[Senate Hearing 111-29]
[From the U.S. Government Publishing Office]
S. Hrg. 111-29
CYBER SECURITY
=======================================================================
HEARING
before the
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
TO
RECEIVE TESTIMONY ON A JOINT STAFF DRAFT RELATED TO CYBER SECURITY AND
CRITICAL ELECTRICITY INFRASTRUCTURE
__________
MAY 7, 2009
Printed for the use of the
Committee on Energy and Natural Resources
U.S. GOVERNMENT PRINTING OFFICE
50-179 WASHINGTON : 2009
-----------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�090001
COMMITTEE ON ENERGY AND NATURAL RESOURCES
JEFF BINGAMAN, New Mexico, Chairman
BYRON L. DORGAN, North Dakota LISA MURKOWSKI, Alaska
RON WYDEN, Oregon RICHARD BURR, North Carolina
TIM JOHNSON, South Dakota JOHN BARRASSO, Wyoming
MARY L. LANDRIEU, Louisiana SAM BROWNBACK, Kansas
MARIA CANTWELL, Washington JAMES E. RISCH, Idaho
ROBERT MENENDEZ, New Jersey JOHN McCAIN, Arizona
BLANCHE L. LINCOLN, Arkansas ROBERT F. BENNETT, Utah
BERNARD SANDERS, Vermont JIM BUNNING, Kentucky
EVAN BAYH, Indiana JEFF SESSIONS, Alabama
DEBBIE STABENOW, Michigan BOB CORKER, Tennessee
MARK UDALL, Colorado
JEANNE SHAHEEN, New Hampshire
Robert M. Simon, Staff Director
Sam E. Fowler, Chief Counsel
McKie Campbell, Republican Staff Director
Karen K. Billups, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS
Page
Bingaman, Hon. Jeff, U.S. Senator From New Mexico................ 1
Hoffman, Patricia, Acting Assistant Secretary, Office of
Electricity Delivery and Energy Reliability, Department of
Energy......................................................... 4
McClelland, Joseph, Director, Office of Electric Reliability,
Federal Energy Regulatory Commission........................... 10
Mosher, Allen, Senior Director of Policy Analysis and
Reliability, American Public Power Association................. 21
Owens, David K., Executive Vice President, Business Operations,
Edison Electric Institute...................................... 27
Sergel, Richard P., President and Chief Executive Officer, North
American Electric Reliability Corporation...................... 16
APPENDIX
Responses to additional questions................................ 53
CYBER SECURITY
----------
THURSDAY, MAY 7, 2009
U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The committee met, pursuant to notice, at 10 a.m. in room
SD-366, Dirksen Senate Office Building, Hon. Jeff Bingaman,
chairman, presiding.
OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. SENATOR FROM NEW
MEXICO
The Chairman. Recent newspaper headlines and television
news coverage have highlighted the serious security threats to
the electricity system in the country. The Wall Street Journal
article talked about Soviet and Chinese hackers who may have
left potentially damaging computer viruses in the control
systems of electric utilities.
Just the thought that foreign agents are hacking into our
control systems is obviously alarming and the potential for
damage they could do or, in the case of a conflict would create
a compelling reason to act to prevent that damage.
We recently sponsored a classified briefing for members and
staff on this set of issues. Members of security agencies and
the Department of Energy and the Federal Energy Regulatory
Commission told us about these threats and about the inadequacy
of our government's authority to respond to and prevent these
threats.
Some thought that we had taken sufficient action to protect
against these types of threats when we put into place the
Reliability Protection Structure of section 215 of the Federal
Power Act which we passed in 2005. More recently however, we
have come to believe that these provisions do not provide
sufficient protection against computer attacks. Both the recent
Republican Chairman of the Federal Energy Regulatory
Commission, Joe Kelliher, and the current Democratic Chair, Jon
Wellinghoff, have indicated that they believe they need
stronger authority to deal with cyber threats and
vulnerabilities.
Almost all the witnesses gathered here today agree that we
need some kind of increased Federal authority, although there
is disagreement as to exactly what that authority should look
like and who should exercise it. This hearing is on a bill that
we intend to include in a comprehensive energy bill that the
committee is working on to address these gaps in Federal
authority and to protect against these dangers.
The proposal is fairly simple. It gives the Secretary of
Energy authority to order actions to protect against imminent
threats. When a security agency informs the Secretary that an
action is about to take place, the Secretary is able to order
measures to protect against the attack.
It then goes on to allow FERC to issue rules for longer-
term circumstances that are not immediate threats, but that are
too dangerous to wait for the development of orders through the
extremely cumbersome NERC process. This authority does not
supersede the NERC process. FERC can issue rules that can then
be replaced by rules developed under the NERC process, when
those rules finally are such that the Commission can approve
them.
[The proposal referred to follows:]
Cyber Security Protection
staff draft summary
may 1, 2009
Definitions
Cyber Security Threat means the imminent danger of an act
that disrupts or attempts to disrupt the operation of
electronic devices or communications networks for the control
of critical electric infrastructure.
Cyber Security Vulnerability means a weakness or flaw in the
design or operation of any programmable device or communication
network that exposes critical electric infrastructure to a
cyber security threat.
Authority of the Commission
The Commission must promulgate rules or orders necessary to
protect against cyber security vulnerabilities.
The Commission may issue such rules without prior notice or
hearing if it determines that the rule or order must be
promulgated immediately to protect against a cyber security
vulnerability.
Emergency Authority of the Secretary
If immediate action is necessary to protect against a cyber
security threat, the Secretary may require, by order, with or
without notice, that entities subject to the jurisdiction of
the Commission under this section, take such actions as are
necessary to protect against that threat.
The Secretary is encouraged to consult and coordinate with
appropriate officials in Canada and Mexico.
Duration of Expedited or Emergency Rules or Orders
Rules or orders issued either by the Secretary under Emergency
Authority, or the Commission under Expedited Procedures, remain
effective for no more than 90 days, unless the Commission gives
interested persons an opportunity to submit written comments and the
Commission affirms, repeals or amends the rule or order.
Critical Electric Infrastructure Information
Critical electric infrastructure information is given the same
protection as is contained in the Critical Infrastructure Information
Act of 2002.
______
SEC.__. CRITICAL ELECTRIC INFRASTRUCTURE.
Part II of the Federal Power Act (16 U.S.C. 824 et seq.) is
amended by adding at the end the following:
``SEC. 224. CRITICAL ELECTRIC INFRASTRUCTURE.
``(a) DEFINITIONS.--In this section:
``(1) CRITICAL ELECTRIC INFRASTRUCTURE.--The term
`critical electric infrastructure' means sys tems and
assets, whether physical or virtual, used for the
generation, transmission, or distribution of electric
energy affecting interstate commerce that, as
determined by the Commission or the Secretary (as
appropriate), are so vital to the United States that
the incapacity or destruction of the systems and as
sets would have a debilitating impact on national se
curity, national economic security, or national public
health or safety.
``(2) CRITICAL ELECTRIC INFRASTRUCTURE INFORMATION.--
The term `critical electric infrastruc ture
information' means critical infrastructure infor mation
relating to critical electric infrastructure.
``(3) CRITICAL INFRASTRUCTURE INFORMATION.--The term
`critical infrastructure information' has the meaning
given the term in section 212 of the Critical
Infrastructure Information Act of 2002 (6 U.S.C. 131).
``(4) CYBER SECURITY THREAT.--The term `cyber
security threat' means the imminent danger of an act
that disrupts, attempts to disrupt, or poses a
significant risk of disrupting the operation of pro
grammable electronic devices or communications net
works (including hardware, software, and data) es
sential to the reliable operation of critical electric
in frastructure.
``(5) CYBER SECURITY VULNERABILITY.--The term `cyber
security vulnerability' means a weakness or flaw in the
design or operation of any program mable electronic
device or communication network that exposes critical
electric infrastructure to a cyber security threat.
``(6) SECRETARY.--The term `Secretary' means the
Secretary of Energy.
``(b) AUTHORITY OF COMMISSION.--
``(1) IN GENERAL.--The Commission shall pro mulgate
or issue such rules or orders as are nec essary to
protect critical electric infrastructure from cyber
security vulnerabilities.
``(2) EXPEDITED PROCEDURES.--The Commission may
promulgate or issue a rule or order without prior
notice or hearing if the Commission determines the rule
or order must be promulgated or issued im mediately to
protect critical electric infrastructure from a cyber
security vulnerability.
``(c) EMERGENCY AUTHORITY OF SECRETARY.--
``(1) IN GENERAL.--If the Secretary determines that
immediate action is necessary to protect critical
electric infrastructure from a cyber security threat,
the Secretary may require, by order, with or without
notice, persons subject to the jurisdiction of the
Commission under this section to take such actions as
the Secretary determines will best avert or miti gate
the cyber security threat.
``(2) COORDINATION WITH CANADA AND MEXICO.--In
exercising the authority granted under this subsection,
the Secretary is encouraged to consult and coordinate
with the appropriate officials in Can ada and Mexico
responsible for the protection of cyber security of the
interconnected North American electricity grid.
``(d) DURATION OF EXPEDITED OR EMERGENCY RULES OR ORDERS.--
Any rule or order promulgated or issued by the Commission
without prior notice or hearing under subsection (b)(2) or any
order issued by the Sec retary under subsection (c) shall
remain effective for not more than 90 days unless, during the
90 day-period, the Commission--
``(1) gives interested persons an opportunity to
submit written data, views, or arguments (with or
without opportunity for oral presentation); and
``(2) affirms, amends, or repeals the rule or order.
``(e) JURISDICTION.--
``(1) IN GENERAL.--Notwithstanding section 201, this
section shall apply to any entity that owns, controls,
or operates critical electric infrastructure.
``(2) COVERED ENTITIES.--
``(A) IN GENERAL.--An entity described in
paragraph (1) shall be subject to the jurisdic
tion of the Commission for purposes of--
``(i) carrying out this section; and
``(ii) applying the enforcement
authorities of this Act with respect to
this section.
``(B) JURISDICTION.--This subsection shall
not make an electric utility or any other
entity subject to the jurisdiction of the
Commission for any other purpose.
``(f) PROTECTION OF CRITICAL ELECTRIC INFRASTRUCTURE
INFORMATION.--Section 214 of the Critical Infrastructure
Information Act of 2002 (6 U.S.C. 133) shall apply to critical
electric infrastructure information submitted to the Commission
or the Secretary under this section to the same extent as that
section applies to critical infrastructure information
voluntarily submitted to the Department of Homeland Security
under that Act (6 U.S.C. 131 et seq.).''.
This is obviously an important issue and one that I hope we
are able to deal with as part of an energy bill, and I thank
the witnesses for being here.
Let me go ahead and introduce the witnesses and then we
will hear the testimony.
Patricia Hoffman is Principal Deputy and Acting Assistant
Secretary in the Office of Electricity Delivery and Energy
Reliability at the Department of Energy. She's been here before
our committee recently on other issues as well.
Joseph McClelland is the Director of the Office of Electric
Reliability at FERC and thank you for being here.
Rick Sergel is President and CEO of the North American
Electric Reliability Corporation in Princeton. Thank you for
being here. Allen Mosher is a Senior Director of Policy
Analysis and Reliability with the American Public Power
Association.
David Owens is the Executive Vice President of Business
Operations with Edison Electric Institute. Thank you very much
for being here.
If each of you can take 5 or 6 minutes and give us your
perspective on this set of issues and then we will undoubtedly
have questions.
Ms. Hoffman.
STATEMENT OF PATRICIA HOFFMAN, ACTING ASSISTANT SECRETARY,
OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY,
DEPARTMENT OF ENERGY
Ms. Hoffman. Thank you. Mr. Chairman and members of the
committee. Thank you for this opportunity to testify before you
on cyber security issues facing the electric industry and on
emergency authorities to protect critical electric
infrastructure.
All of us here today share common concerns that
vulnerabilities exist within the electric system and that the
government and private sector must do everything we can to
address it. This is particularly true for Smart Grid systems
which, by their very nature, involve the use of information
technologies in areas and applications on the electric system
where they not have been used before.
The mission of the Office of Electricity Delivery and
Energy Reliability is to lead national efforts to modernize the
electric grid, to enhance the security and reliability of the
energy infrastructure, and to facilitate recovery from
disruptions to the energy supply. To accomplish this mission,
the Office focuses on long-term system requirements through our
research investments in the electric delivery system and near-
term energy vulnerability assessments and disaster recovery.
Our efforts to enhance the cyber security of the energy
infrastructure have produced results in five areas. We have
identified cyber vulnerabilities in energy control systems and
worked with vendors to develop hardened systems that mitigate
the risks. We have developed more secure communication methods
between energy control systems and field devices. We have
developed tools and methods to help utilities assess their
security posture. We have developed modeling and simulation
capabilities to estimate the effects of cyber attacks on the
power grid. Finally, we have provided extensive cyber security
training for the energy asset owners and operators to help them
prevent, detect, and mitigate cyber penetration.
In 2005, the Department worked closely with asset owners
and operators in the oil, gas, and electric sectors to develop
a roadmap to secure control systems in the energy sector. The
roadmap is a detailed, prioritized plan for cyber security
improvements over the next 10 years including best practices,
new technologies, and risk management. The Roadmap vision is
that control systems for critical applications will be
designed, installed, and operated to maintain and survive an
intentional cyber assault with no loss of critical function.
Efforts at the national labs are producing results that
industry can use today to enhance the security of their control
systems. For example, Sandia National Laboratories developed an
Advanced Network Toolkit For Assessments and Remote Mapping
which aids utility owners in mapping access points to allow
easy visualization of their control system networks, an
important critical step in meeting the North American Electric
Reliability Corporation's critical infrastructure protection
standard. Through the Department's National Supervisory Control
and Data Acquisition Test Bed program, we have assessed 90
percent of the current market offerings of SCADA and energy
management systems in the electric sector and 80 percent of the
current market offerings in the oil and gas sector. Twenty test
bed and offsite assessments of control systems from vendors
have led to the development of 11 hardened control system
designs with 31 of these systems now deployed in the
marketplace.
The national labs also educate end-users on cyber security
best practices and implementing methods to better manage
control system risks. For example, the Idaho National
Laboratory has released a common vulnerabilities report. This
report represents the steadily growing understanding of control
system security issues and methods for mitigating current and
emerging vulnerabilities. This effort is expanding to new
technologies; such as substation automation and the Smart Grid,
as the program seeks a continuing understanding of the systems
being planned for and developed for the energy sector critical
infrastructure.
The Department is also working to implement Smart Grid
Investment Grand and Demonstration Programs under the American
Recovery and Reinvestment Act of 2009. These programs are
authorized under title 13 of the Energy Independence and
Security Act of 2007 for the Smart Grid. We are hoping to
implement these programs in a responsible manner and the
request for proposals for Smart Grid projects will include
requirements that each applicant will thoroughly and
systematically address all cyber security risks to their
systems.
