may be thought to
occur through delivery of intelligent messages which encode information
and/or instructions that direct a system to some unwanted activity that
may prove very harmful to its owners' interests. A SCADA may be reached
and instructed to open or close a valve controlling pressures in a
natural gas pipeline, with a disastrous pipeline explosion as a result.
Indeed, this has already happened through SCADA malfunction, albeit not
deliberately intentioned. The Aurora test series exposed by this
committee which destroyed an electrical generating system, at its base
demonstrated the disastrous effects of the mischievous at-a-distance
control of an electronic control system. EMP--both nuclear and non-
nuclear--will also reach out and impress unwanted signals through the
connected network. But in the case of EMP, the signals do not contain
specific information or instructions. They are simply shot-gunned
electronic pulses, without encoded information, which nevertheless, at
low power levels, upon encountering vulnerable systems such as SCADAs,
change their bit settings in unpredictable ways guaranteeing they will
not operate as planned. Of course at higher power levels, as documented
by the EMP Commission, they may cause actual physical damage to any
encountered electronic system, up to the point of burning out and
melting critical circuit elements. Thus, at low levels of intensity,
EMP may rightly be thought of as a ``stupid cyber'' threat.
These hearings are also particularly timely in light of the current
intellectual energy being invested in the pursuit of energy
independence, in particular the development of ``Smart Grid''
technology as well as alternative energy sources such as wind and
solar. While Smart Grid is an evolving concept and its architecture
still a moving target, some outlines of its ultimate shape are emerging
and it is clear that it will depend, to a much a greater degree than
present, on the ability to fine tune the delivery of energy to where
and when it will be needed. And this will necessitate the proliferation
of more, and smarter, sensors and control systems than their already
ubiquitous presence, to exercise the real-time capabilities of the
newer and more agile grid architecture. With such a proliferation comes
enhanced vulnerabilities, to both cyber and EMP threats. Similarly,
commercial introduction of new technologies, such as ultra-high-
voltage-->1,000 KV--transmission line systems as has been discussed in
the context of exploitation of wind power and its delivery from the
point of generation to where it's needed, entails critical new
vulnerabilities as well. It is appropriate, that precisely now, at the
cusp of such significant technological transformation, that proper
attention be paid as well to new vulnerabilities which may be
introduced in the rush to innovate. The historical economic lesson from
the military systems development world is that designing protection
into a system from scratch is more effective and much cheaper than
attempting retrofit solutions when problems are discovered later on.
Finally, I'd like to return to the theme of a spectrum of
electronic threats to the power grid which merit attention, of which
``ordinary'' cyber is but one component. We've discussed another
component as well, electromagnetic pulses due to either nuclear or non-
nuclear (RF) sources. But there are also electromagnetic pulses
stemming from natural events which pose a grave danger and to which the
present power grid remains highly vulnerable--the ``electronic
Katrina'' attending a very massive geomagnetic solar storm. Solar
storms--fluctuations induced in the earth's magnetic field due to
eruptions of charged solar matter from the surface of the sun
(``coronal mass ejections'' in the astronomer's language) which are
flung out in the direction of the earth, are rather common events. Most
are of an intensity that present no danger to anything. Some however
are significantly larger and, again on a fairly regular basis, may
couple electromagnetic pulse energy to long transmission lines. These
induced currents are thus a natural EMP and may overwhelm and
physically damage (melt) huge and hard to replace components of the
electrical grid. Just such a scenario played out in the huge solar
storm of 1989 which took down the Hydro Quebec company system, rendered
its many millions of Canadian customers powerless, and irreparably
damaged one of their multi-million dollar extremely high-voltage
transformers (house-sized units no longer manufactured domestically and
which may take up to a year to deliver following a purchase).
But those are ``ordinary'' events. The EMP Commission also examined
the results of a ``100-year storm'', a Katrina analog in the world of
``space weather''. Such an extreme event is guaranteed to come, it is
only a question of when. Indeed such storms have already visited us
during the last 100 years but they occurred at a time previous to the
deployment of our modern electric power grid with its long transmission
lines capable of absorbing the unwanted solar EMP energy. Since the
``receiving antenna'' did not yet exist, except for the spectacularly
unusual auroral displays--the aurora borealis was reportedly sighted
near the equator--no harm was done. Absent some preparations which have
not yet been taken, the next time will be very different with
extraordinary permanent damage to hard to replace components and untold
suffering lasting for extended periods in its wake. So taking steps to
protect the system from cyber and EMP should proceed hand-in-hand with
protection against the full spectrum of such electronic threats. And
steps which are taken to protect against a singular threat should be
considered from a perspective which seeks, as far as possible,
solutions that confer dual or multi-benefits against a spectrum of
threats. Understanding the need to approach EMP as one of a spectrum of
electronically related insults and as a component of the more
generalized cybersecurity problem, and a serious consideration of the
prospects for remedies that confer multiple protective benefits, is the
proper path forward to protect our uniquely valuable power grid from
all electronic threats. And the time for such planning is now.
Unfortunately, it is hard to detect signs of concern, or even
interest just yet on the part of those charged with reducing the
vulnerability of the electric grid. Unlike the Department of Defense
which considered the (classified) recommendations of the EMP Commission
report seriously and initiated certain (classified) remedial
activities, it hard to detect any similar resonance to date on the part
of our civilian agencies.
I wish to thank the committee for this opportunity to present my
views of this most important issue.
______
Statement of Applied Control Solutions, LLC
I appreciate the opportunity to provide the following statement for
the record. I have spent more than 35 years working in the commercial
power industry designing, developing, implementing, and analyzing
industrial instrumentation and control systems. I hold two patents on
industrial control systems, and am a Fellow of the International
Society of Automation. I have performed cybersecurity vulnerability
assessments of power plants, substations, electric utility control
centers, and water systems.\1\ I am a member of many groups working to
improve the reliability and availability of critical infrastructures
and their control systems.
---------------------------------------------------------------------------
\1\ Because much of my information is not in the public domain, I
am not at liberty to identify specific utilities on the record.
---------------------------------------------------------------------------
On October 17, 2007, I testified to this subcommittee on ``Control
Systems Cyber Security--The Need for Appropriate Regulations to Assure
the Cyber Security of the Electric Grid''.\2\
---------------------------------------------------------------------------
\2\ http://homeland.house.gov/SiteDocuments/20071017164638-
60716.pdf.
---------------------------------------------------------------------------
On March 19, 2009, I testified to the Senate Committee on Commerce,
Science, and Transportation on ``Control Systems Cyber Security--The
Current Status of Cyber Security of Critical Infrastructures''.\3\
---------------------------------------------------------------------------
\3\ http://commerce.senate.gov/public/_files/WeissTestimony.pdf.
---------------------------------------------------------------------------
I will provide an update on cybersecurity of the electric system
including adequacy of the NERC CIPs and my views on Smart Grid
cybersecurity. I will also provide my recommendations for DOE, DHS, and
Congressional action to help secure the electric grid from cyber
incidents.
background
First of all, I believe it is any utility's obligation to maintain
a high level of electric service reliability. For the most part, the
utility industry takes this responsibility very seriously and focuses
very strongly on electric system reliability. The grid has been
designed to be resilient and accommodate failures (the N-1 criteria).
The equipment in place (older legacy and new equipment) has
demonstrated a high level of reliability. However, as the older
equipment is replaced with new equipment such as for Smart Grid
applications an interesting paradox occurs--as reliability increases
from the installation of new equipment, the cyber vulnerability also
increases.
First, I believe a major point of discontinuity has been the
unsuccessful equating of the terms Critical Infrastructure Protection
(CIP) and cybersecurity.
CIP (or ``functional security'') is focused on the function of the
electric grid being maintained regardless of the status of the
computers. Cybersecurity, on the other hand, focuses on protecting the
computers independent of whether electric reliability is being
maintained. For the sake of semantics, I will use the term
``cybersecurity'' but my intention is that the operation of the
computers is focused on ``keeping the lights on,'' or what is becoming
increasingly referred to as ``functional security.''
Secondly, cyber events can be either intentional attacks or
unintentional incidents.
NIST defines a cyber incident as ``An occurrence that actually or
potentially jeopardizes the Confidentiality, Integrity, or Availability
(CIA) of an information system or the information the system processes,
stores, or transmits or that constitutes a violation or imminent threat
of violation of security policies, security procedures, or acceptable
use policies. Incidents may be intentional or unintentional.''\4\
---------------------------------------------------------------------------
\4\ FIPS PUB 200, Minimum Security Requirements for Federal
Information and Information System, March 2006.
---------------------------------------------------------------------------
Cyber incidents are also more than just malware or botnet attacks.
Cyber incidents include all forms of impacts on electronic
communications.
Man-made Electromagnetic Interference (EMI) has already impacted
North American and European electric and water Supervisory Control and
Data Acquisition (SCADA) systems and ruptured a natural gas pipeline.
In industry control systems, the most probable cyber incident is
unintentional. Moreover, in a stellar application of the ``law of
unintended consequences,'' I believe that ``blindly'' following the
NERC CIPs \5\ will result in more unintentional cyber incidents.
---------------------------------------------------------------------------
\5\ http://www.nerc.com/page.php?cid=2|20.
---------------------------------------------------------------------------
Unintentional cyber incidents have already killed people, caused
significant outages, and large economic impacts. Additionally, if the
incident can be caused unintentionally, the same type of incident, if
intentional, could have even more damaging effect.
recent history
What has been happening since I testified to this subcommittee in
October 2007? It is not a pretty picture and the power industry clearly
needs Congress's help.
Knowledge Base.--Figure 1 characterizes the relationship of the
different types of special technical skills needed for control system
cybersecurity expertise, and the relative quantities of each at work in
the industry today.
Most people now becoming involved with control system cybersecurity
typically come from a mainstream business Information Technology (IT)
security background and not a control system background. This trend is
certainly being accelerated by the Smart Grid initiatives, where the
apparent lines between IT and control systems are blurring. Many of the
entities responsible for control system cybersecurity, industry,
equipment suppliers, and Government personnel (e.g., DHS NCSD and S&T,
DOE, EPA, etc.) do not entirely appreciate the difficulties created by
this trend.
This lack of appreciation has resulted in the repackaging of IT
business security techniques for control systems rather than addressing
the needs of field control system devices that often have no security
or lack the capability to implement modern security mitigation
technologies. This, in some cases, has resulted in making control
systems less reliable without providing increased security. An example
of the uninformed use of mainstream IT technologies is utilizing port
scanners on Programmable Logic Controller (PLC) networks. This has the
unintended consequence of shutting them down. This specific type of
cyber incident has occurred more than once in both the nuclear power
and conventional power portions of the industry, with negative
consequences.
As can be seen in Figure 1, IT encompasses a large realm, but does
not include control system processes. Arguably, there are less than
several hundred people world-wide that fit into the tiny dot called
control system cybersecurity. Of that very small number, an even
smaller fraction exists within the electric power community.
Control System Cyber Incidents.--Since I testified to this
subcommittee in October 2007, I have documented more than 30 control
system cyber incidents, more than 20 of which were in the North
American electric power industry! These incidents affected nuclear and
fossil plants, substations, and control centers. Impacts ranged from
loss of displays, controller slowdowns and shutdowns, plant shutdowns,
and a major regional power outage. Geographically, these incidents
occurred in more than ten States and a Canadian province. None of the
incidents were actually identified as ``cyber''.
Meeting the NERC CIPs would not have prevented many of these
incidents. In fact, some could have actually been caused or exacerbated
by following the NERC CIPs.
Equipment Suppliers.--It is important to understand that suppliers
provide equipment with the features their customers' request. Given
that fact, the report card on our control system suppliers is a mixed
bag. Responding to industry requests, the major Distributed Control
System (DCS) and SCADA suppliers have been addressing security at the
master station level. However, suppliers of field control and equipment
monitoring systems have not had those industry requests and thus are
continuing to include dial-up or wireless modems, Blue Tooth and Zigbee
connections, and/or direct Internet connections as part of their
product offerings. This also applies to equipment used in the Smart
Grid and nuclear plants.
Business IT-focused suppliers continue to supply equipment and
testing tools designed for IT applications not for legacy control
systems applications. This has resulted in control system equipment
impacts including shutdown or even hardware failures.
Consultants and System Integrators.--Most of the consultants and
system integrators that are focusing on ``cybersecurity'' are really
focusing on compliance for NERC CIPs. Most are focusing on the SCADA or
DCS master stations as they are IT-like systems that non-control system
personnel can understand. That leaves the legacy field equipment that
has essentially no security hardly even addressed as part of the NERC
CIP process. The consultants and system integrators that are focused on
equipment upgrades or new equipment installation generally do not
address security.
Utilities.--The original intention of the NERC CIPs (even before
they were called the CIPs) were to make the bulk electric grid secure.
Unfortunately, the ``letter of the law'' of the NERC CIPs is not
security, but compliance. It is a critically important distinction to
make, and to understand. I know of only one utility that is trying to
assure their systems are secure independent of compliance
considerations. Almost all utilities are playing the game of compliance
rather than securing their systems. This has resulted in industry's
lukewarm attempt to meet NERC Advisories such as Aurora.\6\ This lack
of will has directly led to the significant number of actual electric
industry cyber incidents many of which were not even addressed by the
NERC CIPs!
---------------------------------------------------------------------------
\6\ http://homeland.house.gov/SiteDocuments/20080521142118-
53954.pdf.
---------------------------------------------------------------------------
NERC.--The North American Electric Reliability Corporation (NERC)
was established in 1968 to ensure the reliability of the bulk power
system in North America. NERC is a self-regulatory organization,
subject to oversight by FERC and governmental authorities in Canada. As
of June 18, 2007, FERC granted NERC the legal authority to enforce
reliability standards with all U.S. users, owners, and operators of the
bulk power system, and made compliance with those standards mandatory
and enforceable making NERC the Electric Reliability Organization
(ERO). NERC's status as a self-regulatory organization means that it is
a non-Government organization which has statutory responsibility to
regulate bulk power system users, owners, and operators through the
adoption and enforcement of standards for fair, ethical, and efficient
practices.\7\ Prior to becoming the ERO, NERC was an American National
Standards Institute (ANSI)-accredited organization meaning it was a
consensus standards organization and was subject to the direction of
its member utility organizations. The ANSI accreditation requires
standards need to go through a formal ballot process. This is a time-
consuming effort and tends to favor setting a ``very low bar.'' This
consensus process has resulted in cybersecurity standards that are very
weak and ambiguous assets and even exclude some of the most important
recommendations from the Final Report of the Northeast Outage.\8\ In
the past, NERC has been a clear obstructionist to adequately securing
the electric grid. NERC has used the ANSI process to reject more
comprehensive requirements. That obstructionism included public
responses denigrating Project Aurora.\9\ The consensus approach is
adequate for subjects like tree-trimming but is not appropriate for
critical infrastructure protection.
---------------------------------------------------------------------------
\7\ http://www.nerc.com/page.php?cid=1.
\8\ https://reports.energy.gov/BlackoutFinal-Web.pdf.
\9\ http://www.cnn.com/2007/US/09/27/power.at.risk/index.html.
---------------------------------------------------------------------------
I was part of the NIST/MITRE team that performed a line-by-line
comparison of the NERC CIPs to NIST Special Publication (SP) 800-53
\10\ which is mandatory for all Federal agencies including Federal
power agencies.\11\ The report demonstrates that NIST SP800-53 is more
comprehensive than the NERC CIPs. However, NERC and many utilities are
fighting the implementation of NIST SP800-53. Are the utilities trying
to say that the computers at the Department of Housing and Urban
Development need a more comprehensive set of cybersecurity rules than
every non-Federal power plant, substation, and control center in the
United States? Unless an asset is classified as ``critical'' in CIP-
002, no further cybersecurity evaluation is necessary. A large segment
of the utility industry is using the amorphous requirements in CIP-002
to exclude most of their control system assets from even being
assessed. Michael Assante, Vice President and Chief Security Officer of
NERC wrote a public open letter on April 7 \12\ in which he makes it
very clear that the industry is not doing an adequate job of even
meeting the weakened intent of the NERC CIPs. Specifically, Assante's
letter states that only 29 percent of Generation Owners and Operators
identified at least one Critical Asset and fewer than 63 percent of the
transmission owners identified at least one Critical Asset. This means
that 71% of generation owners did not identify a single critical asset
and 37% of transmission owners did not identify a single critical
asset. I am personally aware of utilities that have identified ZERO
Critical Assets even though they have automated their plants and
substations and have control centers.
---------------------------------------------------------------------------
\10\ http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-
Rev.%203.
\11\ Marshall Abrams, MITRE Technical Report, MTR70050, Addressing
Industrial Control Systems in NIST Special Publication 800-53, March
2007.
\12\ Letter from Mike Assante to NERC Industry Stakeholders,
``Critical Cyber Asset Identification'', April 7, 2009.
---------------------------------------------------------------------------
Despite Assante's attempts to change NERC's approach on
cybersecurity, NERC has continued its focus as a utility-directed
organization. NERC's Board of Trustees approved revisions to the NERC
CIPs on May 6, 2009 after passage by the electric industry with an 88
percent approval rating. However, the revisions did not address any of
the technical limitations such as exclusions of telecom, distribution,
non-routable protocols or strengthening CIP-002 to address Assante's
April 7 letter. A second example would be the June 30, 2009 Alert on
the Conficker Worm.\13\ The Alert states the ES-ISAC estimates the risk
to bulk power system reliability from Conficker is LOW due to the
limited exploitation of this vulnerability and generally widespread
awareness of the issue even though NERC acknowledges the potential
consequence is high and the awareness among control system users is
very low.