A key component of the Smart Grid is the Advanced Metering
Infrastructure, or AMI. AMI requires two-way communications
between utilities and the end-users. Over the last 10 months,
DOE has been partnering with the AMI Security Task Force under
the Utility Communications Architecture International Users
Group. This task force is comprised of utilities, security
domain experts, standard body representatives, and industry
vendors.
On March 10, 2009, the task force published the AMI
security requirements which provides critical guidance for
vendors and utilities to design and procure secure, reliable
AMI systems. Because of the success of this industry-government
collaboration, the Department is working with the task force to
expand the activity and develop a suite of security
requirements for all critical Smart Grid applications. The
National Institute of Standards and Technology is responsible
for developing a framework for interoperability standards
development for the Smart Grid. These standards will be
submitted to the Federal Energy Regulatory Commission for
rulemaking.
The Department views the development of interoperability
standards that includes appropriate cyber security protections
as one of the key milestones toward realizing the goal of
widespread implementation of Smart Grid technologies, tools,
and techniques.
With regard to protecting the electric grid from newly
discovered vulnerabilities, the Department does not have a
position on the Draft Joint Cyber Security Text. The Department
does provide the following technical comment: All
vulnerabilities must be thoroughly evaluated on a scientific
basis to determine the impact and risk to the Nation in the
event the vulnerability was to be exploited. Any decision to
act or to issue an order by the government must be based on
sound risk management principles and judgment, considering the
characteristics of the vulnerability, the capabilities of the
threat, the likelihood of attack, the consequences to the
Nation should the vulnerability be exploited, and the cost of
mitigation.
This concludes my statement, Mr. Chairman, and thank you
for the opportunity to speak. I look forward to answering any
questions you and your colleagues may have.
[The prepared statement of Ms. Hoffman follows:]
Prepared Statement of Patricia Hoffman, Acting Assistant Secretary,
Office of Electricity Delivery and Energy Reliability, Department of
Energy
Mr. Chairman and members of the Committee, thank you for this
opportunity to testify before you on the cyber security issues facing
the electric industry and on emergency authorities to protect critical
electric infrastructure. All of us here today share a common concern
that vulnerabilities exist within the electric system and that the
government and the private sector must do everything we can to address
it. This is particularly true for smart grid systems, which by their
very nature involve the use of information technologies in areas and
applications on the electric system where they have not been used
before. With the funding provided for smart grid activities in the
American Recovery and Reinvestment Act of 2009, the Department will be
expanding our partnership with industry to advance the smart grid while
maintaining security of smart grid devices and systems.
A smart grid uses information technology to improve the
reliability, availability, and efficiency of the electric system. With
smart grid, information technologies are being applied to electric grid
applications including devices at the consumer level through the
transmission level to make our electric system more responsive and more
flexible.
To be clear, the smart grid is both a means to enhancing grid
security as well as a potential vulnerability.
Enhanced grid functionality enables multiple devices to interact
with one another via a communications network. These interactions make
it easier and more cost effective, in principal, for a variety of clean
energy alternatives to be integrated with electric system planning and
operations, as well as for improvements in the speed and efficacy of
grid operations to boost electric reliability and the overall security
and resiliency of the grid. The communications network, and the
potential for it to enhance grid operational efficiency and bring new
clean energy into the system, is one of the distinguishing features of
the smart grid compared to the existing system.
For example, Wide Area Measurement Systems (WAMS) technology is
based on obtaining high-resolution power system measurements (e.g.,
voltage) from sensors that are dispersed over wide areas of the grid.
The data is synchronized with timing signals from Global Positioning
System (GPS) satellites. The real-time information available from WAMS
allows operators to detect and mitigate a disturbance before it can
spread and enables greater utilization of the grid by operating it
closer to its limits while maintaining reliability. When Hurricane
Gustav came ashore in Louisiana in September 2008, an electrical island
was formed in an area of Entergy's service territory. Entergy used the
phasor measurement system to detect this island, and the phasor
measurement units (PMU) in the island to balance generation and load
for some 33 hours before surrounding power was restored.
The Department understands that the smart grid will be more complex
than today's grid, with exponentially more access points, both virtual
and physical through smart grid devices and without proper controls in
place these factors could result in increasing the electric sector's
vulnerabilities.
DEPARTMENT OF ENERGY ACTIVITIES
The mission of the Office of Electricity Delivery and Energy
Reliability is to lead national efforts to modernize the electric grid,
to enhance the security and reliability of the energy infrastructure,
and to facilitate recovery from disruptions to the energy supply. To
accomplish this mission, the Office focuses on long-term system
requirements through our research investments in the electricity
delivery system and near-term energy vulnerability assessments/disaster
recovery. Our efforts to enhance the cyber security of the energy
infrastructure have produced results in five areas. We have--
Identified cyber vulnerabilities in energy control systems
and worked with vendors to develop hardened systems that
mitigate the risks
Developed more secure communications methods between energy
control systems and field devices
Developed tools and methods to help utilities assess their
security posture
Developed a modeling and simulation capability to estimate
the effects of cyber attacks on the power grid
Provided extensive cyber security training for energy owners
and operators to help them prevent, detect, and mitigate cyber
penetration.
In 2005, the Department (in collaboration with the Department of
Homeland Security and Natural Resources-Canada) worked directly with
asset owners and operators in the oil, gas, and electricity sectors to
develop the Roadmap to Secure Control Systems in the Energy Sector--a
detailed, prioritized plan for cyber security improvements over the
next 10 years, including best practices, new technology, and risk
assessment. The Roadmap vision states that in 10 years, controls
systems for critical applications will be designed, installed,
operated, and maintained to survive an intentional cyber assault with
no loss of critical function. Industry representatives defined goals,
milestones, and priorities to guide the industry toward this vision.
As a result, the Department was one of the first research
organizations to align its cyber security research activities with the
Roadmap goals and vision. The Institute for Information Infrastructure
Protection (I3P) is working to develop several technologies that
address Roadmap goals including security metrics and trusted devices.
The Trusted Cyber Infrastructure for the Power Grid (TCIP) (a
collaboration of universities led by the University of Illinois at
Champaign-Urbana working with energy sector asset-owners and operators
and vendors with funding from NSF, DOE, and DHS) is also conducting
extensive cyber security research that aligns with the Roadmap goals.
In addition, there are over 50 other public and private organizations
working on projects that directly address the challenges identified in
the Roadmap.
Efforts at the national labs are also producing results that
industry can use today to enhance the security of their control
systems. For example, Sandia National Laboratories developed the
Advanced Network Toolkit for Assessments and Remote Mapping, or
ANTFARM. This tool aids energy utility owners in mapping critical cyber
assets and access points to allow easy visualization of their control
system networks-a critical step in meeting the North American Electric
Reliability Corporation's Critical Infrastructure Protection (NERC CIP)
standards. Released in August 2008. The toolkit is open source and
available online for free.
Through the Department's National Supervisory Control and Data
Acquisition (SCADA) Test Bed program, we have assessed 90% of the
current market offering of SCADA and energy management systems (EMS) in
the electric sector, and 80% of the current market offering in the oil
and gas sector. Twenty test bed and on-site field assessments of
control systems from vendors including ABB, Areva, GE, OSI, Siemens,
Telvent, and others, have led them to develop 11 hardened control
system designs with thirty-one of these systems now deployed in the
marketplace. Vendors also have released several software patches to
better secure legacy systems. The National SCADA Test Bed (NSTB) is a
state-of-the-art national resource designed to aid government and
industry in securing their control systems through vulnerability
assessments, focused research and development (R&D) efforts, and
outreach. Over the years the Department has expanded its investments in
the NSTB and today it includes the resources and capabilities of five
national laboratories (Idaho National Engineering Laboratory, Sandia
National Laboratory, Pacific Northwest National Laboratory, Oak Ridge
National Laboratory, and Argonne National Laboratory) as well as many
cost-shared projects with the private sector.
The national labs also educate end-users on cyber security best
practices and implementing methods to better manage control systems
risk. For example, the Idaho National Laboratory has released on an
annual basis a ``Common Vulnerabilities'' report. Using results from
assessments performed from 2003 to 2007, the November 2008 document
represents a steadily growing understanding of control system security
issues and methods for mitigating current and emerging vulnerabilities.
This effort is expanding to new technologies, such as substation
automation and Smart Grid, as the program seeks a continuing
understanding of the systems being planned for and deployed in the
energy sector critical infrastructure.
The Department, through a work-for-others agreement with the Idaho
National Laboratory, is also working with a major vendor of smart
meters to conduct a cyber security assessment of their device. The
primary motivation for this work was driven by the utilities--end-users
of the product.
The Department has also funded several research and development
projects with the private sector. The Bandolier project, led by Digital
Bond, is developing security audit files, which are incorporated into a
utility's existing network scanners and used to audit the control
system's security settings against an optimal security configuration.
Given that large control systems can have over 1000 security settings,
Bandolier can help a utility enhance its security posture while saving
time and money at the same time. Audit files are now available for
Siemens, Telvent, and ABB. Digital Bond has made its product available
for a nominal subscriber fee on its website.
The Hallmark project, led by Schweitzer Engineering Laboratories
(SEL), is another DOE-supported research and development project. SEL
is working to commercialize the Secure SCADA Communications Protocol
originally developed by Pacific Northwest National Laboratory. The
technology will enable utilities to secure critical data communications
links between remote substations and control centers and is scheduled
to be launched in the next few months.
To track progress on implementation the Department designed a
unique online collaborative tool--the interactive energy Roadmap
(ieRoadmap)--which can be found online at
www.controlsystemsroadmap.net. Public-and private-sector researchers
self-populate the online database with project information and map
their efforts to specific challenges and priorities identified in the
Roadmap. The website has become a vital resource for news, information
sharing, and collaboration.
Looking ahead, the Department also participates in multi-agency
information-sharing forums such as the Networking and Information
Technology Research and Development (NITRD) program, which is the
primary mechanism for government to coordinate unclassified networking
and information technology research and development investments.
Thirteen Federal agencies are formal members (including DOE) of the
NITRD Program.
Also in the long-term, the Department seeks to alter the very
nature of cyber security. During the past two years, the Department's
Office of Science has brought together a growing community of cyber
security professionals and researchers from the laboratories, private
industry, academia, and other government agencies to assess the state
of cyber security in general and within the Department specifically.
These experts concluded that the current approach to addressing cyber
security problems is reactive and the Department should develop a long-
term strategy that goes beyond stopping traditional threats to
rendering both traditional and new threats harmless.
In December 2008, the Department released the findings of this
group in ``A Scientific Approach R&D Approach to Cyber Security,''
which outlines a set of opportunities to introduce anticipation and
evasion capabilities to platforms and networks, data systems to
actively contribute to their control and protection, and platform
architectures that operate with integrity despite the presence of
untrusted components. This approach could not only provide new, game-
changing capabilities to the Department, but could also be directly
applied to other agencies, industry, and society.
SMART GRID
The American Recovery and Reinvestment Act of 2009 appropriated
$4.5 billion in funds for electricity delivery and energy reliability
activities to modernize the electric grid, to include demand responsive
equipment, enhance security and reliability of the energy
infrastructure, energy storage, facilitate recovery from disruptions,
and for implementation of programs authorized under Title XIII of the
Energy Independence and Security Act of 2007 (Smart Grid).
The Department is working to implement these new program activities
in a responsible manner and the request for proposals for these
activities will include requirements that each applicant thoroughly and
systematically addresses all cyber security risks to the system.
A key application of the smart grid is Advanced Metering
Infrastructure (AMI). AMI requires two-way communication between the
utility and the end-user. Over the last 10 months, DOE has partnered
with the AMI Security (AMI-SEC) Task Force organized under the UCA
International User's Group. The Task Force is comprised of utilities,
security domain experts, standards body representatives and industry
vendors. On March 10, 2009, the Task Force published the AMI System
Security Requirements, which provides critical guidance for vendors and
utilities to help design and procure secure and reliable AMI systems.
Because of the success of this industry-government collaboration, the
Department is working with the Task Force to expand the activity to
develop a suite of security requirements for all critical Smart Grid
applications.
The National Institute of Standards and Technology (NIST) is
responsible for developing the framework for interoperability standards
development for the smart grid. The Federal Energy Regulatory
Commission (FERC) has authority for issuing standards for rulemaking.
The Department views the development of interoperability standards
that include appropriate cyber security protections as one of the key
milestones toward realizing the goal of widespread implementation of
smart grid technologies, tools, and techniques. DOE-NIST-FERC
coordination on these standards has been ongoing for more than a year
through the Federal Smart Grid Task Force, an EISA-mandated group that
meets monthly and involves agencies from across the Federal government,
including EPA, USDA, DHS, and DOD.
Recent progress on two key activities demonstrates the efficacy of
the coordination effort: (1) Development of the Interoperability
Standards Roadmap under the leadership of NIST, and (2) Development of
a policy statement on interoperability standards under the leadership
of FERC. These activities are critical for the Department in the
selection of meritorious projects under the Smart Grid Investment
Grants Program and the Smart Grid Regional Demonstration Program as the
quality of the approaches for addressing interoperability and cyber
security will be important evaluation criteria.
With regard to protecting the electric grid from newly discovered
vulnerabilities, the Department does not have a position on the Draft
Joint Staff Cybersecurity Text. The Department does provide the
following technical comment:
All vulnerabilities must be thoroughly evaluated on a
scientific basis to determine the impact and risk to the nation
in the event the vulnerability were to be exploited. Any
decision to act or issue an order by the government must be
based on sound risk management principals and judgment
considering the characteristics of the vulnerability, the
capabilities of the threat, likelihood of attack, the
consequences to the nation should the vulnerability be
exploited, and the cost of mitigation.
This concludes my statement, Mr. Chairman. Thank you for the
opportunity to speak, and I look forward to answering any questions you
and your colleagues may have.
The Chairman. Thank you very much.
Mr. McClelland.
STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC
RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION
Mr. McClelland. Mr. Chairman and members of the committee,
thank you for the invitation to appear before you today to
discuss the cyber security of the electric grid.
My name is Joe McClelland and I am the Director of the
Office of Electric Reliability at the Federal Energy Regulatory
Commission. I am here today as a Commission staff witness and
my remarks do not necessarily represent the views of the
Commission or any individual commissioner.
Although new section 215 of the Federal Power Act has
provided an adequate foundation for the development of
reliability standards to date, the threat of cyber attacks or
other intentional malicious acts against the electric grid is
very different. These threats can endanger national security
and they may be posed by foreign nations or others intent on
attacking the United States through the electric grid.
Widespread disruption of electric service could quickly
undermine the U.S. Government, its military, and the economy,
as well as endanger the health and safety of millions of our
citizens.
Given the national security dimension to this threat, there
may be a need to act quickly to protect the grid and to act in
a manner where action is mandatory, rather than voluntary, and
to protect certain information from public disclosure. Faced
with the cyber or other national threat to reliability, there
may be a need to act decisively in hours or days, rather than
weeks, months, or years.
The Commission's legal authority is inadequate for such
action, as it is required to depend upon the Electric
Reliability Organization, or ERO, to develop and propose
standards to address cyber security issues. The process
employed by the ERO typically takes years to develop the
standard, is open to public review, and may not be necessarily
responsive to the Commission's directives. This is true of both
cyber and non-cyber threats that pose national security
concerns.
In the case of such threats to the electric system, the
Commission does not have timely, confidential, or direct
authority to protect the reliability of the system. As a
result, I believe legislation is needed. Any new legislation
should address several key concerns.
First, the legislation should allow the Commission to take
action before a cyber or other national security incident has
occurred. Second, any legislation should allow the Commission
to maintain the appropriate confidentiality of any security-
sensitive information submitted or developed through the
exercise of this authority.
Third, it is important that Congress be aware that if
additional reliability authority is limited to the ``bulk power
system'', as defined in the Federal Power Act, it would exclude
protection against attacks involving Alaska and Hawaii and
possibly the territories, including any Federal installations
located therein. In addition, the current interpretation of
bulk power system also would exclude some transmission and all
local distribution facilities, including virtually all of the
grid facilities in large cities such as New York City; thus
precluding possible Commission action in these population
centers.
Finally, legislation should not only address cyber security
threats, but also other national security threats to
reliability.
The Joint Staff favors one approach that would largely
rectify the inadequacies in existing Federal authority to
address cyber threats to the electric grid. It gives the
Commission authority to issue rules or orders that are
necessary to protect critical electric infrastructure and thus
allow the Commission to act to protect against damage to the
grid.
I will briefly point out a few concerns with the joint
staff draft. While the draft bill addresses the protection of
critical infrastructure information, it could be construed to
provide protection only for information voluntarily submitted
to the Commission or the Secretary. It does not address other
information, such as that which may be compelled or developed
by the Commission or the Secretary, or information that would
be included in orders issued by either agency. Therefore, I
recommend that the language be amended to address these issues.
I also recommend that the legislation address not only
cyber security threats, but other national security threats to
reliability. Potential physical acts against the grid can cause
equal or greater destruction than cyber attacks and the Federal
Government should have no less ability to act to protect
against such damage.
Finally, Congress should be aware that if additional
liability authority is limited to the areas within the
Commission's jurisdiction under section 215 of the Federal
Power Act, it would exclude protection against reliability
threats in Alaska, Hawaii, and possibly the territories. Again,
including any Federal installations located therein as well as
major population areas such as New York City.
Thank you again for the opportunity to testify today and I
would be happy to answer any questions they you may have.
[The prepared statement of Mr. McClelland follows:]
Prepared Statement of Joseph McClelland, Director, Office of Electric
Reliability, Federal Energy Regulatory Commission
Mr. Chairman and Members of the Committee:
Thank you for this opportunity to appear before you to discuss the
cyber security of the electric grid. My name is Joseph McClelland. I am
the Director of the Office of Electric Reliability (OER) of the Federal
Energy Regulatory Commission (FERC or Commission). The Commission's
role with respect to reliability is to help protect and improve the
reliability of the Nation's bulk-power system through effective
regulatory oversight as established in the Energy Policy Act of 2005. I
am here today as a Commission staff witness and my remarks do not
necessarily represent the views of the Commission or any individual
Commissioner.
My testimony summarizes the Commission's oversight of the
reliability of the electric grid in the area of security, some of the
Commission's actions to implement section 215 of the Federal Power Act,
and some of the limitations in the Commission's authority. The
Commission does not have sufficient authority to provide effective
protection of the grid against cyber attacks or other security threats
to reliability. As will be explained in more detail later, this is
primarily due to three factors regarding the development of reliability
standards under section 215; lack of timeliness, lack of ability to
protect security-sensitive information, and lack of ability to control
the content of proposed cybersecurity standards. Therefore, legislation
is needed and my testimony discusses the key elements that should be
included in any new legislation in this area.
BACKGROUND
In the Energy Policy Act of 2005 (EPAct 2005), the Congress
entrusted the Commission with a major new responsibility to oversee
mandatory, enforceable reliability standards for the Nation's bulk
power system (excluding Alaska and Hawaii). This authority is in
section 215 of the Federal Power Act. Section 215 requires the
Commission to select an Electric Reliability Organization (ERO) that is
responsible for proposing, for Commission review and approval,
reliability standards or modifications to existing reliability
standards to help protect and improve the reliability of the Nation's
bulk power system. The reliability standards apply to the users, owners
and operators of the bulk power system and become mandatory only after
Commission approval. The ERO also is authorized to impose, after notice
and opportunity for a hearing, penalties for violations of the
reliability standards, subject to Commission review and approval. The
ERO may delegate certain responsibilities to ``Regional Entities,''
subject to Commission approval.
The Commission may approve proposed reliability standards or
modifications to previously approved standards if it finds them ``just,
reasonable, not unduly discriminatory or preferential, and in the
public interest.'' The Commission does not have authority to modify
proposed standards. Rather, if the Commission disapproves a proposed
standard or modification, section 215 requires the Commission to remand
it to the ERO for further consideration. The Commission, upon its own
motion or upon complaint, may direct the ERO to submit a proposed
standard or modification on a specific matter. The Commission however,
does not have the authority to modify or author a standard but must
depend upon the ERO to do so.
The Commission has implemented section 215 diligently. Within 180
days of enactment, the Commission adopted rules governing the
reliability program. In mid-2006, it approved the North American
Electric Reliability Corporation (NERC) as the ERO. In March 2007, the
Commission approved the first set of national mandatory and enforceable
reliability standards. In April 2007, it approved eight regional
delegation agreements to provide for development of new or modified
standards and enforcement of approved standards by Regional Entities.
In exercising its new authority, the Commission has interacted
extensively with NERC and the industry. The Commission also has
coordinated with other federal agencies, such as the Department of
Homeland Security, the Department of Energy, the Nuclear Regulatory
Commission, and the Department of Defense. Also, the Commission has
established regular communications and meetings with regulators from
Canada and Mexico regarding reliability, since the North American bulk
power system is an interconnected continental system subject to the
varied regulatory regimes of three nations.
CYBER SECURITY STANDARDS APPROVED UNDER SECTION 215
An important part of the Commission's responsibility to oversee the
development of reliability standards involves cyber security. Section
215 defines ``reliability standard[s]'' as including requirements for
the ``reliable operation'' of the bulk power system including
``cybersecurity protection.'' Section 215 defines reliable operation to
mean operating the elements of the bulk power system within certain
limits so instability, uncontrolled separation, or cascading failures
will not occur ``as a result of a sudden disturbance, including a
cybersecurity incident.''
Section 215 also defines a ``cybersecurity incident'' as a
``malicious act or suspicious event that disrupts, or was an attempt to
disrupt, the operation of those programmable electronic devices and
communication networks including hardware, software and data that are
essential to the reliable operation of the bulk power system.''
In August 2006, NERC submitted eight proposed cyber security
standards, known as the Critical Infrastructure Protection (CIP)
standards, to the Commission for approval under section 215. Each of
these standards contains layers of multiple requirements. Critical
infrastructure, as defined by NERC for purposes of the CIP standards,
includes facilities, systems, and equipment which, if destroyed,
degraded, or otherwise rendered unavailable, would affect the
reliability or operability of the ``Bulk Electric System.'' NERC
proposed an implementation plan under which certain requirements would
be ``auditably compliant'' beginning by mid-2009, and full compliance
with the CIP standards would not be mandatory until 2010.
On January 18, 2008, after issuing both a staff preliminary
assessment and notice of proposed rulemaking, the Commission issued a
Final Rule approving the CIP Reliability Standards and concurrently
directed NERC to develop significant modifications addressing specific
concerns, such as the breadth of discretion left to utilities by the
standards. For example, the standards state that utilities ``should
interpret and apply the reliability standard[s] using reasonable
business judgment.'' Similarly, the standards at times require certain
steps ``where technically feasible,'' but this is defined as not
requiring the utility ``to replace any equipment in order to achieve
compliance.'' Also, the standards would allow a utility at times not to
take certain action if the utility documents its ``acceptance of risk''
that might be placed on the bulk-power system. To address this, the
Final Rule directed NERC, among other things: (1) to develop
modifications to remove the ``reasonable business judgment'' language
and the ``acceptance of risk'' exceptions; and, (2) to develop specific
conditions that a responsible entity must satisfy to invoke the
``technical feasibility'' exception. NERC and the industry are working
on proposed modifications to address these two issues. However, until
such time as the standards are modified by the ERO through its
stakeholder process, approved by the Commission, and implemented by
industry, the discretion remains and critical facilities will be left
unprotected.
A good example of the discretion implicit in the existing cyber
security standards involves the utility's ability to determine which of
its facilities would be subject to them. In the Final Rule, the
Commission addressed its concerns by requiring independent oversight of
a utility's decisions by industry entities with a ``wide-area view,''
such as reliability coordinators or the Regional Entities, subject to
the review of the Commission. This revision to the standards is subject
to approval by the affected stakeholders in the standards development
process and therefore has not yet been presented to the Commission.
NERC recently conducted a survey on this issue which seems to validate
the Commission's concern and original directives by demonstrating that
a significant percentage of owners and operators do not believe they
own or operate critical cyber assets. For example, NERC stated that
only 29% of generation owners and generation operators reported at
least one critical asset, though it is unclear from NERC's data what
portion of the Nation's generation capacity that 29% represents, or
what portion the designated critical assets represent. Thus, it is not
clear, even today, what percentage of critical assets and their
associated critical cyber assets has been identified. It is clear,
however, that this issue is serious and represents a significant gap in
cybersecurity protection.
CURRENT PROCESS TO ADDRESS CYBER OR OTHER NATIONAL SECURITY THREATS
TO RELIABILITY
As an initial matter, it is important to recognize how mandatory
reliability standards are established under section 215. Under section
215, reliability standards are developed by the ERO through an open,
inclusive, and public process. The Commission can direct NERC to
develop a reliability standard to address a particular reliability
matter, including cyber security threats or vulnerabilities. However,
the NERC process typically takes years to develop standards for the
Commission's review. In fact, the cyber security standards approved by
FERC took the industry approximately three years to develop.
NERC's procedures for developing standards allow extensive
opportunity for industry comment, are open, and are generally based on
the procedures of the American National Standards Institute. The NERC
process is intended to develop consensus on both the need for the
standard and on the substance of the proposed standard. Although
inclusive, the process is relatively slow, cumbersome and unpredictable
regarding its responsiveness to the Commission's directives.
Key steps in the NERC process include: nomination of a proposed
standard using a Standard Authorization Request (SAR); public posting
of the SAR for comment; review of the comments by industry volunteers;
drafting or redrafting of the standard by a team of industry
volunteers; public posting of the draft standard; field testing of the
draft standard, if appropriate; formal balloting of the draft standard,
with approval requiring a quorum of votes by 75 percent of the ballot
pool and affirmative votes by two-thirds of the weighted industry
sector votes; re-balloting, if negative votes are supported by specific
comments; approval by NERC's board of trustees; and an appeals
mechanism to resolve any complaints about the standards process. NERC-
approved standards are then submitted to the Commission for its review.
This standards development process requires public disclosure regarding
the reason for the proposed standard, the manner in which the standard
will address the issues at-hand, and any subsequent comments and
resulting modifications in the standards as the affected stakeholders
review the material and provide comments.
Generally, the procedures used by NERC are appropriate for
developing and approving reliability standards. The process allows
extensive opportunities for industry and public comment. The public
nature of the reliability standards development process can be a
strength of the process as it relates to most reliability standards.
However, it can be an impediment when measures or actions need to be
taken to address threats to national security quickly, effectively and
in a manner that protects against the disclosure of security-sensitive
information.
The procedures used under section 215 for the development and
approval of reliability standards do not provide an effective and
timely means of addressing urgent cyber or other national security
risks to the bulk power system, particularly in emergency situations.
Certain circumstances, such as those involving national security, may
require immediate action. If a significant vulnerability in the bulk
power system is identified, procedures used so far for adoption of
reliability standards take too long to implement effective corrective
steps.
FERC rules governing review and establishment of reliability
standards allow the agency to direct the ERO to develop and propose
reliability standards under an expedited schedule. For example, FERC
could order the ERO to submit a reliability standard to address a
reliability vulnerability within 60 days. Also, NERC's rules of
procedure include a provision for approval of ``urgent action''
standards that can be completed within 60 days and which may be further
expedited by a written finding by the NERC board of trustees that an
extraordinary and immediate threat exists to bulk power system
reliability or national security. However, it is not clear NERC could
meet this schedule in practice. Moreover, faced with a cyber security
or other national security threat to reliability, there may be a need
to act decisively in hours or days, rather than weeks, months or years.
That would not be feasible even under the urgent action process. In the
meantime, the bulk power system would be left vulnerable to a known
national security threat. Moreover, existing procedures, including the
urgent action procedure, would widely publicize both the vulnerability
and the proposed solutions, thus increasing the risk of hostile actions
before the appropriate solutions are implemented.
In addition, the proposed standard submitted to the Commission may
not be sufficient to address the vulnerability or threat. As noted
above, when a proposed reliability standard is submitted to FERC for
its review, whether submitted under the urgent action provisions or the
usual process, the agency cannot modify such standard and must either
approve or remand it. Since the Commission may not modify a proposed
reliability standard under section 215, it would have the choice of
approving an inadequate standard and directing changes, which
reinitiates a process that can take years, or rejecting the standard
altogether. Under either approach, the bulk power system would remain
vulnerable for a prolonged period.
Finally, the open and inclusive process required for standards
development is not consistent with the need to contain security-
sensitive information. For instance, a SAR would normally detail the
need for the standard as well as the proposed mitigation to address the
issue. Subsequent drafts of the standard would consider how effectively
it addresses the cyber security matters and what objections or
revisions are proposed by the stakeholders resulting in a final version
that would be filed with the Commission for review. Potential
adversaries would have the ability to monitor these developments and
alter their actions as necessary to preserve an effective attack
vector.
NERC'S ``AURORA'' ADVISORY AND SUBSEQUENT ACTIONS
Currently, the alternative to a mandatory reliability standard is
for NERC to issue an advisory encouraging utilities and others to take
voluntary action to guard against cyber or other vulnerabilities. That
approach provides for quicker action, but any such advisory is not
mandatory, and should be expected to produce inconsistent and
potentially ineffective responses. That was the Commission's experience
with the response to an advisory issued in 2007 by NERC regarding an
identified cyber security threat referred to as the ``Aurora'' threat.
While NERC can issue an alert, as it did in response to the Aurora
vulnerability, compliance with these alerts is voluntary and subject to
the interpretation of the individual utilities. Also, an alert can be
general in nature and lack specificity. For example, as Commission
staff has found with the Aurora alert, such alerts can cause
uncertainty about the specific strategies needed to mitigate the
identified vulnerabilities and the assets to which they apply. Reliance
on voluntary measures to assure national security is fundamentally
inconsistent with the conclusion Congress reached during enactment of
EPAct 2005, that voluntary standards cannot assure reliability of the
bulk power system.