---------------------------------------------------------------------------
\13\ http://www.nerc.com/page.php?cid=5%7C63.
---------------------------------------------------------------------------
Smart Grid.--The intent of the Smart Grid is to embed intelligence
into the electric grid to allow two-way communications between devices
and control centers for monitoring and control. The Smart Grid's use of
the Internet and Internet Protocols (IP) is blurring the line between
business IT and control systems resulting in more people without
knowledge of the electric system being involved in securing these
systems.
This is a recipe for disaster--there has already been at least one
case of a denial of service attack (DDOS) to a distribution automation
system.
From a Regulatory standpoint, the situation is convoluted because
the NERC CIPs explicitly exclude electric distribution which is the
heart of the Smart Grid and yet the NIST Smart Grid security efforts
point to the NERC CIPs.
Unless Congress passes legislation to allow FERC to include
distribution or the individual public utility commissions mandate that
the NERC CIPs must be followed for their distribution systems, there
are no regulations for securing the Smart Grid.
Education.--To the best of my knowledge, there are no technical,
interdisciplinary university curricula for control systems
cybersecurity. There are universities starting to address this subject
in an ad hoc manner such as the University of Illinois and Mississippi
State University. Congress might well seek ways to encourage and fund
more such curricula as a significant way to improve cybersecurity in
all control systems.
Certifications.--There are no personnel certifications for control
system cybersecurity.
IT certifications such as the Certified Information Systems
Security Professional (CISSP) and the Certified Information Security
Manager (CISM) do not address control systems. Professional engineering
examinations do not include security.
There needs to be a certification demonstrating knowledge of
control systems as well as security by organizations competent to
oversee this requirement. One organization could be the CSFE \14\ which
certifies Functional Safety experts. There are on-going efforts by
individual companies and organizations such as ISA to certify
industrial control systems for cybersecurity.
---------------------------------------------------------------------------
\14\ www.csfe.org.
---------------------------------------------------------------------------
Government R&D.--R&D has been focused on effectively ``repackaging
IT''. Very little work has been devoted to legacy and even new field
equipment, even though these devices have limited or no security, and
can cause the biggest impacts.
There has also been no attempt to analyze actual cyber incidents to
learn what policies and technologies should be developed to protect
them.
NIST.--NIST has effectively two disjointed programs on
cybersecurity that impact the electric grid. The NIST Information
Technology (IT) Laboratory has been responsible for updating NIST
SP800-53 and the daughter standard NIST SP800-82.\15\ There has been a
significant amount of effort addressing industrial control systems and
applicability to the electric industry. NIST is also acting as the
standards coordinator for the Smart Grid.
---------------------------------------------------------------------------
\15\ http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-
82-fpd.pdf.
---------------------------------------------------------------------------
As a member of the Smart Grid Cyber Security Working Group and the
Industry-to-Grid Working Group, I see a dichotomy that troubles me.
Instead of mandating NIST SP800-53 for the Smart Grid, it appears as if
NIST doesn't want to be seen as pushing their own standards. Not only
is NIST SP800-53 the best cybersecurity standard currently available,
it is mandatory for all Federal power agencies. Why shouldn't NIST
SP800-53 be mandated for all power utilities, not just Federal ones?
recommendations
Traditional reliability threats such as tree trimming to prevent
power line damage could be handled by private industry. However cyber
is a new threat that requires a joint effort by the Government and
private industry. I believe there are a number of roles for the Federal
Government to play in defending against cyber incidents and/or physical
attacks against electric facilities.
Articles such as the recent Wall Street Journal article on Chinese
and Russian hackers imply that the electric industry is unaware of
computer intrusions.\16\ This is probably true on several accounts. As
mentioned, the electric industry is not doing an adequate job of even
looking. Additionally, there is a lack of adequate cyber forensics for
control systems. This leads to the fact that is it difficult to have an
early detection and warning capability for cyber threats for the
electric industry today. However, that same difficulty is also an
opportunity for the Government and private industry to develop
appropriate forensics. A non-technical challenge is the industry's
continuing reticence to provide control system cyber incident data to
the Government and for law enforcement to share relevant information on
actual attacks to the industry so they can protect themselves.
---------------------------------------------------------------------------
\16\ http://online.wsj.com/article/SB123914805204099085.html.
---------------------------------------------------------------------------
What can DHS and DOE do?
I cannot speak for the division in responsibilities between DHS and
DOE, but I can point out what needs to be done:
Provide intelligence on threats to those needing to know--
that does not mean only security-cleared individuals, but all
individuals working in the area;
Make use of available technical talent--there is very
little, and the safety and security of our country depend on
these efforts;
Analyze actual control system cyber incidents to develop
appropriate cyber technologies and policies--there are few
places to get the information as most of it has not been
provided to the Government--and what has is often classified
and unavailable;
Establish benchmarks for how much security is enough, what
is an acceptable vulnerability assessment, what is an
acceptable risk assessment, audit metrics, trade-offs between
security and functionality, etc.;
Support first-of-kind technology development, particularly
for legacy field devices;
Support development of college technical as well as policy
curricula;
Support the establishment of a CERT (Computer Emergency
Response Team) for control systems that is not under the
purview of the Government, because industry is still
uncomfortable about providing what they consider to be
confidential data to Government agencies like the FBI.
What can Congress do?
Currently FERC is constrained by the Energy Policy Act of 2005.\17\
It cannot write standards and its scope is restricted to the bulk
electric system. There are several steps that Congress can take to help
maintain the reliability of the electric system from cyber threats:
---------------------------------------------------------------------------
\17\ http://en.wikipedia.org/wiki/Energy_Policy_Act_of_2005.
---------------------------------------------------------------------------
1. Provide cybersecurity legislation that gives FERC the scope to
write standards including mandating NIST SP800-53 for the bulk
electric grid and the Smart Grid.
2. For cybersecurity, increase FERC's scope to include electric
distribution. There are technical as well as administrative
reasons. Low voltage transmission and high voltage distribution
systems electronically communicate with each other; utilities
electronically communicate with each other; and the utilities
use common systems. We cannot afford to have a ``Tower of
Babel'' set of rules for each State and for the same equipment.
3. NERC is in a conflict-of-interest position because its
fundamental purpose has changed. If NERC can not do the job of
assuring cybersecurity of the electric grid, find an
organization with the will power and authority to do so.
4. HR 2195 \18\ would go a long way toward providing effective
legislation. I would add the following: Mandate the NIST FISMA
guidance documents, such as SP800-53 and require the
establishment of a program to develop expertise in electric
grid cybersecurity. The expertise gained from this program
should be shared with every electric grid owner and operator.
---------------------------------------------------------------------------
\18\ http://www.opencongress.org/bill/111-h2195/text.
---------------------------------------------------------------------------
summary
It has been almost 10 years since I helped start the control system
cybersecurity program at the Electric Power Research Institute (EPRI).
Ten years should have been sufficient time for the industry to make
significant progress. Unfortunately, it has not happened. Actual
control system cyber incidents continue to occur--in fact, they appear
to be getting more numerous. An unsecured electric grid is dangerous to
the safety and economic well-being of this country. Congress needs to
step in and provide regulation to give FERC the additional powers
necessary and mandate NIST SP800-53.
______
Statement of Advanced Fusion Systems, LLC
July 19, 2009
My name is Curtis Birnbach and I am the president of Advanced
Fusion Systems. While the main thrust of my company is fusion energy
research, one of our subsidiaries has developed technology to protect
the electric power grid from EMP attack. I wish to address the threat
to our Nation posed by both electromagnetic pulse (EMP) and solar
storms. At the risk of sounding glib, I bring you good news and bad
news.
The bad news is that this threat is all too real. I have been
working on EMP-related technologies for many years. I have built
electrically-driven EMP generators and have extensively studied the
phenomenology of intense ultra-short pulses. I would like to summarize
this work to help bring focus to the critical aspects of this problem.
EMP from a nuclear detonation or solar storms poses a unique threat in
that it can instantly destroy our civilization. I do not make this
statement lightly. Our society is totally dependent on the continuous
supply of electricity. Should our electricity be suddenly withheld, our
society would immediately collapse.
While I am sure that you have already been briefed on the general
aspects of this problem, I wish to focus on the two most critical
components we use to deliver: Transformers and generators. If they
don't function, we can't deliver electricity and life as we know it
stops. The generators and transformers have two very important things
in common: They are very expensive and they take years to replace. The
worst-case victims of either an EMP attack or a solar storm are our
generators and large substation transformers.
This brings me to the first of two points in my testimony: The
United States does not have a domestic transformer manufacturing
capability for large substation-class transformers. These devices are
made exclusively on the Pacific Rim and in Europe. Large transformers
typically take 3 to 5 years to obtain and put into operation. The
production capacity of existing overseas manufacturers is quite
limited. Should the sudden need for rapid delivery of a couple of
hundred transformers occur, these manufacturers would be unable to
supply our requirement. Further, as they are not U.S. corporations,
they have no incentive to delay other existing customers to supply our
needs in the event of an emergency. Also, a solar-sourced EMP event may
well affect electric power equipment in many other countries
exacerbating the supply situation.
The situation with generators has common elements. While we do have
some manufacturing capacity for large generators in the United States,
it is limited and should a large number be suddenly needed, it would
take years to meet that need. If equipment manufacturers are also
unable to function because of a lack of electricity we end up with a
chicken-and-egg situation; we can't have one without the other.
There is no way that this country can exist for a couple of months,
no less many years without electricity. To compound this situation, our
utilities may not be insured against this type of loss. Even if they
were insured, the insurance companies would suffer potentially
crippling losses if utilities were destroyed over a wide area. Our
financial system, our medical system, our communication systems, our
public safety systems--none could function without electricity. Most
companies including utilities would simply cease to exist. There is a
real likelihood of civil unrest.
Stockpiling transformers will not work. According to Platts Energy
Reporting, there are over a quarter of a million large transformers,
and close to 20,000 generators. The transformers are not standardized
so the number that would have to be stockpiled is prohibitively large.
For every large transformer there are about a thousand smaller
transformers, of which only a small fraction are produced domestically.
DARPA tried to run a program to build ``universal transformers'' that
could be stockpiled. This effort proved impractical as there is too
much variation among transformers.
I did promise some good news. My company has developed a grid-level
protection system. This system can protect our country from these
threats. We have developed an EMP Protective System (EPS). Each EPS
unit will protect a single phase which is one of three wires (phases)
that are typically used in high-power electrical devices. Generators
have three wires while transformers have 6 wires. Once an EPS is
installed, it will detect the pulse of an EMP, safely conduct it to
ground, and immediately be ready for the next pulse. These switches
were originally designed to operate under conditions similar to those
encountered in an EMP attack or solar storm. They are totally
autonomous and react in a small fraction of a billionth of a second.
They contain a built-in detection system which is the only way you can
get a protective device to work quickly enough to be of use.
We have looked at some representative sites for installation of
these protective devices. As an example, I would like to discuss
protection of the Niagara Hydroelectric Plant. This is one of the most
important power stations in this country. While I will not go into
specific details for security reasons, based on what limited
information is available to me, I have estimated that the entire
complex could be protected for somewhere between $75 million and $100
million. The cost of this protection would also be expected to be
included in the rate base for the utility so that ultimately the small
cost of the protection is borne by consumers who will be receiving a
more secure supply of electricity. Compared to the $10 billion that
this station might be expected to cost to replace, this one-time cost
of 1% is a small cost to protect the plant. This one-time cost of the
equipment to protect the plant is all or partially offset by the
reduced insurance premiums for a plant that has this protection in
place. Obviously, a detailed engineering study would be necessary to
refine this number, but it provides an order of magnitude of the cost
of this protection.
I have also done estimates on transmission substations. Large
transformers cost around $1.5 million to protect. All incoming and
outgoing lines in a substation must be protected, but in most cases,
this protection is also the same devices that are protecting the
transformers. A typical large substation, has at least ten lines of 115
KV or more, and dozens of transformers. When balanced against the cost
of a large substation, which can cost a half billion dollars, the cost
of protection is typically 10% of the total cost. In either case, the
cost is a fraction of the replacement cost of substations or
generators, or the lost revenues that the utilities would suffer over a
period of several years as a result of the attack. The loss of revenue
far exceeds the replacement cost of the equipment. The economic and
societal costs of being without electricity are of course far greater
than the losses of the utility.
While these numbers may seem large, remember that this is not a
single-year expenditure. It will take several years to fully implement
this type of protection. Implementation of EPS protection is cheap
insurance in the face of such losses. These estimates do not include
the deaths, injuries, civil unrest and such that would be likely
consequences of these events, particularly once it became clear that
the disruption would last for extended periods of time.
My company is committed to help resolve this problem. By making
these protective devices available, we are offering a viable option to
the unthinkable scenarios I have described. We are funded through the
private sector. We are only looking to have the Government support the
purchase of these devices. There has been significant interest in this
technology overseas.
In order to make grid protection available and affordable in a
reasonable period of time, State and Federal legislation encouraging
the purchase of EPS technology for critical elements of the electric
grid is needed. Three legislative measures should be considered:
1. Tax credits for private utilities purchasing EPS equipment for
the purpose of grid protection;
2. Grants to utilities for installation of critical EPS equipment
at vital locations;
3. Providing Government-backed bonding authority to raise money to
provide EPS funding to rural electric systems and others who
need it;
4. FERC agreement to include these devices in the rate base.
______
Statement of the Canadian Electricity Association
July 21, 2009
The Canadian Electricity Association (``CEA''), the national forum
and voice of the evolving electricity business in Canada, is pleased to
provide the following statement regarding the appropriate actions that
the U.S. Congress should take to protect the electric grid from
cybersecurity threats and vulnerabilities. CEA's members account for
the majority of Canada's installed generating capacity and high voltage
transmission. In this statement, CEA explains the importance of taking
cybersecurity actions in the United States that are mindful of the
interconnected nature of the North American transmission grid and the
importance of avoiding actions that could undermine the reliability of
the transmission grid and impact cross-border trade. CEA further
provides suggestions for this subcommittee to consider before
developing legislation to address physical and cybersecurity in the
electricity sector. Specifically, CEA suggests that: (1) The North
American Electric Reliability Corporation remain the primary body for
addressing cybersecurity matters on the North American transmission
grid; (2) any authority given to U.S. Governmental authorities to
address emergency situations be of a limited duration and be
coordinated with Canadian governmental authorities; (3) consultation
and information sharing between the U.S. and Canadian governmental
authorities should be provided for in any legislation; and, (4) U.S.
legislation should be respectful of Canadian sovereignty and
jurisdiction.
background
The electric transmission systems of U.S. and Canadian utilities
are interconnected with one another at numerous points, forming a
highly integrated North American transmission grid, as can be seen in
the following map:
Of the 211,152 circuit miles of transmission lines greater than 200
kilovolts in North America, 46,499 circuit miles, or 22 percent, are
located in Canada. This integration allows for cross-border trading,
which facilitates a higher level of reliability for consumers,
efficiencies in fuel and resource management, and efficiencies in
system operation. These benefits, and the activities of companies
investing and participating in markets on both sides of the border,
serve citizens of the United States and Canada extremely well.
To provide perspective on the importance of the U.S./Canadian
trading relationship, the chart below shows both exports from Canada to
the United States and imports into Canada from the United States
between 1999 and 2008:
Canada is a net exporter of electricity to the United States. The
quantity of electricity exported from Canada to the United States has
typically been 6 to 10 percent of Canadian production. At the same
time, as the chart above demonstrates, electricity imports to Canada
from the United States have also increased over time. The North
American market is borderless, and supply meets demand north to south
or south to north as the market requires, to the advantage of consumers
across the continent. Such electricity trade enhances the reliability
of each country's electricity supply and mitigates risk by providing
power during times of emergency outages or periods of high electricity
demand. Canadian utilities are part of and therefore critical to the
energy security of the United States, and the reliability of the North
American transmission grid.
any actions taken in the united states to address cybersecurity on the
bulk-power system must be coordinated with canadian governmental
authorities
CEA recognizes the serious risks that cybersecurity threats and
vulnerabilities present to the international grid. Nevertheless, CEA
believes that any actions to address cybersecurity threats and
vulnerabilities must be accomplished in a manner that recognizes the
mutual inter-dependency of the interconnected Canada-U.S. transmission
systems, and must not unintentionally imperil or downgrade reliability
and erect barriers to cross-border trade.
The President of the United States recently directed a 60-day,
comprehensive review to assess U.S. policies and structures for
cybersecurity, and the result was the release of ``Cyberspace Policy
Review'' on May 29, 2009. In the report, the White House concluded that
``the United States needs a comprehensive framework to ensure
coordinated response and recovery by the government, the private
sector, and our allies to a significant incident or threat.''
Understanding that the United States cannot act in a unilateral
fashion, the report concluded:
``The United States cannot succeed by acting in isolation, because
cyberspace crosses geographic and jurisdictional boundaries. The United
States must work actively with countries around the world to make the
digital infrastructure a trusted, safe, and secure place that enables
prosperity for all nations.''