Damage from cyber attacks could be enormous. All of the electric
system is potentially subject to cyber attack, including power plants,
substations, transmission lines, and local distribution lines. A
coordinated attack could affect the electrical grid to a greater extent
than the August 2003 blackout and cause much more extensive damage.
Cyber attacks can physically damage the generating facilities and other
equipment such that restoration of power takes weeks or longer, instead
of a few hours or days. The harm could extend not only to the economy
and the health and welfare of our citizens, but even to the ability of
our military forces to defend us, since many military installations
rely on the bulk power system for their electricity. In fact, a recent
Defense Science Board report concluded that ``critical missions at
military installations are vulnerable to loss from commercial power
outage and inadequate backup power supplies.''\1\ The cost of
protecting against cyber attacks is difficult to estimate but,
undoubtedly, is much less than the damages and disruptions that could
be incurred if we do not protect against them.\2\
---------------------------------------------------------------------------
\1\ Report of the Defense Science Board Task Force on DoD Energy
Strategy ``More Fight--Less Fuel'', February 2008.
\2\ As an example, the US Canada Joint Task Force on the August
2003 Blackout concluded that the outage that affected over 50,000,000
citizens and was estimated to cost between $4 and $10 billion dollars
in the United States.
---------------------------------------------------------------------------
The need for vigilance may increase as new technologies are added
to the bulk power system. For example, ``smart grid'' technology will
provide significant benefits in the use of electricity. These include
the promised ability to manage not only energy sources but also energy
consumption. However, a smarter grid would permit two-way communication
between the electric system and a much larger number of devices located
outside of controlled utility environments, which will introduce many
potential access points. To some degree, this is similar to the banking
industry allowing its customers to bank on line, but only with
appropriate security protections in place. Security features must be an
integral consideration, as the Commission stated in a recent proposed
policy statement on smart grid. As the ``smart grid'' effort moves
forward, steps will need to be taken to ensure that cyber security
protections are in place prior to its implementation. The challenge
will be to focus not only on general approaches but, importantly, on
the details of specific technologies and the risks they may present.
KEY ELEMENTS OF NEEDED LEGISLATION
In my view, section 215 provides an adequate statutory foundation
for the ERO to develop reliability standards for the bulk power system.
However, the threat of cyber attacks or other intentional malicious
acts against the electric grid is different. These are national
security threats that may be posed by foreign nations or others intent
on attacking the U.S. through its electric grid. The nature of the
threat stands in stark contrast to other major reliability
vulnerabilities that have caused regional blackouts and reliability
failures in the past, such as vegetation management and protective
relay maintenance practices. Widespread disruption of electric service
can quickly undermine the U.S. government, its military, and the
economy, as well as endanger the health and safety of millions of
citizens. Given the national security dimension to this threat, there
may be a need to act quickly to protect the grid, to act in a manner
where action is mandatory rather than voluntary, and to protect certain
information from public disclosure. The Commission's legal authority is
inadequate for such action. This is true of both cyber and non-cyber
threats that pose national security concerns. In the case of such
threats to the electric system, the Commission does not have sufficient
authority to timely protect the reliability of the system.
Any new legislation should address several key concerns. First,
legislation should allow the Commission to take action before a cyber
or other national security incident has occurred to prevent a
significant risk of disruption to the grid due to such an incident. In
order to protect the grid, it is vital that the Commission be
authorized to act before an attack. Second, any legislation should
allow the Commission to maintain appropriate confidentiality of any
security-sensitive information submitted or developed through the
exercise of this authority. It should also allow the Commission to
protect such information when the Commission issues orders under any
new authority. Third, it is important that Congress be aware that if
additional reliability authority is limited to the ``bulk power
system,'' as defined in the FPA, it would exclude protection against
attacks involving Alaska and Hawaii and possibly the territories,
including any federal installations located therein. The current
interpretation of ``bulk power system'' also would exclude some
transmission and all local distribution facilities, including virtually
all of the grid facilities in large cities such as New York., thus
precluding possible Commission action to mitigate cyber or other
national security threats to reliability that involve such facilities
and major population areas. Finally, legislation should address not
only cyber security threats but also other national security threats to
reliability.
The Joint Staff draft bill is one approach that would largely
rectify the inadequacies in existing federal authority to address cyber
threats to the electric grid. It gives the Commission authority to
issue rules or orders that are necessary to protect critical electric
infrastructure from weaknesses or flaws in the design or operation of
electric devices or networks that expose critical electric
infrastructure to a cyber security threat. This authority to address
cyber security vulnerabilities would apply to all systems or assets,
whether physical or virtual, used for the generation, transmission, and
distribution of electric energy that in the determination of the
Commission are so vital to the U.S. that the incapacity or destruction
of such systems and assets would have a debilitating impact on the
security, national economic security, or national public health or
safety. Thus, it would allow the Commission to act to protect against
potential damage to the grid, including the grid facilities in New York
City, which I referenced earlier.
As I have noted, a key concern with respect to any cyber security
legislation is that the Commission must be allowed to maintain
appropriate confidentiality of any security-sensitive information
submitted or developed through the exercise of its authority. This
applies to information submitted to the Commission and to orders issued
by the Commission, which may contain security-sensitive information.
While the draft bill addresses the protection of critical
infrastructure information, it could be construed to provide protection
only for information voluntarily submitted to the Commission or the
Secretary. Not all information submitted to the Commission or the
Secretary will be submitted voluntarily, but rather may be ordered to
be submitted in an agency rule or order. Additionally, the Commission
or the Secretary may need to include sensitive information in the
orders they issue and this information similarly should be non-public.
Therefore, I recommend that the language be amended to address these
issues.
I also recommend that the Joint Staff draft be amended to address
not only cyber security threats but also other national security
threats to reliability. Intentional physical malicious acts (targeting,
for example, critical substations and generating stations) can cause
equal or greater destruction than cyber attacks and the Federal
government should have no less ability to act to protect against such
potential damage. This additional authority would not displace other
means of protecting the grid, such as action by federal, state and
local law enforcement and the National Guard, but the Commission has
unique expertise regarding the reliability of the grid, the
consequences of threats to it and the measures necessary to safeguard
it. If particular circumstances cause both FERC and other governmental
authorities to require action by utilities, FERC will coordinate with
other authorities as appropriate.
Finally, Congress should be aware of the fact that if additional
reliability authority is limited to the areas within the Commission's
jurisdiction under section 215 of the FPA, it would exclude protection
against reliability threats in Alaska and Hawaii and possibly the
territories, including any federal installations located therein.
CONCLUSION
The Commission's authority is not adequate to address cyber or
other national security threats to the reliability of our transmission
and power system. These types of threats pose an increasing risk to our
Nation's electric grid, which undergirds our government and economy and
helps ensure the health and welfare of our citizens. Congress should
address this risk now. Thank you again for the opportunity to testify
today. I would be happy to answer any questions you may have.
The Chairman. Thank you very much.
Mr. Sergel, go right ahead.
STATEMENT OF RICHARD P. SERGEL, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
Mr. Sergel. Thank you, Chairman, and members of the
committee. I appreciate the opportunity to testify today and I
commend you and your staffs for your attention to this
important issue.
NERC is committed to ensuring the reliability of the bulk
power system in North America in the face of cyber security
threats and assuring that NERCs efforts will complement those
of the government and industry in regard to cyber security
protection and assuring that there are no gaps, and that that
responsibility is clear for execution of cyber security
protection initiatives.
Now, as the international regulatory authority for the
reliability of the bulk power system in North America, NERC is
responsible for developing reliability standards applicable to
all users and owners of the system, ensuring that each of the
nearly 2,000 entities that own and operate components of the
system understand cyber security and the efforts needed to
adequately protect the security of the bulk power system, and
this has been a priority for us.
Now, my written testimony details the steps NERC has taken
to enhance protection of the system from cyber security
vulnerabilities and threats. I'm not going to talk about those
here today. We do have eight of the mandatory and enforceable
reliability standards in effect today, focus on cyber security,
and fill a specific role in the protection of the system. Now,
these standards were developed under the process established in
section 215, a process that worked to put those standards in
place for securing the grid and and we are working today to
improve those standards.
But reliability standards are not enough. NERC agrees that
new specific authority for emergency response to cyber threats
is necessary. In the case of an imminent cyber security threat,
authority to direct action should be vested in the Federal
Government in the United States and, as appropriate, in Canada.
The Joint Staff Draft addresses what we see as the
principle gap in the current law. The Federal Government lacks
sufficient authority to act to address an imminent and specific
cyber security threat to the critical infrastructure of the
United States. NERC believes that authority to act in such
emergencies should be assigned to a single Federal agency.
The Draft would give the Secretary of Energy the authority
to act in such circumstances. The provisions of the Draft to
encourage consultation and coordination with officials in
Canada and Mexico are, we believe, very important in
recognition of the international nature of the interconnected
North American power system.
Now, in addition to the new authority in the Department of
Energy, the Draft would also give new authority to the Federal
Energy Regulatory Commission to establish standards to address
not only emergencies, but cyber security vulnerability.
Moreover, FERC would be authorized to adopt rules or orders
without notice or hearing.
NERC believes it would be unwise to supplant section 215,
with respect to the establishment of cyber security standards
and, whatever occurs, we need to make sure that it's
complementary to what we do today. Hopefully we will be able to
do that.
The NERC standard setting process brings together industry
and security experts to develop standards that must apply to
the international, interconnected grid. Developing long-term
standards that apply to the more than 1,800 diverse entities
that own and operate the grid is a complex undertaking.
Standards must apply equally to companies with thousands of
employees and to those with only 20. Additionally, the
standards must do no harm. They must take into account the
unique component configurations and operational procedures that
differ widely across the grid. Given the industry's extensive
experience in standard development, NERC firmly believes that
the level of expertise necessary to create standards that
achieve security objectives and ensure liability can best be
found within the industry itself. But I emphasize again, that
is only if we have emergency authorization in place.
Now, we are also concerned that the draft sets up
potentially competing emergency authorities between the
Secretary of Energy and FERC.
Now in closing, I'd like to reiterate our primary message.
In the case of an imminent cyber security threat, the U.S.
Government should be authorized to act immediately. With
emergency responsibility in the hands of government, NERC would
be better able to do what it does best, develop and implement
cyber security reliability standards that will harden the grid
against intrusion and aid in responding effectively to cyber
security incidents.
Thank you.
[The prepared statement of Mr. Sergel follows:]
Prepared Statement of Richard P. Sergel, President and Chief Executive
Officer, North American Electric Reliability Corporation
INTRODUCTION
The cyber security of the bulk power system in North America
remains an important concern for our nation. When I last spoke in front
of a Congressional committee in September 2008, my organization, the
North American Electric Reliability Corporation (NERC), had just
launched a major initiative to improve its response to cyber security
challenges. I am pleased to report significant progress on this front,
which is a clear indication that the framework established under
Section 215 of the Federal Power Act is producing results. But I remain
firm in the message I communicated nine months ago: the Federal
government should be given additional, carefully crafted, emergency
authority to address specific, imminent cyber security threats.
My testimony today will focus on the steps NERC has taken to
enhance protection of the North American bulk power system from cyber
security threats, and offer NERC's views on the Joint Staff Draft,
which would provide the needed federal authority.
I. ROLE OF NERC STANDARDS IN PROTECTING THE BULK POWER SYSTEM
FROM CYBER ATTACK
As the international regulatory authority for the reliability of
the bulk power system in North America, NERC is responsible for
developing Reliability Standards applicable to all users, owners and
operators of the Bulk Power System. In the United States, NERC was
certified as the Electric Reliability Organization by the Federal
Energy Regulatory Commission (FERC) under Section 215 of the Federal
Power Act in July 2006. NERC is similarly recognized in much of Canada,
with the goal of ensuring that the entire interconnected power system
operates from a single platform of sound reliability practices and
procedures. NERC's over 100 Reliability Standards cover long-term
reliability issues ranging from vegetation management to system
operator training to modeling of the bulk power system.
Eight of NERC's standards are focused on cyber security and fill a
specific role in the protection of the bulk power system. The standards
are comprised of roughly forty specific requirements designed to lay a
solid foundation of sound security practices that, if properly
implemented, will develop the capabilities needed to secure critical
infrastructure from cyber security threats. Audits of compliance with
certain requirements included in the standards currently in effect, as
approved by FERC on January 18, 2008 in Order No. 706, will begin on
July 1, 2009.
NERC and its stakeholders recognize that the cyber security
standards currently in effect can be improved and are actively working
to do so in an expedited manner. As part of these efforts, NERC has
worked with industry, consumer representatives and regulators to
strengthen the standards both in the short-term by means of an initial
six-month revision phase, and the longer-term, through a concurrent 18-
month revision phase. Phase I revisions are already complete--they were
adopted by the electric industry with an 88% approval rating last week
and approved by NERC's Board of Trustees yesterday. The enhanced cyber
security standards will be filed with FERC for approval promptly. We
will also be filing those standards with authorities in Canada. Our
work to further strengthen the cyber standards will continue, and we
look forward to bringing these revisions to FERC for approval in early
2010.
One of the areas NERC and its stakeholders are working to address
in the longer-term revisions was the subject of an April 7 letter from
NERC Chief Security Officer Michael Assante to industry stakeholders.
The letter addressed the identification of Critical Assets and
associated Critical Cyber Assets that support the reliable operation of
the bulk power system, as required by NERC Reliability Standard CIP-
002-1.\1\ In the letter, Mr. Assante called on users, owners, and
operators of the bulk power system to take a fresh look at current
risk-based assessment models to ensure they appropriately account for
new considerations specific to cyber security, such as the need to
consider misuse of a cyber asset, not simply the loss of such an asset.
The letter is part of the iterative process between NERC and industry
stakeholders as we work together to improve reliability. In this case,
NERC gathered information about the status of implementation of the
critical infrastructure protection standards and fed that information
and its own insights back to the industry as part of a cycle of
continuous improvement.
---------------------------------------------------------------------------
\1\ The letter is available from the NERC website: http://
www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-
040709.pdf.
---------------------------------------------------------------------------
This effort demonstrates that NERC is working to address a critical
element of the cyber security challenge: the educational learning curve
and resulting compliance-related challenges that must be addressed to
improve the cyber security of the Bulk Power System. Ensuring that each
of the nearly two thousand entities that own and operate components of
the bulk power system understands cyber security and the efforts needed
to adequately protect the security of the bulk power system has been a
priority for NERC. While efforts such as the September 23rd, 2008 cyber
security summit and classified briefings for industry executives have
been important components of NERC's educational efforts, the standards
development process itself has contributed a great deal to raising the
profile and priority of cyber security within the electric sector.
Other educational efforts currently under development include a series
of webinars on compliance with the critical infrastructure protection
standards and further regular communication with the industry.