CEA supports the concept of cross-border cooperation between Canada
and the United States to prevent cybersecurity attacks.
nerc is the appropriate standard-setting body for the north american
transmission grid
CEA believes that the best venue to address cybersecurity matters
on the North American transmission grid is the North American Electric
Reliability Corporation (``NERC''). Through the reliability standard-
setting model included in section 215 of the Federal Power Act, the
NERC reliability standard-setting process allows for a balance of
interests ensuring access to expertise from industry across the
continent for the development of standards with continental application
that can be approved by authorities on both sides of the border--be it
FERC in the United States, or any of the jurisdictional authorities in
the Canadian provinces. This model recognizes jurisdictional
sovereignty through the existence of the remand provision in the U.S.
legislation, which is also incorporated into the processes for
standards approval in a number of Canadian provinces and which is
incorporated into the existing NERC standard-setting procedures. This
component assures that no governmental authority has the ability to
unilaterally modify standards which would apply to the whole system,
and that any variances are accommodated through the collective process.
At the same time, it gives public authorities the confidence that the
system has a Government backstop, providing Governmental authorities on
both sides of the border with the confidence that standards developed
through that process reflect their concerns.
NERC also has the ability to effectively incorporate the
experiences and knowledge of the private sector in both the United
States and Canada, which is especially important in this very technical
industry. Any legislative directive must avoid placing the regulator in
an operational role in terms of issuing detailed emergency procedures
to address a present or imminent threat or vulnerability to electric
system reliability. Such an approach would be consistent with the
conclusions reached in ``Cyberspace Policy Review'' about the
importance of a public-private partnership to address network security
issues. As the President explained when the report was issued, ``My
administration will not dictate security standards for private
companies. On the contrary, we will collaborate with industry to find
technology solutions that ensure our security and promote prosperity.''
Recognizing the need to better respond to cybersecurity challenges,
NERC has recently established processes to allow for the expedited
development of cybersecurity standards. NERC is developing approaches
that allow cybersecurity standards to be developed in a less public
manner and in a way that allows for quick action to respond to ever-
changing threats. Importantly, this process follows the NERC standard-
setting model, thereby allowing for the development of cybersecurity
standards that are respectful of Canadian jurisdictional sovereignty
and allowing for the development of standards that can be approved by
Canadian governmental authorities. In addition, CEA is encouraged that
NERC has elevated the profile of its Critical Infrastructure Protection
Program, to increase its cybersecurity expertise and to better
coordinate with Governmental authorities. We believe such steps allow
NERC to better respond to cybersecurity issues.
considerations for u.s. legislation
CEA believes much of what needs to be done to address cybersecurity
issues on the North American transmission grid can be accomplished
through the NERC standards development process. Nevertheless, CEA
recognizes that U.S. legislation may be necessary to address certain
gaps in NERC authority. CEA has attached to this statement as an
appendix a paper prepared by the major electric utility trade
associations in Canada and the United States on the appropriate
approach to take on cybersecurity. CEA also provides the following
comments should this subcommittee pursue a legislative strategy.
Authority to Take Action on an Emergency Basis
CEA recognizes situations can arise requiring emergency actions to
be taken immediately to protect the reliability of the bulk power
system. To the extent that NERC does not have the information or
authority to respond to such an emergency situation, CEA agrees that
Governmental bodies should be able to respond expeditiously to ensure
industry acts to protect the grid. In terms of U.S. Governmental
authority to respond to imminent cybersecurity threats, CEA understands
the need for authority to address emergency situations, although we
believe that such authority must be limited only to specific, credible,
and imminent cybersecurity emergencies, be of a limited duration, and
be coordinated with Canadian governmental authorities.
Consultation and Sharing of Information
In any cybersecurity legislation, CEA strongly supports the
inclusion of a requirement that the appropriate U.S. Governmental
agency consult with appropriate Canadian authorities before taking
measures to address cybersecurity threats. Unlike the U.S. system,
transmission is regulated in Canada primarily by provincial
governmental authorities. Moreover, reliability standards are
authorized and enforced by provincial governmental authorities.
Consulting with the appropriate governmental authorities in the
relevant provinces will help to ensure that actions taken are
respectful of Canadian jurisdictional sovereignty and avoid unintended
impacts on reliability and cross-border trade. The absence of
consultation between and among governmental authorities could further
result in the elimination of, or reduction in, the sharing of critical
cybersecurity information--not a good result at a time when the sharing
of information is becoming more and more important.\1\
---------------------------------------------------------------------------
\1\ CEA also believes strongly that orders or measures to address
known or imminent cybersecurity threats must be accompanied by
sufficient information sharing regarding the threat such that those
implementing the order or measure can do so effectively.
---------------------------------------------------------------------------
Consultation and information sharing is absent, for example, in
H.R. 2195, a bill introduced by Homeland Security Chairman Bennie
Thompson. The absence of a process for coordination between Canadian
and U.S. Governmental officials prior to any actions taken by FERC to
address a cyber vulnerability or threat could undermine both
reliability and security on the North American transmission grid. As
noted in ``Cyberspace Policy Review,'' such coordination among
Governmental officials is critical to effectively addressing
cybersecurity issues.
Any U.S. Legislation Should be Respectful of Canadian Sovereignty and
Jurisdiction
In addition to the need for coordination between Canadian and U.S.
Governmental officials, this subcommittee should also be mindful that
U.S. legislation should avoid interfering with Canadian sovereignty and
jurisdiction, which could undermine both cybersecurity and reliability.
For example, in H.R. 2195, ``critical electric infrastructure'' is
defined so broadly as to include Canadian systems and assets, since
those systems and assets, if incapacitated or destroyed, could cause
significant harm to the U.S. grid. Such a broad definition would, under
this language, bring Canadian utilities within the scope of FERC
authority under Section 224(e). Moreover, the Interim Measures
authority under Section 224B would allow FERC to supplement, replace,
or modify existing cybersecurity reliability standards approved by
NERC. Since existing cybersecurity standards are in effect in the
majority of Canadian provinces, the replacement of such standards in
the United States by FERC could result in inconsistent reliability
standards on the North American grid, thereby potentially undermining
reliability and potentially making the system more vulnerable to a
cyber attack. CEA therefore requests this subcommittee to consider the
impact that provisions in any proposed legislation could have on
Canadian sovereignty and jurisdiction.
need for coordination among industry sectors
As a final matter, CEA is concerned with any legislative actions
taken by Congress that fail to take into account the scope of the
cybersecurity problem. As noted in ``Cyberspace Policy Review,''
cybersecurity affects all sectors and must be addressed in a
comprehensive manner. CEA believes any cybersecurity bill would be
greatly improved by requiring that the necessary information sharing
and collaboration take place between governmental agencies and all the
critical infrastructure sectors, not just electricity. A focus on just
the electricity sector addresses only one piece of a much larger
puzzle, and could, in fact, miss important elements to effectively
addressing cybersecurity in the bulk power sector. The President's
report recognizes that the cybersecurity issue ``transcends the
jurisdictional purview of individual departments and agencies because,
although each agency has a unique contribution to make, no single
agency has a broad enough perspective or authority to match the sweep
of the problem.'' Given the complexity of the cybersecurity problem,
and the need for coordination on an international basis, CEA asks this
subcommittee to exercise caution before developing legislation to
address cybersecurity in the electricity sector.
CEA appreciates this opportunity to provide this statement and
would be happy to answer any questions that may arise during the
hearing.
The North American Electric Power Industry's Top Priority is a Reliable
and Secure Bulk Power System
The stakeholders of the electric power industry continue to work
closely and in partnership with governmental authorities at the
Federal, State/provincial and local levels in both the United States
and Canada in order to maintain and improve upon the high level of
reliability consumers expect. Cybersecurity is an important element of
bulk power system reliability that the electric power industry takes
very seriously.
electric power industry in strong partnership with government
The electric power industry works closely with various government
agencies on bulk power system security. On an on-going basis, we
communicate and collaborate in the United States with the Department of
Homeland Security, the Department of Energy, and the Federal Energy
Regulatory Commission (FERC), and in Canada with the various Federal
and provincial authorities to gain needed information about potential
threats and vulnerabilities related to the bulk power system. The
electric power industry also works very closely with the North American
Electric Reliability Corporation (NERC) to develop mandatory
reliability standards, including cybersecurity standards. In addition,
NERC has an ``alert and advisory'' procedure that provides the electric
power industry with timely and actionable information to assure the
continued reliability and security of the bulk power system.
the electric power industry continuously monitors and acts quickly to
ensure bulk power system reliability and security
Every day, the electric power industry continuously monitors the
bulk power system and mitigates the effects of transmission grid
incidents--large and small. Consumers and government are rarely aware
of these incidents because of the sector's advance planning and
coordination activities which reflect the quick and often seamless
response the sector takes to address reliability and security events.
This response includes prevention and response/recovery strategies--
both are equally important. The industry's strong track record on
reliability and security continues as we work diligently to adhere to
mandatory NERC reliability standards, which are approved by FERC,
including standards that address cybersecurity.
nerc flexible standards approval processes meet majority of grid
challenges
NERC's industry-based and FERC-approved standards development
process yields mandatory standards for the bulk power system that are
clear, technically sound, and enforceable, yet garner broad support
within the industry. NERC is striving to draw from the state-of-the-art
in cybersecurity, through consideration of the National Institute of
Standards and Technology (NIST) framework for cybersecurity, and to
integrate that framework into NERC's existing Critical Infrastructure
Protection standards. NERC has also made important revisions to its
standards development process by putting in place policies that allow,
when necessary, for the confidential and expedient development of
standards, including those related to cyber- and physical security.
emergency cyber situations require an expeditious and efficient
approach
If the Federal Government has actionable intelligence about an
imminent threat to the bulk power system, the electric power industry
is ready, willing, and able to respond. We understand it may be
necessary for Government authorities to issue an order, which could
require certain actions to be taken by the electric power industry. In
these limited circumstances, when time does not allow for classified
industry briefings and development of mitigation measures for a threat
or vulnerability, FERC in the United States and the appropriate
corresponding authorities in Canada should be the Government agencies
that direct the electric power industry on the needed emergency
actions. These actions should only remain in effect until the threat
subsides or upon FERC approval of related NERC reliability standards.
In the United States, Section 215 of the Federal Power Act (Energy
Policy Act of 2005) invested FERC with a significant role in bulk power
system reliability, and it would be duplicative and inefficient to
recreate that responsibility at another agency. As FERC, NERC and the
electric power industry relationships move forward and mature in the
area of reliability and security, any disruption of this would be
counterproductive.
improved electric power industry-government partnership with better
information flow
In nearly all situations the electric power industry can protect
the reliability and security of the bulk power system without
Government intelligence information. However, in the limited
circumstances when the industry does need Government intelligence
information on a particular threat or vulnerability, it is critical
that such information is timely and actionable. After receiving this
information, the electric power industry can then direct its expert
operators and cybersecurity staff to make the needed adjustments to
systems and networks to ensure the reliability and security of the bulk
power system. The electric power industry is fully committed to taking
the needed steps to maintain and improve bulk power system reliability
and security, and stands ready to work with Congress, FERC, other
Government agencies and NERC on these critical issues.
Supporting Associations and Contacts.--American Public Power
Association, Joy Ditto; Canadian Electricity Association, Bonnie
Suchman; Edison Electric Institute, Scott Aaronson; Electric Power
Supply Association, Con Lass; Electricity Consumers Resource Council,
John Anderson; Large Public Power Council, Jessica Matlock; National
Association of Regulatory Utility Commissioners, Charles Gray; National
Rural Electric Cooperative Association, Laura M. Schepis; Transmission
Access Policy Study Group, Deborah Sliz.
______
Statement of Industrial Defender, Inc.
Thank you for the opportunity to submit written testimony regarding
efforts to secure the modern electric grid from physical and cyber
attacks. I appreciate the subcommittee examining these important issues
and am grateful for your willingness to consider my views.
I am the president and CEO of Industrial Defender, Inc., a provider
of cyber risk protection with over 18 years of industrial control
system and SCADA industry experience and more than 7 years of
industrial cybersecurity experience. Industrial Defender has completed
more than 100 process control/SCADA cybersecurity assessments, more
than 10,000 global technology deployments in securing critical
infrastructure systems, more than 3,000 mission-critical SCADA
deployments and provides managed security services for 170 process
control plants in 21 countries. My comments on the subcommittee's
hearing topic follow.
protecting the u.s. electric power infrastructure from physical and
cyber attacks
The Federal Government has a responsibility to protect our Nation's
electric power infrastructure from physical or cyber attacks to ensure
the social, economic, health, and safety of our citizens. There has
been a significant increase in malicious cyber attack attempts on
critical infrastructure electric power entities from suspected
terrorists and even adversarial nations and more action is needed to
fortify our Nation's electric power cyber defenses in order to combat
the potentially dangerous threats. A recent coordinated cyber attack on
the United States and South Korea, which may have originated in North
Korea, involved the malicious use of more than 100,000 computers.
Though this particular attack was not targeted at U.S. electric power
interests, it does suggest that more needs to be done in order to
improve our Nation's cyber defenses.
The majority of electric power assets in the United States are
owned and operated by private sector entities. Based upon private
sector contracts executed by Industrial Defender over the past 7 years
to assess and mitigate cyber risk specific to critical infrastructure
industries, including electric power, oil and gas, water,
transportation, and chemical sectors, we have found that industries
with cybersecurity regulatory mandates in place, including the Chemical
and Electric Power sectors, are industries taking a leadership role in
protecting their digital infrastructure assets. Having regulations in
place, however, does not guarantee 100 percent compliance or
protection. There have been significant challenges within industries
for which mandatory compliance standards have been implemented. A
recent letter to electricity industry stakeholders from Michael
Assante, the Chief Security Officer for the North American Electric
Reliability Corporation (NERC) dated April 7, 2009, raised concern over
the identification of Critical Assets and Critical Cyber Assets (NERC
CIP-002), which are defined as those ``facilities, systems and
equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the Bulk
Electric System.'' Results from a survey published for the July 1-
December 31, 2008 period suggest that certain qualifying assets may not
have been identified as ``Critical''. Of particular concern were
qualifying assets owned and operated by electric power generation
owners and operators, of which only 29 percent reported identifying at
least one critical asset, and transmission owners, fewer than 63
percent of which identified at least one critical asset. This inaction
by electricity asset owners and operators regarding mandatory
compliance requirements gives rise to great concern over the ability of
any voluntary private sector compliance program to be effective. There
is a risk that industries that do not have compliance mandates may be
willing to play the percentages that a critical infrastructure incident
will not happen at their company, rather than spend thousands or even
millions of dollars to mitigate any known risks and vulnerabilities.
Ensuring the reliability and security of the bulk electric system
must be a cooperative and shared responsibility between private sector
organizations and the Federal Government. This should include the
Federal Government overseeing a coordinated effort between public
sector and private sector entities to enhance and enforce the NERC CIP
standards; drive cybersecurity awareness and education within the
public and private sector; require vendor commercial information
security credentials; provide crucial sharing of information regarding
cyber incidents, vulnerabilities, and best practices; provide a
cybersecurity implementation funding incentive; and, offer ``Safe
Harbor Protection'' for private sector companies, ensuring the
elevation of threat and vulnerability information to the Federal
Government while at the same time increasing public awareness and
protection.
industry compliance with nerc standards
In addition to the North American Electric Reliability (NERC)
survey, which raises concerns over the inaction of bulk electricity
asset owners and operators, some bulk electricity providers may be
taking a ``defensible audit position'' in lieu of a well-designed cyber
risk mitigation strategy. It is our opinion that this behavior is the
result of non-descriptive and prescriptive requirements in the current
NERC CIP standards that leave determination of a risk-mitigation
strategy solely to the discretion of industry. Additionally, it is
important to note that up to the latest revision of the NERC CIP
standards, asset owners and operators were permitted to apply
``reasonable business judgment'' in determining risk-mitigation
strategy for critical assets.
The current industry spread relative to interpretation and action
around the current NERC CIP standards is extremely broad. Based upon
experience, significant action was taken by industry in assessing cyber
risk through contracting third parties to provide independent NERC CIP
gap analysis, network design reviews, vulnerability assessments,
penetration testing, and NERC CIP compliance training. Much of this
work was done in advance of the December 31, 2008 deadline; however,
many utilities remain very active in performing this work relative to
their operational assets. What is more concerning, regarding NERC CIP
compliance, is the slow pace at which industry is adopting technology
required to meet NERC CIP-005 and NERC CIP-007 compliance,
specifically, establishing Electronic Security Perimeter and System
Security management for all Critical Cyber-Assets. It is evident, as
represented in Mr. Assante's April 7, 2009 letter to Industry
Stakeholders, that the definition of a ``Critical Asset'', and
associated ``Critical Cyber-Asset'', has been viewed differently
between the private sector and NERC. The private sector's
interpretation, and hence subsequent identification of critical assets,
has resulted in actions that seem contrary to the defined objectives of
securing the Nation's critical infrastructure.
In one example, a major U.S. electric power provider considered
implementing intrusion detection monitoring technology to mitigate
cybersecurity risks and vulnerabilities in order to secure its
substations and meet the required NERC CIP compliance standards.
Currently, the NERC CIP compliance standards focus on ``routable
communication protocols'' and exclude ``non-routable communication
protocols'' and ``communication links''. The electric power entity
eventually made a cost-conscious decision to convert all of its
substations to a non-routable communication protocol SCADA network. As
a result, it did not move forward with the substation equipment
upgrade, resulting in a move backwards instead of using technology to
enhance cybersecurity, workplace efficiency, and productivity.
With over 150 investor-owned utilities, Government-owned and -
operated utilities and a number of smaller municipal electric entities
falling under the jurisdiction of the NERC CIP standards, there should
be significant demand for monitoring technology to support NERC CIP
requirements. Unfortunately, the purchasing behavior of bulk
electricity providers does not match the number of monitoring sensors
needed to support the NERC CIP standards.
government efforts to secure control systems and the electric industry
from physical and cyber attacks
Escalation of threats and exposure of incidences are essential
components of successfully thwarting cyber attacks against the Nation's
critical infrastructure. With 85 percent of the Nation's critical
infrastructure owned and operated by the private sector, the public and
private sectors must work collaboratively, with trusted and open lines
of communication, to ensure the timeliest communication of critical
cybersecurity information. Relying solely on Federal Government
intelligence agencies to identify the threat is a shortsighted
strategy. The private sector represents the most valuable source of
operational intelligence, which must be harnessed in order to
effectively communicate and drive action to reduce the consequences of
pending attacks.
Operational systems (SCADA/Process Control Systems) used to safely
and reliably operate critical infrastructure in electric power, water,
energy, chemicals and transportation sectors lack the necessary
security technology to escalate cyber threats and expose cyber
incidences in real-time so that appropriate action (communication,
emergency orders/actions, etc) can be taken to minimize the impact on
national security, public safety, and economic interests.
Greater investments in ``Defense in Depth Sensor Technology,''
including electronic security perimeter, remote access and
authentication, network intrusion detection, host intrusion detection,
and patch monitoring and management, will enable real-time aggregation
of threats and incidences for real-time reporting. FERC Order 706 also
calls for ``defense-in-depth'' subject to technical feasibility
considerations with NERC oversight.
Through the deployment of Defense in Depth Sensor Technology, the
U.S. Department of Homeland Security (DHS) should assume the role of
``Critical Infrastructure Threat Clearing House.'' The goal of the
Critical Infrastructure Threat Clearing House is to establish lines of
communication between asset owners and operators and DHS to warn the
public of potentially dangerous, malicious, and non-malicious
cybersecurity incidents. It is recommended that DHS establish a ``cyber
heat map,'' populated with intelligence by Defense in Depth Sensor
Technology, which would provide transparency into the current
cybersecurity threats facing the Nation, as well as supply access to
detailed information on each specific threat occurrence. However, for
this to be effective, safe harbor protection should be afforded to the
private sector reporting party (see below).
pending legislation and coverage of the electric sector
Cooperation between private sector organizations and the Federal
Government will need to be achieved to enable increased cybersecurity
protection as well as flexibility to expand these infrastructure
platforms to support future needs. To this end, legislation pending
before Congress could be strengthened to better achieve the separate
goals of the private and public sectors as well as increased public
safety. Important issues that are not currently part of the legislative
proposals are outlined below.
A distinct lack of threat visibility due to the slow
adoption of technology designed to both detect and protect
against cybersecurity threats.
Inclusion of safe harbor protection for private sector
companies, ensuring the elevation of threats and
vulnerabilities to the Federal Government, resulting in
increased public awareness and protection.
An absence of specific descriptive and prescription
recommendations for critical infrastructure systems and
requirements.
Mechanisms to enable a more efficient and timely means of
issuing standards through granting FERC ``authorship''
responsibility. Presently the NERC Standards processes are
largely created and approved by industry and hence are somewhat
self-policing.
Require any full- or part-time contractor with privileged
access to critical infrastructure control related information
system to obtain commercial cybersecurity credentials.
Provision to increase availability of funds for
cybersecurity related equipment and staffing.
Any final legislation promoting public and private sector
collaboration should include the following recommendations.
More Descriptive Definition of Critical Cyber-Assets.--It is
essential that any final legislation specifically identify
which critical cyber assets need to be secured. As it relates
to SCADA/Process Control System security requirements, all
computer or microprocessor-based operational devices used to
monitor, control, or analyze the critical infrastructure where
accurate timing has been deemed necessary must be included to
ensure the integrity of the critical infrastructure. These
devices include, but are not limited to: Power Plant Automation
Systems; Substation Automation Systems; Programmable Logic
Controllers (PLC); Intelligent Electronic Devices (IED);
sequence of event recorders; digital fault recorders;
intelligent protective relay devices; Energy Management Systems
(EMS); Supervisory Control and Data Acquisition (SCADA)
Systems; Plant Control Systems; routers; firewalls; Intrusion
Detection Systems (IDS); remote access systems; physical
security access control systems; telephone and voice recording
systems; video surveillance systems; and, log collection and
analysis systems.
Remove the Exclusion of ``Non-routable Protocols'' and
``Communication Links''.--This exclusion is being used as a
work-around to avoid implementation costs. FERC Order 706
includes comments from the ISA99 Industrial Automation and
Control Systems Security Team objecting to the exclusion of
communication links from CIP-002-1 and non-routable protocols
from critical cyber assets. The comments argue that both are
key elements of associated control systems, essential to proper
operation of the critical cyber assets, and have been shown to
be vulnerable--through testing and experience.
Bolster Public/Private Clearing House.--It is increasingly
essential that private sector asset owners and operators work
collaboratively with the Government to warn the public of
potentially dangerous malicious and non-malicious cybersecurity
incidents. Through the deployment of Defense-in-Depth Sensor
Technology, the U.S. Department of Homeland Security (DHS)
should assume the role of ``Critical Infrastructure Threat
Clearing House.'' The goal of the Critical Infrastructure
Threat Clearing House is to establish lines of communication
between asset owners and operators and DHS to warn the public
of potentially dangerous, malicious, and non-malicious
cybersecurity incidents. It is recommended that DHS establish a
``cyber heat map'' populated with intelligence by Defense in
Depth Sensor Technology, which would provide transparency into
the current cybersecurity threats the Nation faces, as well as
supply access to detailed information on each specific threat
occurrence. In order for this to be effective, safe harbor
protection should be afforded to the private sector reporting
party (see below).
Include Recommendation of Descriptive and Prescriptive
Solutions.--Any final legislation should require the deployment
of Defense-in-Depth Sensor Technology throughout the entire
SCADA/Process Control System network environment. Defense-in-
Depth Sensor Technology includes electronic security perimeter,
remote access and authentication, network intrusion detection,
host intrusion detection, and patch monitoring and management.
Equipping critical infrastructure systems with the appropriate
security sensor technology enables real-time aggregation of
threats and incidences for real-time reporting to the
appropriate authorities.
Provide ``Safe Harbor Protection''.--Presently there is no
``Safe Harbor Protection'' afforded to the private sector for
open ``escalation of threats, exposure of incidences'' with the
Federal Government. Without these protections in place, private
sector companies will be less inclined to share the information
and risk potential negative public exposure. Legislation
pending before Congress attempts to address this issue by
providing protection to disclosed cybersecurity data; however,
the proposals do not provide a similar protection to the
disclosing entity. In order to ensure open communication from
the private sector, it is essential to provide privacy
protection for both the disclosing entity and the disclosed
cybersecurity data. As a means of bridging the communication
gap between public sector and private sector, safe harbor
protection should be provided to private sector companies
escalating threats and/or exposing incidences with the Federal
Government. This protection is not intended to provide a safe
harbor from accountability, but instead to provide protection
to share information with the appropriate authorities. The U.S.
Department of Defense's (DOD) Defense Industrial Base Cyber
Security and Information Assurance (CS/IA) pilot program
initiative, launched in early 2008, offers a potential model on
this issue. The DIB/CSIA has five major components: (1) A
binding bilateral DOD-DIB company framework agreement to
facilitate CS/IA cooperation; (2) threat and vulnerability
information sharing; (3) DIB network incident reporting; (4)
damage assessments; and (5) DOD acquisition and contract
changes. Some of these components might be relevant to
establishing a similar relationship between the Federal
Government and private sector critical infrastructure
companies.
Grant FERC Authorship Responsibility.--Presently, the NERC
Critical Infrastructure Protection (CIP) standards [CIP-002--
CIP-009] provide electric utility private sector guidance on
the subject of cybersecurity. Pending legislation would provide
FERC with emergency authorities to issue actions/orders in the
event of a known cybersecurity threat to the electric utility
infrastructure. These actions/orders would remain in effect
over a defined period of time until they are incorporated into
a standard, and/or the threat is mitigated, or the order/action
expires.
The NERC CIP standards are self-policing in that they are created
and approved by industry. According to FERC Chairman Jon
Wellinghoff in his April 28, 2009 letter to U.S. Representative
Edward J. Markey, ``The commission is committed to exercising
all of the authority that Congress has given it to help protect
the power grid. However, Congress needs to be aware that the
commission's current authority is not sufficient to ensure the
cybersecurity of the grid. The existing process is based on
industry consensus and is, therefore, too slow, subject to
disclosure to potential attackers, and not responsive enough to
adequately address matters that affect national security.''
Granting FERC emergency authorities to act in the event of a
threat or incident is the reactive element of protecting our
Nation's critical infrastructure. Who is responsible for the
proactive element of mitigating our risks, escalating the
threats and exposing our incidences?
In addition to having emergency authorities, FERC should be
granted authorship responsibilities for future cybersecurity
standards to ensure the protection and integrity of the
Nation's electric utility infrastructure. FERC can continue to
leverage NERC for the creation of the standards; however, in
the interest of ensuring timely, descriptive, and prescriptive
cybersecurity standards, FERC must have the authority to author
and issue such standards. Industry input is important to drive
public sector-private sector collaboration; however, the
present self-policing standards leave the Nation's ability to
secure the electric utility infrastructure in a timely manner
vulnerable.
Require a Commercial Cybersecurity Credential.--Any full- or
part-time contractor with privileged access to a critical
infrastructure control information system, regardless of job or
occupational series, would need to obtain a commercial
cybersecurity credential accredited by ANSI or an equivalent
authorized body. The credential would also require maintaining
certified status with a certain number of hours of continuing
professional education each year. This program would be phased
in and have a similar framework as DOD Directive 8570.1
Information Assurance Training, Certification, and Workforce
Program.
Cybersecurity Implementation Monetary Incentives.--This
could be similar in concept and scope to the renewable energy
incentives passed in the Emergency Economic Stabilization Act
of 2008 and/or the Smart Grid incentives of the American
Recovery and Reinvestment Act of 2009 (ARRA).
intrusion detection technology and identification of cyber attacks
Industrial networks, while sharing many of the same technologies as
business networks, differ enough from business networks to make many
conventional threat management approaches ineffective. Industrial
networks tend to be more static and predictable than business networks.
Safety and effectiveness testing costs for industrial networks are very
high, and the effects of technologies like anti-virus scanning and even
security patch management on these computers is unpredictable enough
that no such technologies can be used safely without incurring very
high costs. Industrial networks tend to be tightly controlled--
generally conventional office tools such as word processors,
presentation tools, and email clients are not found on legacy
industrial networks. However, modern industrial leverage base internet
protocols like TCP and HTTP layer on top of these base protocols a
large variety of control-system-custom protocols like Modbus, DNP3,
ICCP and IEC 61850, which are never seen on business networks.
The present lack of investment in equipping industrial network
systems with real-time security sensors to provide visibility into the
current cybersecurity threats, vulnerabilities and incidences plaguing
them has emerged as both a necessary and dangerous initiative in terms
of cybersecurity protection. Based on historical risk and vulnerability
assessment data captured from Industrial Defender professional services
field teams, most SCADA environments contain latent vulnerabilities,
likely with compiled exploits, and are not discovered, on average,
until almost a year later (331 days).
As a result, it is necessary to carefully evaluate security
technologies and techniques before deploying them on industrial
networks and computers. Through the evaluation of many technologies
over the last 5 years, Industrial Defender has found results that span
the entire spectrum from security technologies and procedures that
actively impair the effectiveness of industrial networks and control
systems, through technologies that do not impair networks, but add no
value either, to technologies and approaches that are, in fact,
effective and worthwhile at securing industrial networks.
Network intrusion detection systems (NIDS) are an essential
component of a defense-in-depth strategy, and there are real benefits
in the form of specialized expertise when an outsourced managed service
provider manages NIDS sensors. NIDS sensors developed for industrial
control systems need to be customized with knowledge of industrial
network protocols and systems. The sensors are routinely deployed
inside the security perimeter of the industrial network, monitoring
traffic exchanged between the industrial computers and between those
computers and the business network.
Conventional NIDS technologies are ``signature-based.'' That is,
much like the well-known anti-virus (AV) products used on PC
workstations, signature-based NIDS use a large set of rules called
``signatures'' to scan network traffic. Any traffic that matches the
signature triggers an alert and may trigger corrective action, as well.
A key limitation of conventional signature-based NIDS is that like
signature-based AV, signature-based NIDS can only detect attacks that
it has a signature for. As new vulnerabilities are found in common
computer and network components, new signatures are written to identify
communications patterns of attackers trying to take advantage of those
vulnerabilities. If an attacker discovers a vulnerability or somehow
manages to create an attack vector for a vulnerability before a patch/
fix or signature for the vulnerability is available, that attack is
called a ``zero day'' attack. Signature-based NIDS are by definition
unable to detect zero-day attacks, because those attacks occur before
signatures are available to detect the attacks.
Host intrusion detection systems (HIDS) monitor the operation of
computer systems and alert when suspicious activity is detected. The
archetypical example of HIDS is an anti-virus system. With NIDS, it is
generally possible to monitor networks in a completely passive way,
receiving a copy of every message exchanged on a switch, for example,
without impairing the communications on the switch in any way. This is
important because of the prohibitive cost of re-testing an industrial
solution for safety and effectiveness if an after-the-fact security
monitoring solution changes the behavior of the network significantly.
Control system HIDS have the same imperative--first do no harm.
After-market HIDS must not interfere with the operation of the control
system and must not reduce confidence in the correctness of a control
system to the point where a prohibitively expensive re-test is
required. An industrial HIDS solution must be designed with exactly
this criterion in mind. Most enterprise class HIDS interfere with the
operation of the host, either by accident or by design, or they insert
themselves so deeply into the operating system and kernel of the host
computer, that they destroy all confidence in the continued correct and
safe operation of the control system.
government investment in control systems r&d
One area of focus should be a centralized clearing house for the
correlation of alerts and traffic statistics. Such central oversight
would provide intelligence regarding widespread information gathering
and other attacks. For the central correlation to work, cooperation of
large, managed service providers and large, self-managed networks is
needed, in order to send the necessary standardized alerts, and traffic
statistics to the U.S. Government. If a central agency was the real-
time clearing house for conclusions about traffic patterns and the
correlation of such conclusions, that agency would be able to correlate
suspicious activities across many industrial networks. Such
correlation, especially correlation of traffic profiling results, might
allow the central monitoring agency to identify widespread information-
gathering activities targeted at critical infrastructure networks. Such
activity is a logical precursor to a widespread attack on
infrastructure. It would also allow a central clearing house to draw
conclusions about widespread infections calling out to the internet for
instructions from time to time, which might be a sign of a coordinated
attack on many sites.
Industrial Defender recommends that the Federal Government
investigate establishing a program, correlation infrastructures and
technologies, and the necessary data exchange standards to permit real-
time alerts and traffic statistics to be aggregated centrally.
Individually managed security service providers and large industrial
security/network control centers would be encouraged--or required--to
participate in the program and provide the central authority with the
statistics and other information that the agency requires to calculate
high level correlations. Such a program could provide government and
intelligence agencies with important insights into the health of
industrial networks overall, and with insight into sudden changes or
widespread patterns indicative of preparations for a large-scale
attack.
A second area of focus is to strongly encourage control system
vendor partnerships with the U.S. Department of Energy's National
Supervisory Control and Data Acquisition (SCADA) Test Bed programs at
Idaho National Laboratory and Sandia National Laboratory. There needs
to be a continued and raised emphasis on control system security
product and technology assessments to identify vulnerabilities and
corresponding mitigation approaches when systems are being designed and
built.
______
Statement of Southern California Edison
a lifecycle framework for self-sustaining implementation of smart grid
interoperability and cyber security standards
introduction
Advancing Smart Grid interoperability and security through
standards adoption fosters innovation and accelerates robust, secure,
and reliable Smart Grid deployments. This is achieved by lowering the
barriers to entry for vendors; accelerating secure and interoperable
product time to market; and ultimately lowering costs for consumers.
With all the potential benefits associated with broad standards
adoption it seems reasonable to institute a standards lifecycle
framework to ensure the deployment of a robust and interoperable Smart
Grid. Unfortunately, realizing the benefits of standardization requires
more than just selection of a standard.
Several papers in circulation including papers developed by EnerNex
\1\ and EPRI \2\ show that there are plenty of standards available.
With so many available standards, why has the pace of adoption been
slow? The answer is that the selection of a standard is but one aspect
of a greater product lifecycle. Full realization of the benefits will
require a shared Government and industry focus on a common set of Smart
Grid functions, and a standards lifecycle framework supporting those
functions. The goal of this standards lifecycle framework is to align
policy, standards development, product development, and procurement
actions to create a self-sustaining Smart Grid market. A successfully
operating, self-sustaining Smart Grid product market is defined by
public policy supported by standards that are rapidly adopted by
product vendors seeking certification, and driven by utility
procurement agents only buying products certified to those standards.
The effect in the marketplace is that product vendors are incented to
compete against each other to create products that are increasingly
interoperable and secure. Within this context, it is clear that any
approach needs to be comprehensive and cohesive.
---------------------------------------------------------------------------
\1\ Smart Grid Standards Assessment and Recommendations for
Adoption and Development, draft v0.82, Enernex for California Energy
Commission, February, 2009.
\2\ EPRI Technical Report: Integration of Advanced Automation and
Enterprise Information Infrastructures: Harmonization of IEC 61850 and
IEC 61970/61968 Models, EPRI, Palo Alto, CA 2006. Product ID 1013802.