At the end of the day, however, preparedness efforts like those
discussed above are necessary but not sufficient to protect the system
against specific and imminent threats. Protecting the system from these
kinds of threats is dependent in large measure on the quality and
timeliness of threat analysis and risk information developed by
intelligence and law enforcement professionals and, importantly, their
ability to share specific, actionable information with asset owners.
II. ADDRESSING IMMINENT AND SPECIFIC CYBER SECURITY THREATS
At NERC, we are working in a number of areas to help provide or
assist in the provision of the kinds of information that will help the
industry better secure critical assets from advanced, well-resourced
threats and other known cyber activity on an ongoing basis. Strong and
proactive participation by industry volunteers thus far has been
encouraging.
In these efforts, NERC collaborates with the U.S. Department of
Energy (DOE) and U.S. Department of Homeland Security (DHS) on critical
infrastructure and security matters on an almost daily basis.
Additionally, NERC serves as the Electricity Sector Information Sharing
and Analysis Center (ES-ISAC),\2\ which is responsible for promptly
analyzing and disseminating threat indications, analyses and warnings
to assist the electricity industry.
---------------------------------------------------------------------------
\2\ The ES-ISAC has been operated by NERC since it was formed in
2001. The ES-ISAC was created as a result of action by the U.S.
Department of Energy in response to Presidential Decision Directive 63
issued in 1998. The ES-ISAC works with the electricity industry to
identify and mitigate cyber vulnerabilities by providing information,
recommending mitigation measures, and following up to monitor
implementation of recommended measures. NERC, in its capacity as the
ES-ISAC, also has some related responsibilities for cyber and physical
security issues associated with all electric facilities operated in the
United States.
---------------------------------------------------------------------------
NERC disseminates these findings via its voluntary alerts
mechanism, which has pioneered outreach to asset owners and is
virtually unmatched by other infrastructure sectors. NERC is now able
to provide timely critical reliability information to security and grid
operations professionals, and has demonstrated success by conducting
training and using the system to send alerts, record acknowledgements
and receive responses within several days. As a result, our last
recommendation was met with a 94 percent response rate. The industry
has been very supportive as we have worked to improve this process. We
look forward to launching an improved secure ``alerts portal'' to
continue to improve this system in the coming weeks.
Other efforts underway at NERC include ongoing work with industry
experts to assess security risks to the bulk power system of North
America. Through these assessments, NERC seeks to broaden the
understanding of cyber risk concerns facing the interconnected bulk
power system and guide industry-wide efforts to develop prudent
approaches to address the most material risks--in both the short-term,
through appropriate alerts, and longer-term, through appropriate
standards. Generalized and aggregated findings generated through these
assessments will be communicated with asset owners through the
voluntary alerts mechanism discussed above.
We firmly believe, however, that there are circumstances where
these efforts will not be adequate to identify or address specific
imminent threats. NERC agrees that new, specific authority for
emergency response to cyber threats is necessary. In the case of an
imminent cyber security threat, authority to direct action should be
vested in the Federal government in the United States and as
appropriate in Canada.
III. COMMENTS ON JOINT STAFF DRAFT
The Joint Staff Draft legislation would add a new Section 224,
``Critical Electric Infrastructure,'' to the Federal Power Act. The
draft addresses the principal gap that NERC sees in the current law:
the Federal government lacks sufficient authority to act to address an
imminent and specific cyber security threat to the critical
infrastructure of the United States. NERC believes that authority to
act in such emergencies should be assigned to a single Federal agency.
Proposed Section 224(c)(1) does this by giving the Secretary of Energy
the authority to act in such circumstances. Proposed Section 224(c)(2)
properly encourages the Secretary, in exercising that authority, to
consult and coordinate with appropriate officials in Canada and Mexico.
This encouragement is entirely appropriate, because the bulk power
system in North America comprises an interconnected grid that spans two
international borders.
The draft legislation goes beyond the scope of Section 215, which
specifically limits standard-setting authority to apply only to users,
owners, and operators of the bulk power system. The draft legislation
would extend jurisdiction, for purposes of Section 224, to any entity
that owns, controls, or operates systems and assets, whether physical
or virtual, used for the generation, transmission, or distribution of
electric energy affecting interstate commerce. At the time Congress
adopted Section 215 of the Federal Power Act, providing for mandatory
and enforceable reliability standards, it carefully chose the scope of
jurisdiction it was granting, based on the nature of the risk and the
international nature of the interconnected grid. Congress should again
weigh the benefits and risks of broader jurisdiction as it considers
this grant of additional authority.
Proposed Section 224(b) would give FERC authority to establish
standards to address not only emergencies, but any cyber security
vulnerability, defined as a weakness or flaw in the design or operation
of any programmable electronic device or communication network that
exposes critical electric infrastructure to a cyber security threat. It
would authorize FERC to adopt rules or orders without notice or
hearing. Proposed Section 224(b) would supplant Section 215 with
respect to establishing cyber security standards. The NERC standard-
setting process brings together industry and security experts to
develop standards that must apply to the international, interconnected
grid. Developing long-term standards that apply to the more than 1800
diverse entities that own and operate the bulk power system is a
complex undertaking. Standards must apply equally to companies with
thousands of employees and to those with only twenty. Additionally, the
standards must not do harm. They must take into account unique
component configurations and operational procedures that differ widely
across the grid. Given our extensive experience in standards
development, NERC firmly believes the level of expertise needed to
create standards that achieve security objectives and ensure
reliability can best be found within the industry itself. Given these
constraints, setting these standards should not be done without notice
or opportunity to be heard, especially when the consequence of non-
compliance can be significant penalties.
Sections 224(b) and 224(c) also create potentially competing
emergency authorities in both the Secretary of Energy and FERC, since
FERC may issue an order without notice and hearing, and there is no
requirement that the Commission coordinate with the Secretary of Energy
or with other potentially affected nations.
NERC believes the highest priority gap in the nation's cyber
security protection is the lack of emergency authority, and proposed
Section 224(c) addresses that gap.
CONCLUSION
NERC, the electric industry, and the governments of North America
share a mutual goal of ensuring threats to the reliability of the bulk
power system, especially cyber security threats, are clearly understood
and effectively mitigated. NERC has taken a number of actions to
protect the bulk power system against cyber security threats and NERC
will continue its work with industry stakeholders to do so. We believe
these efforts have improved and will continue to improve the
reliability and security of the bulk power system. We maintain,
however, that these efforts cannot be a substitute for additional
emergency authority at the federal level to address specific and
imminent cyber security threats.
NERC and industry stakeholders appreciate the magnitude and
priority of this issue and fully support legislative efforts to address
this gap in authority as quickly as possible. Moving forward, NERC is
committed to complementing Federal authority to address cyber security
challenges, regardless of the form it may take. We commend this
Committee for its action to date and look forward to supporting its
efforts however possible.
The Chairman. Thank you very much.
Mr. Mosher.
STATEMENT OF ALLEN MOSHER, SENIOR DIRECTOR OF POLICY ANALYSIS
AND RELIABILITY, AMERICAN PUBLIC POWER ASSOCIATION
Mr. Mosher. Thank you and good morning. Chairman Bingaman,
members of the committee, thank you for asking me to testify
this morning. I am Allen Mosher, Director of Policy Analysis
and Reliability for APPA. I am here on behalf of APPA staff.
There wasn't sufficient time for me to run the Dtaff Draft by
APPA membership, so I am giving you a preliminary view.
APPA is the trade association of the Nation's 2,000 State,
municipal, and other publicly owned utility systems. We serve
about 45 million people across the country in 49 of the 50
States.
I did have an opportunity to speak with a member at the
NERC Board of Trustees meeting the other day about the draft
legislation and my testimony. He very much wanted me to
emphasize that if the utility industry is given reliable,
credible, actionable information from the Federal Government,
we will act to protect our facilities. We have a vested
interest in protecting both the assets and in ensuring reliable
service to our customers. Its a responsibility to customers, to
our communities, and to the Nation as a whole to do that.
APPA does believe that legislation is needed, but it needs
to be carefully drawn and to build upon the security, cyber
security and bulk power reliability framework that is already
in place. We need to improve upon the NERC standards
development process. Yes, it isn't fast enough, but we do
believe that we can improve upon it and make it more effective
and meet many of the needs that have been identified.
We do agree that there should be specific additional
legislative or statutory authorities for the Federal
Government, in particular for FERC and DOE. First, we support
targeted authority for FERC to issue emergency orders in
response to imminent threats to the bulk power system. These
directives should, however, remain in effect only until the
threat subsides and until we can replace them with permanent
NERC reliability standards.
We also support specific authority for the Commission to
address certain vulnerabilities identified in a June 2007 NERC
Advisory called AURORA. In the APPA's view, the AURORA-related
vulnerabilities can and should be addressed through reliability
standards, but until there are standards in place that cover
it, then FERC should have some interim authority, but limited
to that advisory.
We definitely need to have better mechanisms and statutory
protections for communications. There are real problems
communicating on the nature of threats, both from the
government down to the industry and back up from the industry
to the government. There are particular problems for publicly
owned entities, both Federal, State, and municipal. Because we
are entities of local governments, we have public openness laws
that sometimes get in the way of keeping information
confidential.
Let me go on to the next point. We do have some concerns
with the draft. It is potentially over-inclusive of facilities,
it covers generation, transmission, and distribution. We are
concerned that if you include distribution facilities within
the scope of the legislation, you may actually reduce the
effectiveness of the overall program. By trying to cover
everything, you may actually weaken the overall program.
In section 224, B-1, FERC is given very, very broad
discretion to act in the public interest to protect against a
cyber attack. We think there should be some limitations on that
authority. It could--in fact, in the absence of prior
consultation with the industry, lead to requirements that are
burdensome, very expensive, and potentially ineffective. Again,
the Commission can't know all of the details on all of the
different utility systems. As Rick said earlier, we have very
small electric utilities in the country. I have members,
utilities, that have staffs of five people. It would be
impossible for them to be read into the programs and to work
effectively in this construct. So, thus we need to have a
limited scope initially to really have an effective program for
the bulk power system.
Next, the bill gives both FERC and DOE authority to act on
an emergency basis. Although one is characterized as authority
to act on vulnerabilities and the other is threats, this could
lead to conflicts between the actions of two Federal agencies.
What we really can't afford to have in the time of crisis is
two directives from two agencies that are inconsistent.
Finally we need to have really far more, far more effective
measures on confidentiality. The bill raises the issue, but we
need a much more comprehensive structure and we would be happy
to work with the committee to work out such provisions.
Thank you.
[The prepared statement of Mr. Mosher follows:]
Prepared Statement of Allen Mosher, Senior Director of Policy Analysis
and Reliability, American Public Power Association
INTRODUCTION
APPA appreciates the opportunity to provide the following testimony
for the Senate Energy and Natural Resources Committee's hearing
regarding the Joint Staff draft related to cyber security and critical
electricity infrastructure. I am Allen Mosher, Senior Director of
Policy Analysis and Reliability for APPA.
APPA represents the interests of more than 2,000 publicly-owned
electric utility systems across the country, serving approximately 45
million Americans. APPA member utilities include state public power
agencies and municipal electric utilities that serve some of the
nation's largest cities. However, the vast majority of these publicly-
owned electric utilities serve small and medium-sized communities in 49
states.
My comments concerning the electric utility industry's work on
cyber security issues and the Joint Staff draft that is the subject of
today's hearings are offered on behalf of APPA alone. I would be
remiss, however, if I did not first discuss the broad consensus within
the electric power industry in support of enhanced, albeit narrowly
targeted, authorities for the Federal Energy Regulatory Commission
(FERC) and the United States Department of Energy (DOE) in the area of
cyber security.
The associations in our industry represent a broad variety of
stakeholder interests, including investor-owned, cooperatively-owned
and publicly-owned utilities, independent generators, Canadian
utilities, large industrial consumers, and state-public utility
commissions. For very legitimate reasons, we usually have very
different views on the policy issues facing our industry. On the issue
of protection of the electric bulk power system from cyber security
emergencies, however, we have been working together for over a year.
APPA, the Canadian Electricity Association, the Edison Electric
Institute, the Electricity Consumers Resource Council, the Electric
Power Supply Association, the Large Public Power Council, the National
Association of Regulatory Utility Commissioners, the National Rural
Electric Cooperative Association and the Transmission Access Policy
Study Group all support carefully crafted and specific legislation to
deal with the discrete issue of cyber security emergencies. We
understand the seriousness of the issue, and the need to deal with it.
At the same time, we believe that such legislation must be carefully
drawn and narrow in its application, to avoid disrupting the mandatory
reliability regime that Congress has already required and the electric
utility industry is implementing, with FERC oversight.
Attached to my testimony is a two-page issue brief* that outlines
this common perspective among the electric power trade associations in
support of certain shared principles. However, I must emphasize that
this testimony is provided solely on behalf of APPA. I will also
address APPA's initial assessment of the Joint Staff draft, although
these views are only those of APPA Staff, since we were unable to
review the draft legislation with APPA's members prior to the filing of
this testimony.
---------------------------------------------------------------------------
* See attachment on page 32.
---------------------------------------------------------------------------
APPA CYBER SECURITY PRINCIPLES
APPA believes legislation regarding the cyber security of the
nation's electric power system should be based on certain core
principles, and take into account efforts now underway. Any legislation
Congress adopts should:
(1) Continue the strong industry partnership with government
agencies in the United States and Canada. On an ongoing basis,
the electric power industry communicates and collaborates in
the United States with the Department of Homeland Security, DOE
and FERC. Similarly, in Canada, the industry deals with the
various federal and provincial authorities to gain needed
information about potential threats and vulnerabilities related
to the bulk power system. The electric power industry also
works very closely with the North American Electric Reliability
Corporation (NERC) to develop mandatory reliability standards,
including an array of cyber security standards, which NERC
calls ``Critical Infrastructure Protection'' or ``CIP''
standards. In addition, NERC, in its capacity as the Electric
Sector Information Sharing and Analysis Center (ESISAC), uses
its ``alert and advisory'' procedures to provide the electric
power industry with timely and actionable information received
from various federal agencies to assure the continued
reliability and security of the nation's electric systems. NERC
is in the process of adopting important improvements to its
ESISAC alert communications software that will allow more
targeted communications and provide for a more secure, reliable
two-way communications pathway between NERC and industry
members.
(2) Foster the current electric power industry-wide
commitment to continuously monitor the bulk power system and
mitigate the effects of transmission grid reliability and
security incidents, large and small. All sectors of the
industry are working to instill a culture of compliance with
mandatory electric reliability standards enforced by the
Commission within the United States. Maintaining and enhancing
the cyber security of our bulk power control and communication
systems is a fundamental element of this developing industry
culture. The electric utility industry is unlike many other
critical infrastructures in the United States, in that each
utility company, whether publicly or privately owned, is
interconnected with and directly affected by the operating
practices of its neighboring utilities. The very fact that our
own actions can adversely affect the reliable operation of our
neighbors gives the industry a shared commitment to reliability
and to mandatory reliability standards. The need to maintain
and enhance cyber security, coupled with the deployment of
complex digital communications networks for system control,
presents a new set of potential challenges and opportunities to
the industry. New efficiencies made possible by smart grid for
example, also present new vectors for attack upon both new and
existing system control networks that could present a risk of
cascading outages. On the other hand, it may be possible to
design smart grid applications that provide new ways of
detecting and responding to malicious activity on the electric
grid.
(3) Support continued participation in NERC's industry-based
and FERC-approved standards development process which will
yield mandatory CIP cyber security standards for the bulk power
system that are clear, technically sound and enforceable, and
which garner broad support within the industry. NERC is
striving to draw from the state-of-the-art in cyber security,
through consideration of the National Institute of Standards
and Technology's (NIST) framework for cyber security, and to
integrate that framework into NERC's existing Critical
Infrastructure Protection standards. As Vice Chairman of the
NERC Standards Committee, I can personally attest that both
NERC, as an organization, and the industry have made a
significant commitment of resources to the development of new
cyber security standards. In fact we've committed some of our
scarcest resources--our subject matter experts in cyber
security and system operations--to the task of developing draft
standards for consideration by the industry as a whole. NERC
has also made important revisions to its standards development
process, by putting in place policies that allow, when
necessary, for the confidential and expedited or emergency
development of reliability standards, including those related
to cyber security.
However, there are four specific areas in which APPA would support
additional statutory authorities for the federal government and in
particular for FERC and DOE:
(1) Narrowly targeted authority for the FERC to issue
emergency orders in response to an imminent threat to the bulk
power system. If the federal government has actionable
intelligence about an imminent threat to, or a newly identified
vulnerability on, the bulk power system, and time does not
allow for classified industry briefings and timely development
of mitigation measures for a threat or vulnerability, the FERC
in the United States and the appropriate corresponding
authorities in Canada should be authorized to direct the
electric power industry to take needed emergency actions. The
electric power industry is ready, willing and able to respond
to specific directives based on targeted mitigation measures
that are clearly linked to the nature of the underlying threat.
However, these emergency directives should only remain in
effect until the threat subsides or FERC approves related NERC-
developed reliability standards that establish permanent
measures to address the specific vulnerability that the threat
was intended to exploit. In the United States, Section 215 of
the Federal Power Act (added by the Energy Policy Act of 2005)
invested FERC with a significant supervisory role in bulk power
system reliability. It would be duplicative and inefficient to
recreate that responsibility at another agency. But at the same
time, it would be highly disruptive to the process for
development of mandatory and enforceable electric reliability
standards set out in FPA Section 215 for the FERC to impose
permanent or quasi-permanent cyber security standards that have
not undergone the due process steps within the industry
required by that section.
(2) Specific authority for the Commission to issue orders
that address certain vulnerabilities to the bulk power system
identified in the June 21, 2007 ESISAC Advisory issued by NERC,
and related remote access issues. In APPA's view, the
vulnerabilities identified in the so-called ``Aurora Advisory''
can and will be addressed through the development of new NERC
cyber security standards for the bulk power system that will be
posted for industry comment. These standards will be
comprehensive in scope and will encompass all bulk power system
asset owners, operators and users in various degrees. The
standards will address the potential underlying vulnerability
by securing utility assets from unauthorized remote access.
Until such time as those standards are adopted, however, FERC
should be authorized to direct that remedial measures be taken
by United States entities subject to NERC reliability
standards.
(3) Improved communications flows of timely and actionable
information from government to industry, matched by enhanced
responsibility for the electric power industry to share
critical energy infrastructure information with government
agencies on a similarly secure and confidential basis. In
normal circumstances, the electric power industry can protect
the reliability and security of the bulk power system without
government intelligence information. However, in the limited
circumstances when the industry does need government
intelligence information on a particular cyber security threat
or vulnerability, it is critical that such information be
timely and actionable. After receiving this information, the
electric power industry can then direct its expert operators
and cyber security staff to take the necessary steps to secure
systems and networks, ensuring the reliability and security of
the bulk power system. While a number of federal agencies have
roles in this communication process, APPA continues to support
placing DOE in the role of the lead agency in communicating
threat information to the electricity sector as well as to
other sectors of the energy industry. DOE's understanding of
the electric utility industry provides it with the ability to
filter and translate intelligence information into a more
actionable form. Moreover, because DOE does not have direct
regulatory authority over the electric utility industry, it
will be better situated to receive candid assessments of
potential industry vulnerabilities or attempts to penetrate
electric power industry assets than FERC, which is charged with
enforcing industry compliance with mandatory reliability
standards, with penalties of up to $1 million per day for each
violation.
(4) Enhanced authority for the electric power industry--
particularly public power utilities--to protect and keep
critical energy infrastructure information confidential and
non-public. The electric power industry and government face a
variety of complex issues associated with the non-public
exchange of Critical Energy Infrastructure Information (CEII)
as well as gaining appropriate access to highly sensitive cyber
security threat information available to government agencies.
For example, NERC and FERC face conflicting statutory
obligations to use open, public stakeholder processes to
develop cyber security standards and to approve such standards
through public notice and comment, while safeguarding from
public disclosure threat and vulnerability information that may
provide the rationale for certain elements of these reliability
standards. Public power utilities face their own unique
problems in this area. As instrumentalities of state and local
governments, public power utilities are subject to state public
record and open meeting laws, which make keeping a variety of
information non-public more difficult. As publicly-owned
entities, this is as it should be--public power utilities are
committed to open government and transparency. However, in the
case of CEII, transparency is not in the public interest. Just
as certain federally-owned utilities may face difficulties
protecting information from Freedom of Information Act (FOIA)
requests, even when CEII protections are invoked, state and
locally-owned utilities face the risk of state record requests
for such information. The transfer of such sensitive
information to a third party makes protection of CEII for
public power systems even more difficult. Public power systems
are currently developing possible statutory approaches to
address their unique CEII concerns. APPA notes that H.R. 2165,
introduced on April 29, 2009, by Rep. John Barrow (D-GA) and
co-sponsored by Energy and Commerce Chairman Henry Waxman (D-
CA) and Rep. Ed Markey (D-MA), contains provisions intended to
address these pressing information disclosure issues. While
APPA has not completed its analysis, H.R. 2165 appears to
comport with many of the points I have laid out in this
testimony, including the need for enhanced authority to protect
CEII.
APPA STAFF COMMENTS ON JOINT STAFF DRAFT
APPA staff has also reviewed the Senate Energy and Natural
Resources Committee Joint Staff draft of proposed Federal Power Act
Section 224, which would authorize FERC and DOE to issue rules and
orders to respond to cyber security vulnerabilities and threats to
critical electric infrastructure. While we appreciate the Committee
working to address this important issue, APPA does have some concerns
with that draft, including the following:
Inclusion of potentially all electric utility industry
assets, including distribution, is overly broad.
Sec. 224 (a)(1) defines ``Critical electric
infrastructure'' to include distribution systems and
assets that if incapacitated or destroyed would have a
debilitating impact on security, national economic
security, or national public health or safety.
Depending on how FERC and DOE make their respective
determinations in implementing the statute, virtually
all electric utility infrastructure could be included
within the scope of this new statutory authority. APPA
believes that over-inclusion of electric utility
infrastructure would be counterproductive; by
attempting to protect everything efforts to protect the
truly critical and important infrastructure would be
diluted. APPA therefore supports targeting new FERC and
DOE authority toward urgent cyber security threats to
the bulk power system, rather than the broader universe
of facilities envisioned in the Committee staff draft.
The Committee staff draft could expose over 1,650
additional public power distribution systems to FERC
and DOE regulation, imposing very substantial
regulatory and financial burdens on many small cities
and towns that are disproportionate to the potential
cyber security risks that these entities pose. Again,
APPA believes that the effort to maintain and enhance
the cyber security of the nation's critical electric
utility infrastructure should focus first on the
critical facilities and systems that, if not protected,
could cause substantial disruption to the nation's
electric utility industry.
FERC discretion appears to be broad and unfettered.
Sec. 224 (b)(1) directs FERC to issue rules and
orders ``as are necessary to protect critical electric
infrastructure from cyber security threats.'' [Emphasis
added.] This section imposes no real limits on the
extent of FERC authority to order specific actions. As
written, it appears that FERC could order the
enlargement of facilities, interconnections or
disconnections or any other action it deems necessary,
without any obligation even to consult with the
industry in advance to determine whether its proposed
course of action is the most effective and cost-
efficient way to address a particular threat. This
section would also permit FERC to issue cyber security
orders that directly replace or supplement industry-
approved reliability standards, undermining one of the
fundamental tenets underlying Section 215.
FERC and DOE emergency procedure authorities are potentially
redundant.
Under Sec. 224 (b)(2) and (c), FERC and DOE are both
granted authority to act on an emergency basis without
prior notice or hearing for up to 90 days, with FERC
authorized to take expedited measures to protect
critical electric infrastructure from cyber security
vulnerabilities and DOE authorized to take emergency
actions to protect critical electric infrastructure
from cyber security threats. APPA suggests that such
emergency or expedited authority could be assigned to a
single agency, to avoid duplication and confusion as to
the respective roles of the two agencies. It is
imperative that agency directives not be conflicting.
The requirements to consult with industry and to mitigate
burdens before directives become effective should be stronger.
FERC's authority to issue rules or orders under
Section 224 (b)(1) presumably is subject to the
judicial review procedures set out in the FPA, as well
the Administrative Procedures Act (although these
points should be clarified). DOE and FERC authorities
to issue emergency orders under sections (b)(2) and (c)
are subject to a 90 day sunset in Sec. (d) unless FERC
``gives interested persons an opportunity to submit
written data, views, or arguments. . .'' Unfortunately,
there is no requirement for FERC and DOE to consult
with the industry in advance, even as time permits,
regarding the nature of the threat or vulnerability, or
to take into account the industry's views on the most
efficient way in which to address the threat and/or
methods for reducing the associated burden on the
industry. Moreover, the filing of a request for
rehearing or petition for review would not stay the
effectiveness of the directive. Compliance with a
potentially flawed directive would therefore be both
mandatory and subject to financial penalties under FPA
Section 316A (EPAct Sec. 1284).
Draft Sec. 224(f) does not fully address confidentiality
issues, including the need for processes governing non-public
communications between FERC/DOE and the industry, and the
particular confidentiality issues faced by public power
utilities.
My understanding is that the Critical Infrastructure
Information Act processes referenced in Sec. 224 (a)(3)
and (f) protect only voluntary disclosures by non-
governmental entities to government agencies. As
discussed above, a variety of other communications may
need additional safeguards. As noted previously, H.R.
2165 contains provisions that deal with these
confidentiality concerns in a more comprehensive and
effective manner.
Thank you for the opportunity to present APPA's views
on the important cyber security issues facing the
electric utility industry. We look forward to
continuing to work with the Committee on this important
issue and we are available to provide any further
assistance.
The Chairman. Thank you very much.
Mr. Owens.
STATEMENT OF DAVID K. OWENS, EXECUTIVE VICE PRESIDENT, BUSINESS
OPERATIONS, EDISON ELECTRIC INSTITUTE
Mr. Owens. Good morning Chairman Bingaman, Senator
Murkowski, other members of the committee. My name is David
Owens and I am the Executive Vice President for Business
Operations for the Edison Electric Institute. I certainly do
appreciate this opportunity to be with you today.
I am accompanied today by Steve Naumann, who is the Vice
President of Wholesale Market Development for the Exelon
Corporation. Steve also serves as the chair of the Member
Representatives Committee in the North American Electric
Liability Corporation. So, he has extensive technical
background and a good understanding of the NERC processes. I
brought him in case you ask me some hard questions, so I'll
turn around and say, Steve, help me out.
But let me get into just the points that I'd like to make.
I'd like to really focus on three areas morning. I would like
to first say that I believe that the success of public and
private partnerships in recognizing and addressing cyber
threats and vulnerabilities are very critical. I also believe
that there is a need to avoid unintended consequences when
implementing cyber security remedies. Finally, I would like to
make a couple of comments about the joint draft proposal.
But let me start out and really piggyback something that
Allen Mosher said earlier and that is that we take the issue of
cyber security very, very seriously in our industry. Not just
as utility owners and operators, but all aspects of the
industry. We take it very seriously.
We also recognize, however, that our cyber adversaries are
becoming much more sophisticated and so that compels that the
private sector work more closely with the government in
coordinating information from and to the government. So, we see
that we have a significant commitment to work very closely with
the government, to get a good understanding of the possibility
of cyber threats and vulnerabilities.
We recognize that we have important roles and the
government has important roles. We believe that both the public
and private sectors, we need to have our regimes very clearly
defined. We recognize that our roles are complementary and our
responsibilities may be complementary, but we certainly do
believe that there needs to be substantial cooperation between
government agencies and utilities.
We also believe very passionately that grid security, in
order to provide gridsecurity, that the manufacturers of
critical components of our systems, they also need to come
under some very high standards. They need to demonstrate that
they are adequately fulfilling their security responsibilities
by adopting good security practices as well. Now, if our
suppliers are building security into their products and
providing mitigation technical assistance when new
vulnerabilities arise, it permits us to operate our systems in
a much more secure and reliable fashion.
We also recognize, as Pat Hoffman indicated, that there are
additional potential cyber vulnerabilities as we begin to
digitize our systems. As we begin to go to Smart Grid
technologies, we recognize that we open ourselves up for other
vulnerabilities. We believe that it is very imperative that the
industry work closely with the vendors and manufacturers to
ensure that they understand that cyber security is essential,
so that they have cyber security protection and that they are
incorporating in the devices as much as possible.
To that end, we certainly do support the process currently
underway at the National Institute of Standards and Technology
to develop a framework of standards that will become the
foundation of a secure, interoperable Smart Grid.
Now, we are also encouraging the development of a security
certification program. Let me describe that. We call it kind of
Good Housekeeping seal of approval, if you will, through which
Smart Grid components and systems could undergo rigorous
independent testing and receive a certification that security
tests have been passed. If we are using new devices and we're
moving to the Smart Grid, we believe that those devices really
need to be able to pass through a very rigorous screen.
I mentioned earlier the need for cooperation between the
government and industry and EI members are working very closely
with government partners, the national labs, the FBI, the DHS,
DOE, the Office of the Director of National Intelligence and
even FERC in many proactive processes to enhance cyber
security. We believe that this careful consultation with
utilities helps ensure that government intervention in
protecting the grid from a cyber attack does not have
unintended consequences.
That is because, as you know, the grid is a very complex
machine. Certain measures which might prevent a particular type
of cyber attack could themselves have adverse consequences on
the safety and reliability of the electric grid.
So we believe, for this reason, any new legislation giving
FERC or the Department of Energy additional statutory authority
should be limited to emergency situations where there is
significant declared national security or public welfare
concerns and should provide ongoing consultation with industry
experts as much as possible.