---------------------------------------------------------------------------
Beyond the creation of a standards lifecycle framework, it should
also be noted that the associated effects of validation, enforcement,
certification, and accreditation are missing or in need of additional
support. Certification and enforcement are critical elements of the
lifecycle. Certification defines test cases that clarify standards
interpretation in products by vendors. In this manner, any ambiguity in
standards interpretation is quickly identified and remedied in such a
closed-loop process. Without such a process, vendors will interpret
standards differently and interoperability will not be achieved.
This holistic approach to standards adoption allows for a more
inclusive stakeholder representation. Achieving increasing levels of
interoperability and robustness will require a concerted effort by all
stakeholders including regulators, Government agencies, utilities,
vendors, commercial organizations, and standards development
organizations. These interests can be represented through a look at the
applicable development and adoption lifecycles and how these lifecycles
intersect. Two of the most relevant lifecycles are the procurement
lifecycle and the standards development lifecycle. These two lifecycles
are significant in that they cover both the development of the products
and standards and the adoption and enforcement of the standards.
standards development lifecycle
The standards development lifecycle is the realization of an
operational need through the articulation of the need, followed by the
development of standards, certification processes, and implementation
validation. The standards process is better served when the
organizations needing to procure the products are involved in this
needs development. In the case of Smart Grid, these organizations are
mostly utilities. Needs are typically represented through business
objectives, use cases, and requirements. These needs should be the
basis for both platform agnostic and platform specific standards
development. The process for establishing and representing the needs
through standards is well-established and actively practiced in the
utility industry.
As shown above in Figure 1, the standards development lifecycle
does not end with the development of the standard; this is simply the
starting point. The standard needs to be implemented, validated and
adopted. In most cases where standards are available but not widely
used, the fault is not with the development of the standard but rather
with the enforcement of the standard. Fortunately, normal competitive
market drivers can be used to enable this piece. Commercial
organizations chartered to validate vendor implementations claiming to
be compliant with a given standard are needed. These organizations play
a critical role in the overall adoption of a standard. There are
several commercial organizations currently providing certification
services including ZigBee, HomePlug, Wi-Fi, and WiMAX. While the
communications space is well-served by these organizations, other
domains have no commercial equivalent. As an example for the electric
grid, there are no commercial security certification organizations.
Utilities and other organization have developed security-related needs
statements and there are many security standards. Again, because there
is no certifying organization the lifecycle is broken and the standards
adoption becomes ad-hoc. Closing the loop with a certification process
is a key to accelerating mature standards. In doing so,
interoperability issues are discovered and regressed into the standards
and the technologies. Without this closed-loop process,
interoperability is almost impossible to achieve on a broad system
spanning multiple vendors.
Ultimately, adoption is achieved through the procuring
organization. The utilities procure devices which extend and enhance
the capabilities of the electric grid. Using security as an example,
devices which are certified as more robust or more secure will be
procured over competing devices offering less robustness or security.
In this way, both the utilities and the vendors have the necessary
incentives to foster a sustainable Smart Grid ecosystem.
procurement-driven standards lifecycle framework
The standards development process relies on the utility procurement
lifecycle for enforcement. This lifecycle also provides other key touch
points with the standards development lifecycle beyond the final
enforcement of a given standard. These touch points give visibility and
provide context for participation of various stakeholders. The utility
procurement lifecycle, at its core, is concerned with procuring
products which meet a given set of criteria. These criteria include
regulatory policy, operational needs, and business functionality as
well as any standards compliance requirements. Regulators and standards
organizations support the utility procurement process at several points
in the lifecycle.
Regulators at both the State and Federal level can provide four key
roles in the lifecycle.
1. Define performance criteria in the context of meeting public
policy objectives. California's ``six criteria'' for advanced
metering is one example;
2. Provide oversight on utility expenditures and can enforce
interoperability and cybersecurity standards adoption;
3. Ensure utility participation in a centralized incident response
effort; and,
4. Refine performance criteria based on continuous improvement.
Continuing with the security example, the procurement lifecycle
merged with the standards development lifecycle to create a
procurement-driven, cybersecurity standards lifecycle framework, as
shown in figure 2 below, provides for a more consistent and more secure
electric grid. In fact, enabling the entire lifecycle is the only way
to increase security capability across the entire grid.
As part of this standards lifecycle framework, various industry
stakeholders are able to define operational needs within the context of
regulatory objectives. These needs are carried into standards
development by utilities and vendors, evaluated for risk and used to
seed various technology-agnostic and technology-specific standards
development by standards development organizations (SDOs). The
resulting standards can be recognized by Federal and State regulators
as meeting policy objectives. While standards development is often
described as a long arduous process, today Smart Grid development can
benefit from the many existing standards available. The current
potential to accelerate standards adoption is described in the ``Smart
Grid Standards Adoption--Utility Industry Perspective'' \3\ white
paper.
---------------------------------------------------------------------------
\3\ Smart Grid Standards Adoption--Utility Industry Perspective
v5.0, by Utility Smart Grid Executive Working Group and Open SmartGrid,
March 23, 2009.
As this lifecycle framework continues, products are developed by
manufacturers and software developers and evaluated for standards
compliance certification by independent commercial labs, which have
been accredited by a Governmental agency such as NIST.
Devices/software are then procured by the utility for
implementation. During the course of utility operations, performance
information is gathered, new threats are identified, and knowledge is
shared. Any security risk that is realized is responded to by a central
incident response team which coordinates the response to the security
event. Again, using the touch points across the standards lifecycle
framework, the industry is able to transfer this security knowledge to
the appropriate organizations.
conclusion
Lower product costs, operational costs, and improved resiliency are
significant benefits associated with standards adoption. In order to
truly realize these benefits, the entire product lifecycle needs to be
considered. There are two complementary views of this lifecycle, the
first view is the standard lifecycle, and the second is the procurement
lifecycle. Certification is a key component of the lifecycle and
without certification the cycle is broken and the ability to achieve
broad interoperability is negated. These lifecycles should be unified
by a comprehensive standards lifecycle framework described above. This
more holistic view also clearly identifies the roles for key
stakeholders' participation. For the energy sector, enabling and
enhancing, this standards lifecycle framework should be the primary
goal.
SCE Response to Questions for the DHS Subcommittee for Cybersecurity,
Emerging Threats, and Science and Technology on July 21
How much of the total cost of its metering infrastructure does SCE
expect to recoup from rate cases?
SCE's Smart Meter program is authorized for full rate recovery by
the California Public Utilities Commission.
Are SCE's assets hardened against an intentional or unintentional
electromagnetic pulse? If so, how did SCE go about mitigating
this threat? How much did implementing protective measures
cost? Was SCE able to recoup these costs in a rate case?
SCE understands the disruption potential of electromagnetic pulse
(EMP) and other threats that pose risks to system availability. These
threats are taken into account as part of our system design. The risk
of the SCE assets being affected by EMP is a function of the
probability, size, and nature of an EMP threat. As such, SCE's risk-
adaptive process accounts for this and other threats through our system
availability, disaster recovery, and business continuity designs.
Please describe how SCE implemented mitigations to the Aurora
vulnerability.
In response to the Aurora Vulnerability, SCE first performed a
detailed assessment of the system to identify and mitigate the
associated vulnerabilities across our service territory in alignment
with NERC recommendations. Additionally, SCE refined planning,
engineering, procurement, security, and compliance policies to support
NERC CIP standards.
What would industry like to see from Government in terms of an alert
and warning system about an impending cyber attack? Does this
early warning system exist today?
We believe the Government has an important role to play in the case
of impending security events. This role should be played in the broader
context of a well-defined structure as articulated in SCE's white paper
``A Lifecycle Framework for Self-sustaining Implementation of Smart
Grid Interoperability and Cyber Security Standards'' which is attached
to this response. Early warning processes in use today include US-CERT,
the Electric Sector--ISAC (ES-ISAC) managed through NERC, as well as
the DHS Daily Open Source Infrastructure Report. All existing early
warning processes would benefit from participating in a broader self-
sustaining, framework that includes the mechanisms for all stakeholders
including policymakers, vendors, utilities and incident response teams
to take actions so the overall electric infrastructure becomes
increasingly secure.
What is the current role of the Federal Government be in defending
against nation-state-level cyber or physical attacks against
electric facilities? What should the role of the Federal
Government be?
We believe the role of the Federal Government should be to work
with industry to align collaborative efforts on policy, standards
development, product development and procurement actions to create the
self-sustaining Smart Grid market as outlined in the attached white
paper ``A Lifecycle Framework for Self-sustaining Implementation of
Smart Grid Interoperability and Cyber Security Standards''. A
successfully operating, self-sustaining market is defined by public
policy supported by standards that are rapidly adopted by product
vendors seeking certification, and driven by utility procurements
buying products certified to those standards. The effect in the
marketplace is that product vendors are incented to compete against
each other to create Smart Grid solutions that are increasingly
interoperable and secure.
Does SCE use the Energy ISAC today? Does SCE believe that the Energy
ISAC is effective in producing timely and relevant analysis and
warnings for the industry? If not, what measures can be
undertaken to improve this capability?
Yes, SCE utilizes the Electric Sector--ISAC (ES-ISAC), managed
through NERC, for warnings applicable to the electric sector. The ES-
ISAC, notifications are supplemented by US-CERT, as a source for our
Anti-vulnerability Emergency Response Team, a 24x7 group of SCE subject
matter experts tasked with vulnerability and incident response.
We do believe the ES-ISAC represents an effective mechanism for
timely and relevant analysis and warnings for the industry. ES-ISAC
participation in the broader industry lifecycle framework, as stated in
the attached white paper, would improve communication on security
events and known vulnerabilities across a broad set of industry
stakeholders.
What are the key aspects of any piece of legislation that seeks to
secure the electric grid from cyber and physical attack?
Legislation seeking to secure the electric grid should consider the
ability to facilitate the standards-driven process which motivates the
market to produce and adopt increasingly secure and interoperable
products.
Are industry-written security standards appropriate to protect assets
as critical to national security as the electric system? If so,
why? If not, should a Federal entity write the standards?
Yes, SCE believes a public/private partnership is the most
effective way to develop cybersecurity specifications and standards. An
example is the current effort between the industry, NIST and the
Department of Energy, known as ASAP-SG, the goal of which is to
organize and articulate Smart Grid cybersecurity standards by
leveraging an existing set of standards will help provide the guidance
necessary for vendors to develop secure product; certification labs to
certify secure product; and utility companies the ability to
confidently procure and implement secure products.
SCE has published three papers on the topic of security and
standards please see: http://www.sce.com/PowerandEnvironment/
smartgrid/.
A P P E N D I X I I
----------
Questions From Chairwoman Yvette D. Clarke of New York for Dr. William
R. Graham, Chairman, Commission to Assess the Threat to the United
States From Electromagnetic Pulse
Question 1. The EMP commission report looked at several
infrastructure sectors, the first of which was electric power. Please
tell us about the vulnerabilities you found there, and if you could
prioritize their criticality. To the best of your knowledge, has the
electric industry attempted to address these vulnerabilities? Where are
we right now in protecting the electric grid and what more must be
done?
Answer. The vulnerabilities found in the electric power
infrastructure include:
a. High-voltage transformer damage due to low frequency (E3) High
Altitude EMP. These transformers are only produced outside the
United States, and at a very low rate. Lead time for delivery
under normal circumstances is months to years.
b. Damage to relays and other control electronics in high-voltage
substations due to high frequency (E1) EMP.
c. Distribution transmission line insulator damage due to E1 EMP.
d. Damage to power control center electronics due to E1 EMP.
e. Widespread blackout of power grids due to simultaneous failures
of controls, transformers, and the loss of load (due to
insulator damage).
As far as I have been able to determine, the electric industry has
not attempted to address these vulnerabilities. The Federal Energy
Regulatory Commission (FERC) has been active in trying to understand
EMP and other electromagnetic threats to the power grid, and they are
encouraging the North American Electric Reliability Corporation (NERC)
to take action with mandatory standards. FERC has asked the Department
of Energy (DoE) to begin the development and demonstration of
protection technologies against EMP, geomagnetic storms, and
Intentional Electromagnetic Interference (IEMI). NERC has also recently
been briefed about EMP and geomagnetic storms by representatives of the
EMP Commission.
While the level of discussion concerning the threat of EMP to the
power grid is increasing, until NERC and the power industry take action
in developing standards and implementing a schedule for protection,
nothing will move forward. It is clear that a national leadership from
the National Security Council, the Department of Homeland Security, and
the DoE is required to move this protection issue forward. Such
leadership has not been forthcoming.
Question 2. Would installing the protections necessary to protect
the electric grid from EMP be costly?
Answer. Protection for the vulnerabilities indicated above would
not be expensive in terms of the initial costs of the equipment, the
replacement costs, or certainly when compared with the cost to the
economy of the United States of an extended electrical blackout.
a. It is recommended that the work of the EMP Commission be studied
by those in charge of ensuring the reliability of the U.S. power
system, with an emphasis on relative vulnerabilities (e.g. 765 kV
network) and in terms of applying protection first to new construction,
where the cost will be at the low end for such protection. The U.S.
experience with military systems indicates that the cost of protecting
new systems from EMP is in the 1-2% range when carried out by
knowledgeable and experienced engineers. Unfortunately, the number of
such engineers has been declining since the end of the Cold War.
b. It is urgent that work begins on adapting international
standards on EMP protection to the U.S. power grid as soon as possible.
It appears that FERC is in the best position to ensure that NERC
develops the proper protection standards and sets a schedule to
accomplish the protection.
Question 3. The ``Smart Grid'' concept means putting more
computerized systems, similar to Systems Control and Data Acquisition
(``SCADA'') systems throughout the grid, down to the level of
individual users such as homes and buildings. Aren't these systems even
more sensitive and susceptible to damage by EMP than the other
components of the electrical grid? In your opinion, would the ``Smart
Grid'' be even more likely to be taken down by EMP than our current
grid if the computer controls were not protected from EMP?
Answer. It is very clear that one of the primary objectives of the
``Smart Grid'' is to reduce the peak power needs by controlling the
power usage by the customer (primarily through time of day pricing or
mandatory reductions in use of electricity at times of high usage of
electricity in various regions). While this approach may be beneficial
in the short run, the information from electronic meters at homes and
buildings will essentially be used to operate the grid, without proper
leadership and systems engineering, will lead to much less margin for
electric power reliability.
Based on experiments performed by the EMP Commission, substation
safety relays have been found to be vulnerable to EMP, but at much
higher levels of threat than standard PC equipment (PCs are extremely
vulnerable to EMP). The point is that Smart Meters (essentially PC
technology) will require a strong, comprehensive effort for both
Electromagnetic Interference (EMI) and EMP protection.
If these meters are not well-protected against EMP, as well as
normal EMI, geomagnetic storms, and IEMI (EM weapons), then EMP will
likely cause a more rapid failure of the new ``Smart'' Grid. The IEEE
Electromagnetic Compatibility (EMC) Society met recently in Austin,
Texas and registered alarm at the lack of basic EMC and EMP protection
standards being referenced by the National Institute of Standards and
Technology (NIST) and the Electric Power Research Institute (EPRI) in
their review of existing important protection standards for the ``Smart
Grid''. A letter from the Society is being prepared to indicate this
concern.
Question 4. New ``Green Generation'' such as wind power will also
require the addition of thousands of miles of new high-voltage
transmission, because most of the wind farms will be located far from
population centers. Aren't these very long high-voltage lines the most
vulnerable to Geomagnetically Induced Currents (GIC), and if that is
the case, shouldn't we be building these transmission lines with EMP
protective technologies?
Answer. Some of the planning performed by industry has indicated, a
preference for 765 kV lines leading from the Midwest, where wind power
can easily be obtained, to Chicago. Studies performed for the EMP
Commission clearly indicated that long high-voltage power transmission
systems (including their connected transformers) are highly vulnerable
to geomagnetic storms. For example, 765 kV systems are more vulnerable
to geomagnetic storms than the lower voltage systems found in most of
the United States. The reason for the use of higher voltages is to
minimize power loss, but protection is needed for the transformers.
Clearly the protection of transformer neutrals, as discussed during the
EMP Commission research, should be applied to all such new transmission
systems as they are built, thereby reducing the cost of installation
compared to the cost of retrofitting. Such geomagnetic storm protection
will also provide protection against E3 EMP.
Questions From Chairwoman Yvette D. Clarke of New York for Mr. Michael
J. Assante, Vice President and Chief Security Officer, North American
Electric Reliability Corporation
Question 1. Why did the Critical Infrastructure Protection
Committee decide against taking action on the EMP Commission findings
during the September 11, 2008 meeting?
Answer. The Critical Infrastructure Protection Committee (``CIPC'')
is a NERC-sponsored, self-governed committee of volunteers representing
users, owners, and operators of the bulk power system and other
interested entities with a mission to advance the physical and
cybersecurity of the critical electricity infrastructure of North
America. The CIPC does not constitute all of the activities related to
Critical Infrastructure Protection undertaken by NERC, nor does it
definitively represent NERC's full position on any matter. The CIPC
advises NERC's Board of Trustees and Electric Sector Steering Group,
along with NERC staff, on matters relating to Critical Infrastructure
Protection.
NERC is not in a position to explain the conclusion stated in the
minutes of CIPC's September 11, 2008 meeting regarding the EMP
Commission report. The CIPC has worked with the EMP Commission in the
past. A subgroup of CIPC, the High Altitude Electromagnetic Pulse Task
Force, was formed during 2002 and 2003 specifically for the purpose of
working with the EMP Commission and providing industry insight and
support for its efforts. That industry participation is referenced
repeatedly throughout the EMP Commission's April 2008 report. At CIPC's
invitation, Dr. Michael Frankel, Executive Director of the EMP
Commission, made a presentation to the committee at its March 2009
meeting about the work of the EMP Commission and the EMP Commission
report.
Question 2. It is our understanding from the April 2009 letter sent
by Mike Assante that a large portion of the electrical industry has not
identified ``critical cyber assets,'' which is a requirement under the
NERC standards. Please explain why this letter was sent and what the
response to the letter has been.
Answer. The prioritization of critical assets for protection is the
foundation upon which NERC's Critical Infrastructure Protection
(``CIP'') standards are built. In developing the standards, the
industry standards drafting team recognized that the protection of
assets must occur in a staged approach, with appropriate focus being
given to those elements of the system deemed ``critical'' to
reliability. This approach was approved by the Federal Energy
Regulatory Commission (``FERC'') in its conditional approval of NERC's
Reliability Standards CIP-002--CIP-009 in Order No. 706 on January 18,
2008.
``Critical assets'' are defined in NERC's glossary of terms as
those ``facilities, systems, and equipment which, if destroyed,
degraded, or otherwise rendered unavailable, would affect the
reliability or operability of the Bulk Electric System.''\1\
---------------------------------------------------------------------------
\1\ NERC Glossary of Terms. Version dated April 20, 2009. http://
www.nerc.com/files/Glossary_2009April20.pdf.
---------------------------------------------------------------------------
Reliability Standard CIP-002 ``requires the identification and
documentation of the Critical Cyber Assets associated with the Critical
Assets that support the reliable operation of the Bulk Electric
System.''\2\
---------------------------------------------------------------------------
\2\ NERC Reliability Standard CIP-002-1. http://www.nerc.com/files/
CIP-002-1.pdf.
---------------------------------------------------------------------------
Due to the nature of the system, not all Registered Entities own or
operate critical assets. Many Registered Entities, for example, own or
operate a single small generating station, which would not necessarily
be deemed ``critical'' under the definition above.
As part of the implementation plan for the CIP standards, NERC
requires Registered Entities to self-certify their progress in coming
into compliance with certain Reliability Standards. Responses received
from the industry for the period of July-December 2008 raised a concern
that all respondents may not have applied a suitable approach in
identifying critical assets and their associated critical cyber assets.
The April 7, 2009 letter sent by NERC's Chief Security Officer Michael
Assante sought to bring clarity to the discussion of appropriate
approaches to critical asset identification. The letter encouraged
Registered Entities to take a fresh look at current risk-based
assessment models to ensure they appropriately account for new
considerations specific to cybersecurity, such as the need to consider
misuse of a cyber asset, not simply the loss of such an asset. Final
decisions regarding appropriate identification of critical assets and
their associated critical cyber assets will be made through NERC's
compliance and enforcement efforts. Compliance audits on the CIP
standards have already begun.
The April 7 letter is part of the iterative process between NERC
and industry stakeholders as we work together to improve reliability.
In this case, NERC gathered information about the status of
implementation of the Critical Infrastructure Protection standards and
fed that information and its own insights back to the industry as part
of a cycle of continuous improvement. NERC is working to address a
critical element of the cybersecurity challenge: The educational
learning curve and resulting compliance-related challenges that must be
addressed to improve the cybersecurity of the bulk power system.
Question 3. Describe the expense and technical challenges in
installing or implementing cyber and EMP protections for the grid?
Answer. The expense and technical challenges associated with
implementing cyber and EMP protections for the grid depend upon the
types of protections required and the grid systems being addressed.
Thus, NERC cannot respond specifically, but we are able to provide a
general response.
The nature of the Bulk Power System creates unique complexity in
addressing security risk. The interconnected system includes
approximately 5,000 generating plants, 165,000 miles of transmission
lines, 20,000 substations, and millions of digital controls. These
assets are widely dispersed, primarily located outside, and are owned
and operated by approximately 1,800 different entities. The variance in
size and organizational structure of these 1,800 entities present
additional challenges. Entities range in size from thousands of
employees to 20 or fewer employees. The organizations range from large
investor-owned utilities like Exelon and Pacific Gas & Electric to non-
profit electricity market operators like ISO New England; from small
municipally owned utilities like the City of Orrville, OH to large
Government agencies like the Tennessee Valley Authority and the U.S.
Army Corps of Engineers; and from independent owners of individual
generating plants like JP Morgan Ventures to cooperatives of all sizes,
from Great River Energy to Bluebonnet Electric Cooperative.
Systems are highly customized for specific environments, and, while
common components are often used, unique configurations present
challenges in providing uniform, specific guidance on protections.
Actions that result in improved security on some systems could
potentially result in degraded security on others. More effective
approaches often involve a range of acceptable mitigation options.
The real-time operating environment also presents an important
technical challenge, such that security controls that may be
appropriate in other settings could present significant risks to the
reliable operation of the system were they to be similarly applied to
the bulk power system.
NERC believes that the asset owners would be in the best position
to provide specific information on the costs and technical challenges
of various protections.
Question 4. Do plans or procedures exist for the electric industry
in the case of a known cyber attack or an imminent EMP? If so, can you
outline them for us?
Answer. NERC's Critical Infrastructure Protection standards require
an annual exercise for response to cybersecurity events. Standard CIP-
009 requires that recovery plans be put in place for Critical Cyber
Assets and that these plans follow established business continuity and
disaster recovery techniques and practices.\3\
---------------------------------------------------------------------------
\3\ NERC Reliability Standard CIP-009. http://www.nerc.com/files/
CIP-009-1.pdf.
---------------------------------------------------------------------------
To my knowledge, no electric industry plans or procedures have been
developed specifically for an imminent EMP.
Initial planning for response to an imminent geomagnetic event was
completed by many entities in response to the 1989 geomagnetic storm
that triggered a widespread blackout in Quebec. Response to an imminent
EMP threat would require similar measures for certain components of an
EMP, but those measures would not deal with all aspects of an EMP.
Over the past year, NERC has been working to improve industry-wide
responses to known or imminent threats of all kinds. NERC's alerts
system allows it to reach nearly 5,000 industry professionals at
operations centers, power plants, and other power system facilities
across North America. A next-generation alerts tool is currently
nearing completion, which will enable recipients to view and submit
secure information to NERC. Contacts will be able to receive alert
information via text message and e-mail.
Question 5. Does NERC have requirements for cyber and physical
protections for new ``Smart Grid'' assets?
Answer. NERC Reliability Standards apply to the Bulk Power System
as defined in Section 215 of the Federal Power Act:
(A) facilities and control systems necessary for operating an
interconnected electric energy transmission network (or any portion
thereof); and
(B) electric energy from generation facilities needed to maintain
transmission system reliability. The term does not include facilities
used in the local distribution of electric energy.
Thus, ``Smart Grid'' assets that are necessary to the operation of
the Bulk Power System can be covered under NERC Reliability Standards,
but those located on facilities used in the local distribution of
electric energy are not, unless such assets materially impact the bulk
power system.
NERC is coordinating with NIST as it develops interoperability and
system security standards for ``Smart Grid'' systems at the
distribution level, as directed in FERC's July 2009 ``Smart Grid Policy
Statement''.
Question 6. What efforts has NERC made to adopt NIST security
standards? How do the current NERC standards differ from NIST 800-53
standards?
Answer. NERC currently has efforts underway to adapt the NIST
framework for use in power system applications. The Cyber Security
Order 706 Drafting Team recently posted a concept paper entitled
Categorizing Cyber Systems: An Approach Based on BES Reliability
Functions for industry comment, which outlines a proposed framework for
revising the existing Critical Infrastructure Protection Standards.
Comments on the concept paper are due from industry on September 4,
2009.
Existing NERC standards primarily differ from the NIST framework in
several ways:
(1) NERC standards do not presently assign a ``level of risk''
(Low-Medium-High) to an asset being protected;
(2) NERC standards do not include a graduated approach to controls
to align with such a ``level of risk'' framework; and
(3) NERC standards apply to individual assets and do not
comprehensively consider the systems or networks of which they
are a part or the function for which they are employed.
Question 7. Is NERC required by law to follow an ANSI standards
development process in writing CIP standards?
Answer. No, NERC is not required by law to have an ANSI-accredited
standards process. Section 215 of the Federal Power Act does require
that NERC's standards development process ``provide for reasonable
notice and opportunity for public comment, due process, openness, and
balance of interests in developing reliability standards . . . ''.
(Sec. 215(c)(2)(D)). These factors are very similar to the central
characteristics of an ANSI-accredited process, and in certifying NERC
as the ERO, FERC found that NERC's ANSI-accredited standards
development process meets the statutory requirements. NERC's standards
development process is set forth in NERC's Rules of Procedure, which
FERC has approved.
Question 8. Is it possible that foreign adversaries have penetrated
the electric grid and are in position to cause significant damage at a
time of their choosing? Are utilities capable of knowing this?
Answer. I am unable to discuss that question in an open forum. I
would be prepared to work with the appropriate Government agencies to
arrange a secure briefing for the subcommittee at its request.
As raised in my written testimony, the electric grid is placed at
significant risk as a result of limited information-sharing between the
Federal Government intelligence community and asset owners. In order to
adequately protect their systems, asset owners need to know what to
look for. The origin and signature of potentially dangerous code
continually change and are identified by the Federal Government
intelligence community. This information often remains classified,
leaving asset owners without access to this classified information
unable to protect and respond to potential threats.
Question 9. What are the largest risks to the electric grid, and
what is NERC doing to mitigate those risks? In assessing the risk to
these systems, how do you assess threat?
Answer. Some of the largest risks to the electric grid include
frequent, uncontrollable events such as severe weather and other
natural disasters. Other large risks are controllable events, such as
the causal factors of the August 14, 2003 blackout: Untrimmed trees,
untrained system operators, and malfunctioning equipment.
NERC's over 100 Reliability Standards focus on mitigating
controllable risks, requiring that transmission owners maintain
appropriate vegetation clearance around transmission lines, that all
system operators are trained and certified, and that communications
protocols are in place to ensure system operators are able to respond
to events effectively.
Cybersecurity is another significant risk to the system. One of the
most concerning aspects of this challenge is the cross-cutting and
horizontal nature of networked technology that provides the means for
an intelligent cyber attacker to impact multiple assets at once, and
from a distance. The majority of reliability risks that challenge the
bulk power system today result in probabilistic failures that can be
studied and accounted for in planning and operating assumptions.
Cybersecurity is unique; system planners and operators must recognize
the potential for simultaneous loss of assets and common modal failure
in scale in identifying what needs to be protected. This is why
protection planning requires additional, new thinking on top of sound
operating and planning analysis. NERC believes asset owners and system
operators are critical to the protection planning process and to
determining the appropriate and necessary protections for their
operating environments.
High Impact, Low Frequency (``HILF'') events, such as EMP events
and pandemic illness, also present significant risk to the electric
system. These events are the subject of an upcoming workshop to be
conducted by NERC and the Department of Energy, presently targeted to
be held in mid-November 2009. (Please refer to NERC's response to
Question 15 for further information on this effort.)
Relative threat can be defined as a function of the probability and
severity of a given event. HILF events are typically characterized by
probability that is uncertain relative to other threats. Though, to
NERC's knowledge, the North American Bulk Power System has never
experienced a coordinated cyber attack that has affected reliability or
a high-altitude detonation of a nuclear weapon, past experience is not
a reliable indicator of future occurrence. NERC and the industry have
no illusions of immunity to these threats.
Question 10. Has NERC done any analysis on the security of the
electric grid from cyber or physical (EMP) attack? If so, how secure
and resilient does NERC believe the grid is today?
Answer. NERC has several efforts underway to assess security and
preparedness, including its Cyber Risk Preparedness Assessment, Bulk
Power System threat assessment program, and the HILF initiative. NERC
also supported and participated in the development of the EMP
Commission report.
NERC believes that as Registered Entities are coming into
compliance with NERC's CIP standards, the system as a whole is becoming
more prepared to deal with the effects of a cyber attack to the bulk
power system. Due to the ever-changing nature of this threat, however,
the Bulk Power System may never be fully secure from all potential
coordinated cybersecurity threats.
Certain of the measures and practices utilities put in place in
response to the 1989 geomagnetic event in Quebec could provide some
measure of protection against some, but clearly not all, manifestations
of an EMP attack.
Question 11. What limitations does the term and definition of
``bulk power system'' have on the security of the electric grid at
large? Assuming we can protect the ``bulk power system'' from attack,
will that be adequate to protect the U.S. electric system?
Answer. The ``Bulk Power System'' is defined in Section 215(a)(1)
of the Federal Power Act as:
(A) facilities and control systems necessary for operating an
interconnected electric energy transmission network (or any
portion thereof); and
(B) electric energy from generation facilities needed to maintain
transmission system reliability.
The term does not include facilities used in the local distribution
of electric energy.
The authority granted by Section 215 to the Federal Energy
Regulatory Commission and NERC as the ``Electric Reliability
Organization'' places appropriate focus on the reliability of the
``Bulk Power System,'' as outages and disturbances on that system have
the potential for far greater impact than those on distribution
systems. However, the terms ``Bulk Power System'' and ``U.S. electric
system'' are not synonymous. Protecting the former does not guarantee
that the latter will be entirely protected. Local distribution
facilities are generally outside NERC's jurisdiction, except (as noted
above) where local distribution facilities materially impact the Bulk
Power System. The States of Alaska and Hawaii are also outside NERC's
jurisdiction.
Question 12. Can the electric grid be significantly disrupted
through attacks on assets that are not addressed by NERC CIP standards?
Answer. Yes. Beyond the electric sector, debilitating attacks on
other critical infrastructures, such as natural gas pipelines,
railways, and telecommunications, could significantly affect the Bulk
Power System.
Question 13. What efforts have been initiated by NERC to require
asset owners to secure this infrastructure from electromagnetic pulse
events? Please provide specific details.
Answer. NERC has recently partnered with the Department of Energy
on the ``High Impact, Low Frequency'' event workshop currently targeted
to be held in mid-November. One of the goals of this workshop is to
provide guidance for the development of future requirements of this
nature. Please refer to NERC's response to Question 15 for further
information on this effort.
Question 14. Does an early detection and warning capability for
cyber and physical threats exist for the electric industry today? If
not, why not?
Answer. Elements of an early detection capability exist, but
mechanisms are needed to promote more information sharing between the
Federal Government intelligence community and asset owners. When
physical or cybersecurity events affecting critical cyber assets occur
on the system, asset owners are required by NERC Reliability Standards
to report this information to NERC. Asset owners are also encouraged,
and many do, to report additional security events to NERC in its role
as the ES-ISAC and submit an OE Form 417 to the Department of Energy
regarding the event.
Mechanisms like NERC's alerts system and notifications from the
United States Computer Emergency Response Team serve as effective
warning capabilities for distributing critical information to the
electric sector. Both mechanisms are capable of reaching wide audiences
within the industry. Through its alerts system, NERC is able to require
entities in receipt of the alert to acknowledge receipt and report to
NERC on actions taken on recommendations included in the alert. NERC's
last recommendation (December 2008) was met with a 96% response rate.
Question 15. What is the High Impact/Low Probability Working Group?
When and why was it started? How will findings from this group affect
the NERC CIP standards?
Answer. In partnership with the Department of Energy, NERC has
recently begun an effort to assess ``high impact, low frequency''
risks--or, more accurately, those risks whose likelihood of occurrence
is uncertain relative to other threats, but that could significantly
impact the system were they to occur. Officially launched on July 2,
the effort is a culmination of high-level discussions between
leadership at NERC and the Department of Energy. NERC and DOE are
currently recruiting members for the joint industry/Government working
group, which will examine the potential impacts of these events on the
bulk power system. The group will focus on influenza pandemic, space
weather, terrorist attacks, and electromagnetic pulse events and host
an invitation-only workshop in the coming months to discuss their
assessment and develop conclusions and recommendations to industry
based on their work. These recommendations will be used to drive needed
technology research, development, and investment and also to evaluate
NERC's current standards and initiatives, potentially driving the
creation of new standards to address these issues.
The workshop is currently slotted for mid-November 2009.
Question 16. What responsibility and involvement does NERC have in
Smart Grid development and deployment?
Answer. NERC has supported the development of certain ``Smart
Grid'' resources on the transmission system through its support of the
North American Synchro-Phasor Initiative (``NASPI''). Coordinated with
industry and the Department of Energy, this initiative is designed to
improve power system reliability and visibility through wide area
measurement and control using ``phasor measurement units'' or ``PMUs''.
The NASPI community is working to advance the deployment and use of
networked phasor measurement devices, phasor data-sharing, applications
development and use, and research and analysis.
NERC also referenced the development of the ``Smart Grid'' and its
potential effects on the reliability of the bulk power system in its
2008 Long-Term Reliability Assessment, briefly mentioning cybersecurity
as a primary concern when deploying ``Smart Grid'' infrastructure.
NERC's technical committees are currently forming a ``Smart Grid Task
Force'' to further review this issue.
As mentioned above, NERC is also coordinating with NIST through its
development of Smart Grid interoperability and system security
standards.
Questions From Chairwoman Yvette D. Clarke of New York for Mr. Steven
T. Naumann, on Behalf of Edison Electric Institute, Electric Power
Supply Association
Question 1. Does the industry believe that physical or cyber events
are serious issues to the functioning of the electric grid?
Answer. Yes. The industry takes all threats to the reliability of
the bulk power system seriously.