Now, we applaud the committee and the chair for the
herculean efforts in the adoption of mandatory reliability
standards. As was indicated earlier by Rick Sergel, there is a
very deliberative process that we go through within the NERC
framework and the adoption of standards. We recognize that that
NERC process really is not suited for developing standards that
are designed to address emergencies, where we require immediate
mandatory action with the confidential handling of information.
But it is also important to recognize, as I believe, that
the vast majority of cyber issues do not rise to the level of
national security. As such, we believe very strongly that the
legislation should be focused narrowly on addressing a
potential set of threats that legitimately merit special
Federal emergency authority.
I will go back to a major theme and that is promoting
clearly defined roles and responsibilities as well as ongoing
consultation sharing of information between the government and
the private sector, in our opinion, is the best approach to
improve cyber security. EI and its member companies, we remain
fully committed to working with the committee, working with the
various government agencies.
I appreciate this opportunity to appear before you today
and I look forward to your questions.
[The prepared statement of Mr. Owens follows:]
Prepared Statement of David K. Owens, Executive Vice President,
Business Operations, Edison Electric Institute
My name is David Owens, and I am Executive Vice President in charge
of the Business Operations Group at the Edison Electric Institute
(EEI). EEI is the trade association of U.S. shareholder-owned electric
companies and has international affiliate and industry associate
members worldwide. EEI's U.S. members serve 95 percent of the ultimate
customers in the shareholder-owned segment of the industry and
represent about 70 percent of the U.S. electric power industry. I am
accompanied by Steve Naumann, Vice President for Wholesale Market
Development for Exelon Corporation. Steve also serves as Chairman of
the Member Representatives Committee of the North American Electric
Reliability Corporation (NERC), and in his various roles he has more
familiarity with the technical and operational aspects of cyber
security issues related to the electric grid, as well as industry
processes in place at NERC. We appreciate your invitation to appear
today and the opportunity to testify about cyber security and critical
electric infrastructure.
My testimony focuses on the nature of cyber security threats to the
bulk electric power system, the efforts of electric utilities to
respond to those threats, and the joint staff draft on critical
electric infrastructure. I want to reassure the Committee that EEI's
member companies and other owners, operators, and users of the bulk
power system take cyber security very seriously. Our companies deal
with cyber security issues every day as one of many important aspects
of grid reliability. Utilities have many processes and programs in
place to protect their cyber infrastructure and mitigate the risks that
cyber intrusions pose to reliable operations of their systems.
Information about cyber security vulnerabilities and attempts to
exploit those vulnerabilities is shared with electric industry owners,
users, and operators through a number of channels every day. Federal
agencies that communicate this information to the private sector, such
as the United States Computer Emergency Readiness Team (US-CERT), as
well as cyber security hardware and software vendors, classify
vulnerabilities in terms of the generalized risk to systems. Factors
such as the seriousness of consequences of a successful attack, the
sophistication required to conduct the attack, and how widely used the
potentially affected assets are within an industry are used to rank
vulnerabilities as ``high'', ``medium'', or ``low'' risk.
Both the federal government and electric utilities have distinct
realms of responsibility and expertise in protecting the bulk power
system from cyber attack. As cyber security threats continue to evolve
and our cyber adversaries become more sophisticated, the private sector
would welcome even more coordination with, and information from,
government agencies with national security responsibilities that have
the best access to intelligence concerning the nature of threats to
electric utility systems. Electric utilities are experienced and
knowledgeable about how to provide reliable electric service at a
reasonable cost to their customers, and they understand how their
complex systems operate. Electric utilities are in a unique position to
understand the consequences of a potential malicious act as well as
proposed actions to prevent such an exploitation. The optimal approach
to utilizing the considerable knowledge of both government intelligence
specialists and electric utilities in ensuring the cyber security of
the nation's electric grid is to promote a regime that clearly defines
these complementary roles and responsibilities and provides for ongoing
consultation and sharing of information between government agencies and
utilities.
As the industry relies increasingly on digital electronic devices
and communications to optimize our systems and enhance reliability,
cyber security will remain a constant challenge. Effective cyber
security will continue to require a strong partnership among utilities,
the federal government, and the suppliers of critical electric grid
systems and components. Our companies believe they are up to their part
of this task, building on our industry's historical and deep-rooted
commitment to maintaining system reliability.
EEI member companies are addressing the risks they know about
through a ``defense-in-depth'' strategy while appropriately balancing
considerations of potential consequences. This defense-in-depth
strategy includes preventive, monitoring and detective measures to
ensure the security of our systems. For example, they perform
penetration tests where a contractor attempts to find and exploit
vulnerabilities. The results of these regular penetration tests inform
companies about whether their preventive strategies are working so that
they can enhance their protection as technologies and capabilities
evolve. Penetration testing also allows them to practice and enhance
their monitoring capabilities.
EEI members are also working with government partners--the national
laboratories, the Federal Bureau of Investigation (FBI), Department of
Homeland Security (DHS), Department of Energy (DOE), and the Office of
the Director of National Intelligence (ODNI)--in many proactive
programs to enhance the cybersecurity of the electric grid. For
example, industry participants worked with DOE to develop a strategic
roadmap to identify and prioritize projects to enhance the security of
electric industry control systems.
Obviously, the scope of the damages that could result from a cyber
security threat depends on the details of any particular incident. A
carefully planned cyber attack could potentially have serious
consequences. In considering the scope of damages that any particular
cyber security threat might inflict, utilities must also consider the
potential consequences caused by any measures taken to prevent against
cyber attack. Certain measures that might prevent a particular type of
cyber attack could themselves have adverse impacts to safe and reliable
utility operations and service to electricity customers. Examples might
include slower responses during emergency operations, longer times for
restoration of outages and disruption of business operations dependent
on Internet access. That is why each situation requires careful
consultation with utilities to ensure that a measure aimed at
protecting the grid from a malicious cyber attack does not instead
cause other unintended and harmful consequences.
Furthermore, every utility operates different equipment in
different environments, making it difficult to offer generalizations
about the impacts to the bulk power system or costs and time required
to mitigate any particular threat or vulnerability. This complexity
underscores the importance of consultation with owners, users, and
operators to ensure that any mitigation that may be required
appropriately considers these factors to ensure an efficient and
effective outcome.
For the foregoing reasons, any new legislation giving the Federal
Energy Regulatory Commission (FERC) or DOE additional statutory
authority should be limited to true emergency situations where there is
a significant declared national security or public welfare concern. In
such an emergency, it is imperative that the government can provide
appropriate entities clear direction about actions to be taken, and
assurance that those actions will not have significant adverse
consequences to utility operations or assets, while at the same time
avoiding any possible confusion caused by potential conflicts or
overlap with existing regulatory requirements.
A separate but equally important component of grid security is to
ensure that manufacturers of critical grid equipment and systems are
adequately fulfilling their security responsibilities by adopting good
security practices in their organizations, building security into their
products, and establishing effective programs so that, as new
vulnerabilities are discovered, they can inform customers and provide
technical assistance with mitigation. As grid technologies continue to
evolve, they inevitably will include greater use of digital controls.
Congress recognized the potential cyber security vulnerabilities, as
well as benefits, that could result from greater digitization of the
grid when it directed DOE to study these issues in Section 1309 of the
Energy Independence and Security Act of 2007.
As new smart grid technologies are developed, it will be imperative
for the industry to work closely with vendors and manufacturers to
ensure they understand that cyber security is essential so that cyber
security protections are incorporated into devices as much as possible.
It is equally critical that cyber security solutions be
incorporated into the architecture being developed for smart grid
solutions, so that the great benefits new smart grid technologies will
provide are implemented in a secure fashion. With smart grid solutions
in the early stages of development, opportunities exist to ensure this
vision is fulfilled. EEI supports the process currently underway at the
National Institute of Standards and Technology (NIST) to develop a
framework of standards that will become the foundation of a secure,
interoperable smart grid. EEI is encouraging the development of a
security certification program, through which smart grid components and
systems could undergo independent testing and receive a certification
that security tests had been passed. Such a program would help
utilities differentiate among different vendor solutions to select
those providing appropriate cyber security.
EEI agrees that it is appropriate for this Committee and Congress
to consider legislation providing federal energy regulators new
authority to address emergency cyber security threats. I want to
emphasize, however, that current law already provides the means to
address the many non-emergency cyber security issues in the electric
industry. Section 215 of the Federal Power Act (FPA), which this
Committee helped develop and which was enacted by Congress as part of
the Energy Policy Act of 2005, provides for mandatory and enforceable
electric reliability standards, specifically including standards to
address cyber security, under FERC oversight. Chairman Bingaman and
other Senators on this Committee should be commended for their work on
enacting Section 215 and other efforts to ensure the reliability of the
electric grid.
The basic construct of the relationship between FERC and NERC in
developing and enforcing reliability standards is sound. In summary,
NERC, using a well-defined stakeholder process that leverages the vast
technical expertise of the owners, users, and operators of the North
American electric grid, develops reliability standards, which are then
submitted to FERC for review and approval. Once approved by FERC, these
standards are legally binding and enforceable in the United States. Any
stakeholder, including FERC, may request that a standard be developed
to address some aspect of reliability, expressly including cyber
security.
I suggest the question on which the Committee should focus is,
``What additional authority should be provided to federal energy
regulators in order to promote clarity and focus in response to
emergency situations?'' Legislation in this area should complement, not
supplant, the mandatory reliability regime already established under
FPA Section 215, and any new federal authority should be appropriately
narrow and focused only on unique problems that cannot be addressed
under Section 215. The Section 215 mandatory reliability framework
reflects years of work and broad consensus reached by industry and
other stakeholders in order to ensure a robust, reliable grid. It
should not be undermined so early in its implementation.
While the open stakeholder processes now used for developing
industry-wide reliability and critical infrastructure protection
standards admittedly are not well-suited to emergencies requiring
immediate mandatory action with confidential handling of information,
it is important to note that the vast majority of cyber security issues
do not rise to the level of national security emergencies. Rather than
creating broad new federal regulatory authorities that could undermine
the consensus-driven policy framework developed through years of
stakeholder input and memorialized in section 215, legislation should
be focused on addressing a relatively narrow set of potential threats
that legitimately merit special federal emergency authority.
Because of its extraordinary nature and potentially broad impacts
on the electric system, any additional federal emergency authority in
this area should be used extremely judiciously. Legislation granting
such authority should be narrowly crafted and limited to address
circumstances where the President or his senior intelligence or
national security advisors determine there is an imminent threat to
national security or public welfare.
Also, the joint staff draft provides DOE and FERC with parallel
authorities to address cyber security threats and vulnerabilities,
respectively. The joint staff draft could be clarified and strengthened
by providing for a single agency to take expedited actions based on
advice or information from the President or intelligence agencies.
Federal legislation also should require that federal emergency
cyber security orders end when the emergency is past or NERC has
developed and FERC has approved a mandatory standard that handles the
situation. The joint staff draft provides a 90-day ``sunset'' for
emergency actions, unless FERC affirms or amends a rule or order after
receiving comments.
Any cyber security legislation should promote consultation with
industry stakeholders and owner-operators of the bulk power system on
remediation measures. The complexities of keeping a large,
interconnected system running safely cannot be understated.
Consultation is critical to improving cyber security while maintaining
safe and reliable utility operations. To the extent practicable, a
basic premise of existing law--involvement of industry experts to
develop mitigation measures--should be replicated for imminent cyber
security threats. Cyber security legislation should provide reasonable
opportunity for important industry consultation, without mandating a
consultation that could delay implementation of mitigation in an urgent
situation.
The consultation provisions of the joint staff draft are focused
mostly on after-the-fact consultation with owners, users and operators.
Without stronger requirements for prior consultation where possible
under the circumstances, it is more likely that federally-ordered
actions, developed under time pressure and without technical input from
affected entities, could cause unintended adverse consequences to
electric reliability.
It is also important to note that FERC has jurisdiction under FPA
section 215 over owners, users, and operators of the bulk power system,
the electric reliability organization (i.e., NERC), and regional
reliability entities. The scope of this authority is relatively broad,
including facilities and control systems that operate interconnected
electric transmission networks and generation needed to maintain
transmission reliability. However, the joint staff draft appears to
represent a further broadening of federal regulatory authority that
would extend to local distribution systems, which historically under
the FPA has been reserved for the jurisdiction of state regulatory
commissions.
CONCLUSION
While many cyber security issues are already being addressed under
current law, we believe it is appropriate to provide federal energy
regulators with explicit statutory authority to address cyber security
in a situation deemed sufficiently serious to require a Presidential
declaration of emergency. In such a situation, the legislation should
clarify the respective roles, responsibilities, and procedures of the
federal government and the industry, including those for handling
confidential information, to facilitate an expeditious response.
Any new authority should be complementary to existing authorities
under Section 215 of the Federal Power Act, which rely on industry
expertise as the foundation for developing reliability standards. Any
new authority should also be narrowly tailored to deal with real
emergencies; overly broad authority would undermine the collaborative
framework that is needed to further enhance security.
Promoting clearly defined roles and responsibilities, as well as
ongoing consultation and sharing of information between government and
the private sector, is the best approach to improving cyber security.
Each cyber security situation requires careful, collaborative
assessment and consultation regarding the potential consequences of
complex threats, as well as mitigation and preventive measures, with
owners, users, and operators of the bulk power system.
EEI and its member companies remain fully committed to working with
the government and industry partners to increase cyber security. EEI's
commitment to such coordinated efforts is illustrated by the broad
representation of industry stakeholder associations represented on the
joint statement on cyber security attached at the end of my testimony.
I appreciate the opportunity to appear today and would be happy to
answer any questions.
ATTACHMENT.--THE NORTH AMERICAN ELECTRIC POWER INDUSTRY'S TOP PRIORITY
IS A RELIABLE AND SECURE BULK POWER SYSTEM
The stakeholders of the electric power industry continue to work
closely and in partnership with governmental authorities at the
federal, state/provincial and local levels in both the United States
and Canada in order to maintain and improve upon the high level of
reliability consumers expect. Cyber security is an important element of
bulk power system reliability that the electric power industry takes
very seriously.
Electric Power Industry in Strong Partnership with Government
The electric power industry works closely with various government
agencies on bulk power system security. On an ongoing basis, we
communicate and collaborate in the United States with the Department of
Homeland Security, the Department of Energy, and the Federal Energy
Regulatory Commission (FERC), and in Canada with the various federal
and provincial authorities to gain needed information about potential
threats and vulnerabilities related to the bulk power system. The
electric power industry also works very closely with the North American
Electric Reliability Corporation (NERC) to develop mandatory
reliability standards, including cyber security standards. In addition,
NERC has an ``alert and advisory'' procedure that provides the electric
power industry with timely and actionable information to assure the
continued reliability and security of the bulk power system.
The Electric Power Industry Continuously Monitors and Acts Quickly to
Ensure Bulk Power System Reliability and Security
Every day, the electric power industry continuously monitors the
bulk power system and mitigates the effects of transmission grid
incidents--large and small. Consumers and government are rarely aware
of these incidents because of the sector's advance planning and
coordination activities which reflect the quick and often seamless
response the sector takes to address reliability and security events.
This response includes prevention and response/recovery strategies--
both are equally important. The industry's strong track record on
reliability and security continues as we work diligently to adhere to
mandatory NERC reliability standards, which are approved by FERC,
including standards that address cyber security.
NERC Flexible Standards Approval Processes Meet Majority of Grid
Challenges
NERC's industry-based and FERC-approved standards development
process yields mandatory standards for the bulk power system that are
clear, technically sound and enforceable, yet garner broad support
within the industry. NERC is striving to draw from the state-of-the-art
in cyber-security, through consideration of the National Institute of
Standards and Technology (NIST) framework for cyber-security, and to
integrate that framework into NERC's existing Critical Infrastructure
Protection standards. NERC has also made important revisions to its
standards development process by putting in place policies that allow,
when necessary, for the confidential and expedient development of
standards, including those related to cyber and physical security.
Emergency Cyber Situations Require an Expeditious and Efficient
Approach
If the federal government has actionable intelligence about an
imminent threat to the bulk power system, the electric power industry
is ready, willing and able to respond. We understand it may be
necessary for government authorities to issue an order, which could
require certain actions to be taken by the electric power industry. In
these limited circumstances, when time does not allow for classified
industry briefings and development of mitigation measures for a threat
or vulnerability, FERC in the United States and the appropriate
corresponding authorities in Canada should be the government agencies
that direct the electric power industry on the needed emergency
actions. These actions should only remain in effect until the threat
subsides or upon FERC approval of related NERC reliability standards.
In the United States, Section 215 of the Federal Power Act (Energy
Policy Act of 2005) invested FERC with a significant role in bulk power
system reliability, and it would be duplicative and inefficient to
recreate that responsibility at another agency. As FERC, NERC and the
electric power industry relationships move forward and mature in the
area of reliability and security, any disruption of this would be
counterproductive.
Improved Electric Power Industry-Government Partnership with Better
Information Flow
In nearly all situations the electric power industry can protect
the reliability and security of the bulk power system without
government intelligence information. However, in the limited
circumstances when the industry does need government intelligence
information on a particular threat or vulnerability, it is critical
that such information is timely and actionable. After receiving this
information, the electric power industry can then direct its expert
operators and cyber security staff to make the needed adjustments to
systems and networks to ensure the reliability and security of the bulk
power system. The electric power industry is fully committed to taking
the needed steps to maintain and improve bulk power system reliability
and security, and stands ready to work with Congress, FERC, other
government agencies and NERC on these critical issues.
SUPPORTING ASSOCIATIONS AND CONTACTS
American Public Power Association, Joy Ditto, [email protected]
Canadian Electricity Association, Bonnie Suchman,
[email protected]
Edison Electric Institute, Scott Aaronson, [email protected]
Electric Power Supply Association, Con Lass, [email protected]
Electricity Consumers Resource Council, John Anderson,
[email protected]
Large Public Power Council, Jessica Matlock, [email protected]
National Association of Regulatory Utility Commissioners, Charles Gray,
[email protected]
National Rural Electric Cooperative Association, Laura M. Schepis,
[email protected]
Transmission Access Policy Study Group, Deborah Sliz,
[email protected]
The Chairman. Thank you all for your excellent testimony.
Let me just ask a few questions and then defer to Senator
Murkowski.
Mr. Mosher, you point out, and I think several of the other
witnesses did as well, that the draft we have circulated here
has both FERC and the Department of Energy with new authority
to act on an emergency basis. You say that you think this could
be confusing and that APPA suggests that such emergency or
expedited authority be assigned to a single agency. Which of
the two?
Mr. Mosher. My recommendation is that the emergency
authority to issue orders should be assigned to the FERC and
that DOE should be given the lead role in the R&D and
communications process.
It's important, I think, to separate regulatory
responsibilities and penalties for enforcement for failure to
comply with government regulations, put that one agency and
then put the R&D, let's stretch the frontier responsibility, in
another organization. I think that DOE is very well situated. I
think we have immense opportunities to improve our
communications to get information from the Federal Government
to the industry, make it actionable, and I would hate to have a
conflict of interest there.
The Chairman. Mr. McClelland, do you agree with that way of
fixing the problem?
Mr. McClelland. If you could bear with me just for a
moment, I brought along a statistic, if I can find my
statistic. If I can't, I can almost recall it from memory.
I'd rather not comment on the capabilities of the
Department of Energy, but I would like to comment on the
Commission's capabilities.
The Commission is a regulator and it deals with industry.
Last year for instance, the Commission issued almost 9,000
orders to the affected entities, mostly to electric utilities.
We had over 400, close to 500, re-hearings. So we have a
process by which we can issue an order and then we can hold a
hearing to hear objections and come to a reasonable decision.
We initiated approximately 50 enforcement cases and settled, or
ended, 22 enforcement cases.
So the commission is well-situated as a regulatory
authority to make certain that measures, if you will, emergency
measures that may be applied get implemented. There is a
hearing and appeals process and then there is also an
enforcement arm for folks that may not be so inclined to follow
the Commission's directives.
The Chairman. All right. So, you think giving the
Commission authority to act in the face of immediate threats is
consistent with the authority they currently have, is that what
I'm understanding?
Mr. McClelland. It is authority--it's consistent with
implementation. The Commission has maintained all along that we
are not an intelligence or security organization. We work very
closely with the Department of Energy, we work closely with
Homeland Security, the Central Intelligence Agency, the
Department of Defense, Nuclear Regulatory Commission, on
intelligence matters.
Many of our folks, in my particular office, we're mostly
experienced electrical engineers from industry. So we use that
intelligence, we draw upon that intelligence. We have top-
secret and SCI clearances. We use that intelligence and
coordinate very closely with the agencies to subsequently work
with industry to try to address the vulnerabilities.
The Chairman. Let me ask you about one other point you made
in your testimony. This might be something of interest to
Senator Murkowski.
You say, ``Finally, Congress should be aware''--this is on
page 16 of your testimony, ``should be aware of the fact that
if additional reliability authority is limited to the areas
within the Commission's jurisdiction under section 215 of the
FPA, it would exclude protection against reliability threats in
Alaska and Hawaii and possibly the territories, including any
Federal installations located therein.'' You mentioned New York
City, as I understood it. Could you elaborate on that?
Mr. McClelland. Yes. Would you like the elaboration just to
the cities or----
The Chairman. Elaboration on all of it, please.
Mr. McClelland. The Defense Science Board, the Energy Task
Force, issued a report. It was entitled, ``More Fight--Less
Fuel'' and it was February 2008. One of the primary findings,
they didn't intend to arrive at this conclusion, but they
arrived at two primary conclusions. The second conclusion,
which is the one that they had not intended to reach, was that
the military's critical missions are overly dependent upon the
commercial power grid. The commercial power grid, in many
cases, the military installations do not have sufficient back
up, other than for a few hours on base for selected facilities.
That would speak very heavily--and there is also a
classified annex which we could not go into in an open forum,
but the classified annex named specific facilities that would
be at risk.
What we wanted to make certain of was that if Congress
chose the definition of, Bulk Power System under the Federal
Power Act, it would do so with a complete understanding that
Alaska, Hawaii, perhaps the territories, would not be included.
So we couldn't assure that mandatory actions would be taken, to
protect and to implement measures to protect the cyber security
of those systems.
In addition, the Federal Power Act allows some discretion
in the definition of bulk power system. One of the regions in
the Northeast has chose to define bulk power system to largely
exclude all facilities below 230,000 volts. In that particular
case, and they have that discretion, subject to the
Commission's review, that the process will take some time to
sort through. It could take years to sort through. That
discretion essentially opts out all of New York City.
If other entities or other regions exercise that same
definition, then major population areas would be excluded from
cyber security protection that the Commission might employ
under that definition under the Federal Power Act.
The Chairman. So, you're suggesting that we clarify what
the definition needs to be under the Federal Power Act to deal
with that problem and we also clarify that, if there is an
additional emergency authority given to FERC, that it not be
restricted just to the section 215.
Mr. McClelland. No. I'm sorry, I probably wasn't clear.
We're going to keep working at section 215 definition of bulk
power system. The Commission does have an ability to initiate
proceedings and to clarify and issue directives on the
definition of bulk power system. It's just a time-consuming
process.
However, in a matter that affects national security, where
timely action and targeted action is critical, for instance to
the success of the military missions of the Department of
Defense, that definition is not acceptable. What we have asked
this committee to consider is that it not use that definition
of bulk power system and initiate a separate definition that
would clearly delineate where the Commission's authorities were
under these emergency actions.
The Chairman. OK. Let me defer to Senator Murkowski for
questions.
Senator Murkowski. Mr. Chairman, I appreciate you bringing
up both aspects. Certainly, the clarification on the Alaska,
Hawaii, and territories issue, but also to better understand
that, inadvertently perhaps, through our definition, we could
be laying vulnerable some of the larger cities, whether it be
Washington DC or New York.
Mr. Owens. Senator, may I just--if I might.
Senator Murkowski. Yes, Mr. Owens.
Mr. Owens. I don't necessarily agree with Mr. McClelland's
explanation. Let me see if I understand whether there is a gap
here in regulation.
When he was describing the city of New York, I believe that
he's describing local distribution issues, which I believe are
fairly handled by the companies and the State agencies. I don't
see a gap in their ability to respond to emergency situations.
They understand those systems extremely well. They work very
closely with the utility systems. They have a process where the
government and the industry clearly understand their respective
roles.
I don't believe there's any evidence to indicate that there
has been a failure of those agencies or those utilities to be
responsive to national threat. I would go back to 9/11 to just
suggest that you, where I believe that we all applauded the
efforts of the city of New York.
So, I don't necessarily agree with Mr. McClelland that we
need to extend FERC's jurisdiction all the way down to the
distribution level.
Senator Murkowski. I want to make sure that I clearly
understand this discussion because I think it is very, very
important.
Now, what you're suggesting, Mr. Owens, is that, through
the local distribution system, it has to be handled, and we
don't need to worry about it.
Mr. Owens. That's correct.
Senator Murkowski. As I understood, what we are attempting
to do through this legislation, is to allow for that authority
to the FERC, if that vulnerability is present.
But you're suggesting, Mr. McClelland, if we limit it to
the bulk power system, then we will not have the ability for
the FERC to intervene. Is that correct?
Mr. McClelland. Yes. I guess I would like to clarify. I'm
not certain that I've made my point clear.
Downtown New York City is served by a network of 138,000
volt facilities. If it's Congress' expectation that a
population center like downtown New York City would be covered
under an emergency provision like this, in other words that the
Commission would be able to implement mitigation measures that
would protect against cyber security threats and vulnerability
and New York City would be covered, then that would not occur
under the current definition of bulk power system in the
Northeast.
Senator Murkowski. Under the definition currently included
in this legislation or the definition that we are currently
operating under?
Mr. McClelland. The definition that we are currently
operating under in section 215 of the Federal Power Act.
So, my point was to make certain that if the committee
chose to exercise or to use the definition of bulk power
system, as it's used in section 215, it is subject to the
interpretation and application of the regional entities. In
this particular case, the regional entity has excluded the
network, the 138,000 volt network, that serves downtown New
York City and other major facilities such, I believe there are
some nuclear power plants that are also excluded from
regulation, interconnections with those nuclear power plants.
So I think it's an important distinction to make.
Senator Murkowski. Mr. Sergel.
Mr. Sergel. Thank you, Senator Murkowski. If we start, I
think, from section 215 that was put in place, perhaps that
will make it easier.
The Congress did just a fabulous job there, and I really
believe that, in defining the bulk power system as the users
and owners and operators of the bulk power system and left it
at that.
It has been the task of NERC, working with the Federal
Energy Regulatory Commission, to determine what precisely is
meant by the bulk power system. It is not defined, per se, nor
should it have been. But the law goes on to particularly
exclude distribution facilities. So, it's users and owners of
the bulk power system and the law specifically excludes
distribution.
What Mr. McClelland is saying is that, from time to time,
we find ourselves where that is problematic. What a surprise
that we find that it is problematic with respect to New York
City, where the number of distribution facilities are so
significant and the level, and sort of the voltage level, at
which they conduct business at distribution is so high. So, as
a consequence, it is a particular example of where it is a
challenge to determine. It does not mean that it is per se
excluded under that definition. We continue to work on that.
Senator Murkowski. I am going to move on because my time
has expired. I don't know whether we've clarified the issue or
further muddied it, but it sounds like we do need to work on
this just a little bit more.
Senator Shaheen.
Senator Shaheen. I actually would like to switch topics,
since I'm not any clearer on the answer to the previous
question.
I want to talk a little bit about standards because most of
you mentioned those in your remarks and this issue of adequate
standards as we are looking to change our energy foundation in
this country has come up time and time again.
So, I guess my first question to you, Mr. McClelland, is
you've stated in your testimony that the Department of Energy
views--actually I guess maybe I should direct this to Ms.
Hoffman. The Department of Energy views the development of
interoperability standards for Smart Grid technologies that
include cyber security protections as a key milestone. How
close are we to achieving that milestone and what kind of
progress has been made and what more do we need to do in order
to get there?
Ms. Hoffman. The National Institute of Standards and
Technologies convened a workshop on April 28th and 29th to look
at interoperability standards. One of the domains that was
discussed was cyber security standards. NIST will hold another
workshop May 19th and 20th to continue that discussion of
standards.
So, the standards process is moving as quickly as possible.
In the meantime, the Department of Energy has been working with
utility vendors to look at procurement strategies so that, as
utilities purchase Smart Grid technologies, they will have
current strategies to define what some of those cyber security
requirements should be in the interim, until the standards are
developed.
Senator Shaheen. Would anybody else like to address where
you think we are? Mr. Owens, you mentioned standards in your
testimony as well.
Mr. Owens. We are working very closely with Department of
Energy. In fact, I would even suggest that there's going to be
an important meeting on May the 18th, where we are going to
talk about some of the NIST standards and how we can move
forward in interoperability and we're very much in support of
the direction that has been carved out.
Senator Shaheen. Were you suggesting that there be
independent testing, separate from NIST, and how would you
envision that operating?
Mr. Owens. Yes. NIST is really complementary. When I spoke
to the independent testing of the various components that would
be comprising the Smart Grid, I was really speaking to the fact
that, in the absence of the NIST interoperability standards
right now, because the utility systems are beginning to move
aggressively toward Smart Grid, that we have a way that we can
verify that the technologies, the devices that are being
installed in our systems, are really cyber secure. That they've
gone through some independent testing, that we have a set of
standards that they have to meet. So that, when we integrate
them into the grid, we have a comfort level that those
facilities will not pose additional cyber vulnerabilities.
Senator Shaheen. So, again, how do you envision that kind
of independent testing? Would there be standards that the
manufacturer would have to meet?
Mr. Owens. It