Question 2. Is it possible that foreign adversaries have penetrated
the electric grid and are in position to cause significant damage at a
time of their choosing? Are utilities capable of knowing this?
Answer. I do not know. Utilities continually monitor their systems
for intrusions. I do not know whether all utilities are capable of
detecting all intrusions.
Question 3. What are the largest risks to the electric grid, and
what is EEI doing to mitigate those risks? In assessing the risk to
these systems, how do you assess threat?
Answer. Historically, the largest risks to the grid have been
created by acts of nature including hurricanes, ice storms, wildfires,
and flooding. The interconnected nature of the electric grid has led to
traditional coordination by the North American electric power companies
in responding to those risks.
EEI member companies continually assess operational risks be they
natural or manmade and work to put appropriate risk mitigation measures
in place.
Most organizations perform risk assessments that include the
following elements:
Identifying threats that could harm and, thus, adversely
affect critical operations and assets. Threats include such
things as intruders, criminals, disgruntled employees,
terrorists, and natural disasters.
Estimating the likelihood that such threats will materialize
based on historical information and judgment of knowledgeable
individuals.
Identifying and ranking the value, sensitivity, and
criticality of the operations and assets that could be affected
should a threat materialize in order to determine which
operations and assets are the most important.
Estimating, for the most critical and sensitive assets and
operations, the potential losses or damage that could occur if
a threat materializes, including recovery costs.
Identifying cost-effective actions to mitigate or reduce the
risk. These actions can include implementing new organizational
policies and procedures as well as technical or physical
controls.
Companies throughout North America maintain strong programs to
anticipate events such as hurricanes and winter storms, and to
efficiently mitigate damage and restore service when such events
happen. Coordination with Federal, State, and local governments,
including law enforcement and emergency management, is a critically
important part of these planning processes. Through decades of
experience with these extremely challenging events, electric companies
understand systemic risks, including especially the nature of the
reliance of the electric industry on other key infrastructure
industries such as natural gas pipelines and telecommunications. In
recent years, the electric utility industry has added a strong emphasis
on physical and cybersecurity in response to potential terrorist
attacks on critical infrastructure.
Question 4. What would industry like to see from Government in
terms of an alert and warning system about an impending cyber attack?
Does this early warning system exist today?
Answer. The industry is strongly interested in receiving timely,
actionable and specific threat information, and having the opportunity
to engage in consultation with Federal agencies as to appropriate
response/attack mitigation strategies. Some elements of warning systems
exist today. However, timely delivery of specific threat/threat actor
information has been a challenge, due to barriers posed by sharing of
classified information, as well as the time required by Government
agency staff to obtain approval to release information to private
industry participants. The approval and communications challenges are
magnified when multiple Government agencies are involved. If the
Congress wishes the electric sector to be in a position to respond to
an impending cyber attack it simply must take steps to provide specific
threat/threat actor information to the sector--with appropriate
mechanisms to protect against inappropriate distribution and release of
classified or other security-sensitive information.
Question 5. What is the current role of the Federal Government in
defending against nation-state-level cyber or physical attacks against
electric facilities? What should the role of the Federal Government be?
Answer. There are multiple Federal agencies involved in defending
against cyber or physical attacks perpetrated by nation-states and
other adversaries against electric facilities, including: The
Department of Defense, the Department of Energy, the Department of
Homeland Security, the Federal Bureau of Investigation, and the Office
of the Director of National Intelligence, among others. While it would
be difficult to describe their mission profiles with precision, the
industry is very interested in receiving timely, actionable, and
specific threat information from these various entities.
Question 6. What are EEI and its industry representatives doing to
address the April 8, 2009 Wall Street Journal article discussing the
existence of ``cyberspies'' in the electric grid?
Answer. NERC has been charged by Congress with overseeing the
reliability of the bulk power system and addressing issues
substantively. In light of this, I suggest that NERC is the appropriate
entity within our sector to address and answer this question in detail.
Question 7. Have each of the EEI member companies fully implemented
the mitigation measures for the Aurora vulnerability? How much did the
security upgrades cost and how long did it take to mitigate these
vulnerabilities?
Answer. I do not have first-hand knowledge of the actions of other
companies in response to Aurora, nor the costs to mitigate any
vulnerabilities. I believe that Exelon has fully implemented the
mitigation measures for the Aurora vulnerability. The costs incurred by
the Exelon Companies, Commonwealth Edison Company, Exelon Generation
LLC and PECO Energy, in complying with the Aurora Advisory were
approximately $1.2 million.
EEI does not have specific knowledge of how many companies have
mitigated the Aurora vulnerability, or the costs incurred.
Question 8. EEI has a program called the Spare Transformer
Equipment Program, or ``STEP'' program, which is supposed to increase
the electric industry's inventory of spare transformers in the event of
a transmission outage caused by a terrorist attack. How many extra
transformers have been acquired as a result of that program?
Answer. The purpose of the STEP program is to facilitate a
contract-based business program to support more efficient management of
existing inventories of transformers for dealing with a triggering
event, specifically a deliberate destruction of electrical transformers
in connection with a terrorist event. The program is not intended to
increase stockpiles per se, but to set terms and conditions for the
sharing of inventories among the owners of these kinds of equipment.
Thus, when a company orders a new transformer, it is difficult to
specifically determine whether that order has been triggered by
ordinary business needs, or, by the terms of the STEP contract. In
addition, confidentiality provisions of the STEP agreement prohibit
disclosure of various kinds of information.
Question 9. What are EEI's concerns about granting FERC authority
to set standards for security?
Answer. The legislative discussion to date has focused on how best
to ensure that electric companies will take actions in response to
immediate cyber-related emergency threats. Whether conducted by FERC or
NERC, EEI believes that a standards process is ill-suited for
addressing this need. The present focus of the discussions is on the
need for FERC to address cybersecurity issues for the bulk power
system, over which it has reliability jurisdiction. EEI believes that
this is the appropriate FERC role.
Legislation should define a single agency for issuing national
emergency actions to the electric sector. For the kinds of broad cyber-
related threats and vulnerabilities that might relate to needs for
national emergency actions, EEI believes that the primary authorities
located within both DOE and DHS are the appropriate locations for
dealing with these matters. For DOE, its role as lead agency for the
Electricity Sector Coordinating Council (``ESCC'') under the National
Infrastructure Protection Plan (``NIPP'') suggests a broad coordination
and communication role. For DHS, its broad agency role and activities
with the electric industry to date suggests such a role.
For other threats and vulnerabilities that are not of an imminent
national emergency nature, the Self Regulatory Organization (``SRO'')
model for setting standards throughout North America is strong and
should be sustained. The electric industry recognizes that the NERC
Critical Infrastructure Protection Standards need improvement.
Development of the next version of Critical Infrastructure Protection
Standards has just begun. In addition to addressing security-related
concerns at NERC through the standards development process, various
NERC communications processes and technical committee reviews can be
used to discuss and communicate security-related reliability issues.
Questions From Chairwoman Yvette D. Clarke of New York for Mr. Joseph
H. McClelland, Director of Reliability, Federal Energy Regulatory
Commission
Question 1. What is the current role of the Federal Government in
defending against nation-state or terrorist cyber or physical attacks
against electric facilities? Should the security of the electric grid
rely on voluntary private sector measures? What should the role of the
Federal Government be?
Answer. The commission currently has a limited role in defending
against nation-state or terrorist cyber or physical attacks against
electric facilities. Section 215 of the Federal Power Act (FPA)
authorizes the commission to approve and enforce mandatory reliability
standards for the bulk-power system, including cybersecurity standards.
The commission does not, however, have authority to author or modify
cyber- or physical security standards, and it has no authority to order
immediate steps to mitigate a threat or vulnerability that is not
addressed by current standards. The commission can only approve or
remand reliability standards submitted to it by the North American
Electric Reliability Corporation (NERC), the commission-certified
Electric Reliability Organization (ERO). The commission can direct NERC
to submit a reliability standard or a modification to a reliability
standard that addresses a specific matter, but it cannot control the
content of the draft standard to ensure that it sufficiently addresses
the commission's directive. In the event that an inadequate standard is
submitted, the commission can either approve the inadequate standard
and direct modifications, or reject the standard and thereby have no
standard in-place until a replacement standard is drafted by NERC and
filed with the commission.
Cyber or physical attacks on the bulk-power system may constitute
threats to national security, military readiness, public safety, and
our Nation's economic well-being. Because of the wide-spread effects
and serious consequences that a successful cyber attack may bring, it
is important that swift, consistent, and effective action is taken by
entities to prevent such attacks. Such action cannot be assured through
a voluntary or decentralized process. The Federal Government should
have the ability to protect against such attacks by having emergency
authority to order mitigation measures when necessary.
Question 2. Does an early detection and warning capability for
cyber and physical threats exist for the electric industry today? Is
this an appropriate role for the Federal Government? What are the
technical and political challenges in creating such a system?
Answer. Currently, there is no true early detection and warning
capability for cyber and physical threats. Although the electric
industry voluntarily created the Electric Sector--Information Sharing
and Analysis Center (ES-ISAC) to share information on certain physical
and cybersecurity events (such as surveillance issues, break-ins,
thefts, viruses, computer worms, etc), the scope and amount of shared
information is limited.
An early detection and warning system by itself, however, is not
sufficient. Considering the potential impact that a successful cyber or
physical attack on the power grid could have on the safety, economy,
and military readiness of the United States, the Federal Government
should have the ability to order specific measures to protect against
such attacks, in addition to warning entities of imminent threats.
In addition to challenges related to the secure and coordinated
communication of sensitive information, including protecting such
information from public disclosure, the challenges to implementing any
new Federal authority would include: The ability to protect critical
information about physical and cybersecurity threats and
vulnerabilities and the mitigation measures employed to address them,
the ability to provide cost recovery for utilities that comply with a
directive to perform mitigations, and determining which power grid
facilities in the United States should be subject to the commission's
jurisdiction. Turning to technical challenges, it will be important to
work with other agencies that can quickly identify critical system
vulnerabilities and threats in order to rapidly develop effective
solutions, thereby equipping the affected members of the electric
industry to implement timely and effective mitigation measures.
Question 3. Who within FERC is charged with protection of the
electric grid from electromagnetic pulse? Who within FERC is charged
with protection of the electric grid from cyber attack?
Answer. As previously mentioned, section 215 of the FPA creates a
limited role for the commission with respect to overseeing the cyber-
and physical security of the bulk power system. The commission can only
approve or reject reliability standards as they are developed and
proposed by the ERO. Although the commission can direct the ERO to
develop or modify a reliability standard to address a specific matter,
it cannot author or modify the standards.
My office, the Office of Electric Reliability, has primary
responsibility for monitoring the ERO's development of reliability
standards and modifications to reliability standards. The Office of
Enforcement has primary responsibility for overseeing the enforcement
of existing standards, including the eight cybersecurity standards
approved by the commission in Order No. 706. Currently, there are no
standards to protect against electromagnetic pulse, and therefore there
is no group or person at the commission charged with protecting the
electric grid from electromagnetic pulse.
Question 4. What are the current shortcomings in FERC authority to
regulate physical and cybersecurity practices throughout the electric
grid?
The commission's primary authority in this area is section 215 of
the FPA. Under the current statutory framework, however, the commission
cannot author or modify reliability standards, and it has no authority
to order emergency mitigation measures. The commission can direct NERC,
as the ERO, to develop reliability standards or modifications to
reliability standards that address specific matters, but this requires
action through NERC's standard development process.
The commission's current authority is not sufficient to protect the
electric grid from cyber- or physical security vulnerabilities and
threats that endanger national security. The NERC standard development
process is an open and inclusive stakeholder ballot process that
typically takes time and can produce results that inadequately respond
to the commission's directives. Although NERC has an expedited process,
that expedited process has never been used, and even the expedited
process is not likely to allow a timely, adequate response to an
imminent threat. If the commission has to rely on the NERC process, and
that process results in a standard that does not adequately address the
threat, the commission has no authority to modify the standard and
would be limited to remanding it back for additional ``expedited''
processes, leaving the grid vulnerable in the meantime.
Question 5. What limitations does the term and definition of ``bulk
power system'' have on the security of the electric grid at large?
Assuming we can protect the ``bulk power system'' from attack, will
that be adequate to protect the U.S. electric system? Are all cities
protected? Are facilities in Alaska and Hawaii protected? Are all
generation, transmission, and distribution systems protected?
Answer. Currently, the commission defines the term ``bulk power
system,'' based on an industry-developed definition, as ``the
electrical generation resources, transmission lines, interconnections
with neighboring systems, and associated equipment, generally operated
at voltages of 100 kV or higher.'' However, the definition is subject
to the interpretation of the regions and therefore can vary
considerably from place to place. This results in inconsistent
designations of what constitutes the ``bulk power system'' and
therefore what facilities are regulated by the reliability standards.
For instance, this definition excludes some major metropolitan areas
such as New York City.
Additionally, section 215 of the FPA precludes the application of
reliability standards to Alaska and Hawaii and to ``facilities used in
the local distribution of energy.'' Consequently, the commission cannot
use its limited authority to protect Alaska, Hawaii, and distribution
systems from physical and cyber threats.
Question 6. Can the electric grid be significantly disrupted
through attacks on assets that are not regulated by FERC (i.e. assets
that do not belong to ``bulk power system'')?
Answer. Yes. For example, a city or region with a large number of
Smart Meters without appropriate cybersecurity protections that allow
for remote disconnect is vulnerable to an attack that could cause
significant disruption. If an attacker commanded all the meters to
disconnect, the entire load would be dropped rapidly, which could cause
large amounts of generation to be dropped, thereby potentially creating
cascading outages through the transmission system. In addition, attacks
could cause more permanent damage to the meters, to the point that they
would need to be manually replaced and reprogrammed before they could
be used again. Such repair could take several weeks, delaying power
restoration to affected areas.
Question 7. Why should FERC be given authority to protect systems
and assets from physical attack? What kinds of dangers are posed by
physical threats like over-voltages and/or overcurrents?
Answer. The commission should be granted authority to protect
systems from physical attacks because it is the agency charged with
overseeing the reliability of the grid, and physical attacks can cause
equal or greater destruction than cyber attacks. Direct physical
attacks on electric facilities, either through malicious physical
assault or natural occurrences can have devastating consequences. A set
of well-coordinated direct physical attacks on the grid could
jeopardize national security and military readiness and threaten the
Nation's social and economic stability. Any crisis created by a
physical attack could be compounded by an inability to immediately
replace damaged equipment. Lead time for purchase and delivery of the
most critical equipment (such as large power transformers) can be up to
2 years because of limited production and the fact that no domestic
manufacturer currently provides these devices. The bulk power system is
designed to withstand the loss of some critical equipment, but not at
the magnitude that could fail because of a physical attack. The
commission does not need, however, to displace local or other Federal
authorities that have oversight of physical security.
One example of a physical threat is an electromagnetic pulse (EMP)
event. In 2001, Congress established a commission to assess the threat
from EMP, with particular focus on the nature and magnitude of high-
altitude EMP threats to the United States, the vulnerability of U.S.
military and civilian infrastructure to an attack, the capability to
recover from an attack, and the feasibility and cost of protecting
military and civilian infrastructure, including energy infrastructure,
from an attack. In 2004, the commission issued a report describing the
nature of EMP attacks, vulnerabilities to EMP attacks, and strategies
to respond to an attack. The commission issued a second report in 2008.
An EMP may also be a naturally occurring event caused by solar
flares and storms disrupting the Earth's magnetic field. In 1859, a
major solar storm occurred, causing auroral displays and significant
shifts of the Earth's magnetic fields. As a result, telegraphs were
rendered useless and several telegraph stations burned down. The
impacts of that storm were muted because very little electronic
technology existed at the time. Were the storm to happen today,
according to an article in Scientific American, it could ``severely
damage satellites, disable radio communications, and cause continent-
wide electrical black-outs that would require weeks or longer to
recover from.''
Commission staff has no data on how well the bulk power system is
protected against an EMP event, and the existing reliability standards
do not address EMP vulnerabilities. Protecting the electric generation,
transmission, and distribution systems from severe damage due to an EMP
would involve vulnerability assessments at every level of electric
infrastructure. In addition, as the 2004 and 2008 commission reports
point out, the reliable operation of the electric grid requires other
infrastructure systems, such as communications, natural gas pipelines,
and transportation, which would also be affected by an EMP attack or
event.
Question 8. Does FERC maintain any existing authorities that would
allow it to require owners and operators of electric facilities to
harden their equipment to mitigate the effects of an electromagnetic
pulse?
Answer. Section 215 explicitly addresses reliability and
cybersecurity but is not explicit about its applicability to EMP.
Moreover, the process under section 215 typically takes years to return
a standard and there is no assurance that the standard will be
responsive to the commission's directive or adequately address the
threat. As has been described earlier, the commission does not have any
direct authority to require owners and operators of electric facilities
to harden their equipment to mitigate the effects of an EMP attack.
Question 9. Does FERC maintain any existing authorities that would
allow it to require owners and operators of electric facilities to
harden their equipment to mitigate the effects of a cyber attack?
Answer. Although the commission could direct NERC to develop
additional reliability standards to address the threat of a cyber
attack, the process typically takes years to return a standard and
there is no assurance that the standard will be responsive to the
commission's directive or adequately address the threat. As has been
described earlier, the commission does not have any direct authority to
require owners and operators of electric facilities to harden their
equipment to mitigate the effects of a cyber attack.
In January 2008, the commission exercised its authority to approve
cybersecurity standards and approved eight cybersecurity standards in
Order No. 706. However, upon approval, the commission found that the
standards required significant modifications in order to effectively
protect the bulk power system and therefore directed NERC, as the ERO,
to make changes to the approved standards. Although the drafting of
some of those modifications is currently under way through NERC's
standards development process, it is expected to take years before all
of the modifications are filed with the commission for review.
Currently, the eight cybersecurity standards are in various stages of
implementation and are not yet in full effect. For instance, the
standards do not require that many utilities be ``auditably compliant''
until mid-2010.
There is reason for concern about the thoroughness and consistency
with which the electric industry is applying the cybersecurity
standards. In April 2009, NERC's Chief Information Officer sent a
letter to industry (attached) discussing the results of an industry-
wide survey of critical assets. According to NERC's findings, only 31
percent of entities identified at least one critical asset, and only 23
percent identified at least one Critical Cyber Asset. The letter also
stated that only 29 percent of generation owners or operators reported
at least one Critical Asset. The Chief Information Officer questioned
these results and stated that NERC ``will also carry out more detailed
analyses to determine whether it is possible that 73 [percent] of Table
3 and 4 Registered Entities do not possess any assets that, `if
destroyed, degraded, or otherwise rendered unavailable, would affect
the reliability or operability of the Bulk Electric System.' '' The
currently approved reliability standards allow the regulated entities
to self-determine the equipment that is subject to the cybersecurity
standards. If the equipment is not identified, no cyber protection is
required under the standard.
Question 10. What are the key aspects of any piece of legislation
that seeks to secure the electric grid from cyber and physical attack?
Which of the four bills currently being considered in Congress best
addresses these requirements?
Answer. Any legislation that seeks to secure the electric grid from
cyber and physical attack should grant the commission authority,
following a determination by the President or a national security
agency of a vulnerability or threat that endangers national security,
to order such emergency mitigation measures or actions necessary to
protect the Nation's critical electric infrastructure. This authority
should encompass both physical and cybersecurity, as vulnerabilities
and threats to the grid exist in both areas.
Additionally, the commission must have the ability to protect
security-sensitive information from public disclosure. The potential
for publication of sensitive information regarding cyber and physical
threats to the security of the Nation's critical electric
infrastructure weakens the commission's ability to respond to cyber
threats and endangers compliance by private entities concerned about
the sensitivity of information they provide to the commission.
Finally, Congress should consider applying any new legislation to
electric infrastructure that is critical to the safety and security of
the United States, regardless of whether the electric facilities are
excluded from section 215 or included by that section. Currently under
section 215, the commission has no jurisdiction over any electric
infrastructure in Alaska and Hawaii, and lacks jurisdiction over some
transmission, generation, and all distribution facilities in the rest
of the United States.
Currently, H.R. 2195 and S. 946 address many, but not all, of these
issues adequately.
Question 11. H.R. 2195 would provide FERC with authority to rewrite
existing NERC standards if deemed inadequate. How do you envision
exercising this authority?
Answer. H.R. 2195 proposes, inter alia, to direct the commission to
establish, in consultation with the Secretary of Homeland Security,
interim measures that would supplement, replace, or modify
cybersecurity standards that the commission, in consultation with the
Secretary of Homeland Security and other national security agencies,
determines are inadequate to address known cyber vulnerabilities or
threats.
I envision that the commission would use this authority only when
the President or an outside intelligence agency has found that the
security of the Nation is endangered by either a cyber or physical
threat or vulnerability to the Nation's power supply. In these limited
cases, the commission would be able to quickly develop cybersecurity
interim measure that adequately address known vulnerabilities and
threats, enact modifications that the commission previously directed
the ERO to make, and address security issues that the ERO has not yet
reached. The ERO would have the opportunity to develop and propose
standards through its standards development process to replace the
interim measures.
Question 12. Does the current FERC/NERC standards-setting process
(i.e. NERC writes, FERC approves or remands) make sense in a national
security context? Does FERC believe that industry-written standards are
appropriate to protect assets as critical to national security as the
electric system?
Answer. No. The FPA section 215 process is not adequate to protect
against cyber- or physical security vulnerabilities and threats that
endanger national security. The current standards process is too slow,
open, and unpredictable to effectively address threats and
vulnerabilities that endanger national security. In addition, the
jurisdiction conveyed by section 215 to the commission omits major
sections of the Nation's critical electric infrastructure including all
facilities in Alaska and Hawaii, all distribution facilities, and some
transmission and generation including facilities that serve
metropolitan areas such as New York City.
Question 13. How much does compliance with current NERC mandatory
standards cost the average utility? How much do you anticipate the
costs would rise if FERC were given authority to write ``stronger''
standards? How does industry recoup the costs of mandatory standards
today? Would they be able to recoup costs in the future, and if so,
how?
Answer. I do not have specific information regarding the cost to
individual utilities of compliance with NERC standards, and in the
absence of this information, I am unable to predict the additional cost
of compliance, if any, with ``stronger'' standards.
Typically, the costs of compliance with mandatory standards by
entities that qualify as ``public utilities'' under the FPA are
recovered either through filings submitted to the commission pursuant
to section 205 of the FPA or filings made to State utility commissions.
In a Statement of Policy issued September 14, 2001, the commission
provided assurances to regulated entities that the commission ``will
approve applications to recover prudently incurred costs necessary to
further safeguard the reliability and security of our energy supply
infrastructure in response to the heightened state of alert.'' The
commission further stated that ``[c]ompanies may propose a separate
rate recovery mechanism, such as a surcharge to currently existing
rates or some other cost recovery method.'' The commission reiterated
this policy in an April 19, 2004 Statement of Policy on matters related
to bulk power system reliability.
If Congress believes it appropriate, it could include in
legislation a directive to the commission to establish a cost recovery
mechanism for the costs associated with compliance with any commission
order issued pursuant to emergency authority.
Question 14. Should a regulator like FERC provide resources
(funding) to utilities to implement physical and cyber protections?
Answer. Any Federal Government funding of such efforts would be
more appropriately assigned to the Department of Homeland Security or
the Department of Energy. However, a simpler approach could be to allow
the commission to grant cost recovery to the affected entities for any
mitigation measures that it orders.
Question 15. Are procedures in place today that would allow FERC to
issue immediate orders upon receipt of information that a physical or
cyber attack is imminent? What are those procedures, and are they
regularly exercised? (For instance, what could be done to protect the
grid from an imminent geomagnetic event given 15 minutes of warning?)
Could the effects of such an incident actually be mitigated in time?
Answer. No, there are currently no procedures or authorities in
place that would allow the commission to issue orders that address
imminent cyber or physical attacks. The commission does not have
authority to immediately and directly order actions to thwart imminent
physical or cyber attacks. As I have mentioned, under the framework
established by section 215 of the FPA, the commission approves and
enforces mandatory standards that are developed and proposed by a self-
regulatory organization and submitted to the commission. This process
is too slow, open, and unpredictable to address imminent threats to the
power grid that imperil national security.
If such authority did exist, however, it is possible that the
commission could issue an effective order with only 15 minutes warning
if an emergency plan that has already been prepared and practiced is in
place. For example, according to the EMP Commission, an effective
measure to protect large transformers from an EMP event is a resistor
connected in the neutral of the transformer. If such a resistor had
been installed ahead of time, it is conceivable that it could be
switched on within 15 minutes if the utility had enabled remote
operation and provided adequate training and practice drills. For a
cyber threat, an effective order might be to direct the immediate
disconnect of the remote capabilities of targeted facilities if an
adequate plan had been developed along with training and practice
drills.
Question 16. What involvement does FERC have in Smart Grid
development and deployment?
Answer. On July 16, 2009, the commission issued a final Smart Grid
Policy Statement. This policy statement sets priorities to guide the
electric industry in the development of Smart Grid standards for
achieving interoperability and functionality of Smart Grid systems and
devices. It also sets out commission policy for the recovery of costs
by utilities that act early to adopt Smart Grid technologies. The new
policy adopts as a commission priority the early development by
industry of Smart Grid standards that: (1) Ensure the cybersecurity of
the grid; (2) provide two-way communications among regional market
operators, utilities, service providers and consumers; (3) ensure that
power system operators have equipment that allows them to operate
reliably by monitoring their own systems as well as neighboring systems
that affect them; and (4) coordinate the integration into the power
system of emerging technologies such as demand response resources,
electricity storage facilities, and electric transportation systems.
Additionally, commission staff routinely participates in various
National Institute of Standards and Technology efforts concerning Smart
Grid standards, as well as coordinates with the Department of Energy on
its Smart Grid efforts.
Question 17. Does FERC believe that the Energy ISAC is effective in
producing timely and relevant analysis and warnings for the industry?
If not, what measures can be undertaken to improve this capability?
Answer. The ES-ISAC is effective when transmitting system status
information and information regarding operational issues that can
affect other areas or utilities. While this provides some threat
information on technical issues (such as viruses and computer worms)
and certain physical threats (such as surveillance issues and copper
theft threats), it is very limited. However, this system was not
designed and is not operated in order to address vulnerabilities and
threats that endanger national security. As an example, although ES-
ISAC acts as a forum to share information regarding security-related
events that are occurring across the bulk-power system, this forum
cannot preemptively identify the vulnerabilities and threats and does
not develop effective mitigations to address the issues it reports.
Question 18. Do you believe that the Spare Transformer Program has
been successful, and that there are enough spare transformers that
could be put in place to ensure operation of the gird in the event of a
large-scale cyber or EMP event?
Answer. As the commission stated when it issued a declaratory order
about the program, the Spare Transformer Program initiated by the
Edison Electric Institute is a good first step. The program is limited,
however, because it does not cover all voltage classes or step-up
transformers from generating stations, and many utilities do not
participate. For these and other reasons, the program does not have
adequate spares to ensure continued operation of the power grid after a
targeted cyber or large-scale EMP event.
Questions From Chairwoman Yvette D. Clarke of New York for Ms. Patricia
A. Hoffman, Acting Assistant Secretary, Office of Electricity Delivery
and Energy Reliability, Department of Energy
Question 1. What is the current role of the Federal Government in
defending against nation-state or terrorist cyber or physical attacks
against electric facilities? Should the security of the electric grid
rely on voluntary private sector measures? What should the role of the
Federal Government be?
Answer. Response was not received at the time of publication.
Question 2. Does an early detection and warning capability for
cyber and physical threats exist for the electric industry today? Is
this an appropriate role for the Federal Government? What are the
technical and political challenges in creating such a system?
Answer. Response was not received at the time of publication.
Question 3. Who within DOE is charged with protection of the
electric grid from electromagnetic pulse? Who within DOE is charged
with protection of the electric grid from cyber attack?
Answer. Response was not received at the time of publication.
Question 4. What limitations does the term and definition of ``bulk
power system'' have on the security of the electric grid at large?
Assuming we can protect the ``bulk power system'' from attack, will
that be adequate to protect the U.S. electric system? Are all cities
protected? Are facilities in Alaska and Hawaii protected? Are all
generation, transmission, and distribution systems protected?
Answer. Response was not received at the time of publication.
Question 5. Can the electric grid be significantly disrupted
through attacks on assets that are not regulated by FERC (i.e. assets
that do not belong to ``bulk power system'')?
Answer. Response was not received at the time of publication.
Question 6. Does DOE maintain any existing authorities that would
allow it to require owners and operators of electric facilities to
harden their equipment to mitigate the effects of an electromagnetic
pulse?
Answer. Response was not received at the time of publication.
Question 7. Does DOE maintain any existing authorities that would
allow it to require owners and operators of electric facilities to
harden their equipment to mitigate the effects of a cyber attack?
Answer. Response was not received at the time of publication.
Question 8. Does the current FERC/NERC standards-setting process
(i.e. NERC writes, FERC approves or remands) make sense in a national
security context? Does DOE believe that industry-written standards are
appropriate to protect assets as critical to national security as the
electric system?
Answer. Response was not received at the time of publication.
Question 9. The Office of Electricity Delivery and Energy
Reliability received $4.5 billion in the American Recovery and
Reinvestment Act, of which $3.5 billion is for grants for Smart Grid
development. How do you intend on disbursing this grant money? In
reviewing applications for monies, how will DOE determine if
appropriate physical and cyber protections are in place? Will you award
grants to applicants for the purpose of protecting their systems
against physical and cyber attacks?
Answer. Response was not received at the time of publication.
Question 10. Does DOE have a program that would allow for private
or publicly-owned utilities to receive Federal grant monies for
hardening their equipment against an intentional or unintentional
electromagnetic pulse? If not, why not? Should such a program be
created, and, if so, what would appropriate parameters look like?
Answer. Response was not received at the time of publication.
Question 11. Does DOE have a program that would allow for private
or publicly-owned utilities to receive Federal grant monies for
hardening their equipment against an intentional cyber attack? If not,
why not? Should such a program be created, and, if so, what would
appropriate parameters look like?
Answer. Response was not received at the time of publication.
Question 12. When will DOE update its control systems roadmap?
Answer. Response was not received at the time of publication.
Question 13. Has DOE done any analysis on the security of the
electric grid from cyber or physical attack? If so, how secure and
resilient does DOE believe the grid is today?
Answer. Response was not received at the time of publication.
Question 14. Does DOE currently have any authority to perform cyber
or physical vulnerability assessments on private or publicly-owned
electric grid assets?
Answer. Response was not received at the time of publication.
Question 15. Are procedures in place today that would allow DOE to
issue immediate orders upon receipt of information that a physical or
cyber attack is imminent? What are those procedures, and are they
regularly exercised? (For instance, what could be done to protect the
grid from an imminent geomagnetic event given 15 minutes of warning?)
Could the effects of such an incident actually be mitigated in time?
Answer. Response was not received at the time of publication.
Question 16. Does DOE believe that the Energy ISAC is effective in
producing timely and relevant analysis and warnings for the industry?
If not, what measures can be undertaken to improve this capability?
Answer. Response was not received at the time of publication.
Questions From Chairwoman Yvette D. Clarke of New York for Sean P.
McGurk, Director, Control Systems Security Program, National
Cybersecurity Division, Office of Cybersecurity and Communications,
National Protection and Programs Directorate, Department of Homeland
Security
Question 1. What is the role of DHS in securing the electric grid,
and how do you carry out that mission? What programs and policies
exist? How are you resourced?
Answer. Response was not received at the time of publication.
Question 2. What are the largest threats to the electric grid, and
what is DHS doing to mitigate those threats?
Answer. Response was not received at the time of publication.
Question 3. What authorities does DHS have to address cyber and
physical threats to the electric grid?
Answer. Response was not received at the time of publication.
Question 4. Who within DHS is charged with protection of the
electric grid from electromagnetic pulse? Who within DHS is charged
with protection of the electric grid from cyber attack?
Answer. Response was not received at the time of publication.
Question 5. Out of the critical infrastructure and key resource
sectors, what is the criticality of the electric grid?
Answer. Response was not received at the time of publication.
Question 6. Has DHS done any analysis on the security of the
electric grid from cyber or physical attack? If so, how secure and
resilient does DHS believe the grid is today?
Answer. Response was not received at the time of publication.
Question 7. Does DHS currently have any authority to perform cyber
or physical vulnerability assessments on private or publicly-owned
electric grid assets?
Answer. Response was not received at the time of publication.
Question 8. What is the current role of the Federal Government in
defending against nation-state or terrorist cyber or physical attacks
against electric facilities? Should the security of the electric grid
rely on voluntary private sector measures? What should the role of the
Federal Government be?
Answer. Response was not received at the time of publication.
Question 9. Does an early detection and warning capability for
cyber and physical threats exist for the electric industry today? Is
this an appropriate role for the Federal Government? What are the
technical and political challenges in creating such a system?
Answer. Response was not received at the time of publication.
Question 10. Does DHS believe there are shortcomings in FERC
authority to regulate physical and cybersecurity practices throughout
the electric grid?
Answer. Response was not received at the time of publication.
Question 11. What recommendations has DHS ever made to DOE or FERC
regarding electric grid protections, and have those recommendations
been followed?
Answer. Response was not received at the time of publication.
Question 12. Does DHS have a program that would allow for private
or publicly-owned utilities to receive Federal grant monies for
hardening their equipment against an intentional or unintentional
electromagnetic pulse? If not, why not? Should such a program be
created, and, if so, what would appropriate parameters look like?
Answer. Response was not received at the time of publication.
Question 13. Does DHS have a program that would allow for private
or publicly-owned utilities to receive Federal grant monies for
hardening their equipment against an intentional cyber attack? If not,
why not? Should such a program be created, and, if so, what would
appropriate parameters look like?
Answer. Response was not received at the time of publication.
Question 14. Does the current FERC/NERC standards-setting process
(i.e. NERC writes, FERC approves or remands) make sense in a national
security context? Does DHS believe that industry-written security
standards are appropriate to protect assets as critical to national
security as the electric system?
Answer. Response was not received at the time of publication.
Question 15. Does DHS support the grant of authority under HR 2195,
which would provide DHS with authority to assess cyber vulnerabilities
or threats to critical infrastructure, including critical electric
infrastructure and advanced metering infrastructure, on an on-going
basis and produce reports, including recommendations, on a periodic
basis?
Answer. Response was not received at the time of publication.
Question 16. Are procedures in place today that would allow DHS to
issue immediate orders or advisories upon receipt of information that a
physical or cyber attack is imminent? What are those procedures, and
are they regularly exercised? (For instance, what could be done to
protect the grid from an imminent geomagnetic event given 15 minutes of
warning?) Could the effects of such an incident actually be mitigated
in time?
Answer. Response was not received at the time of publication.
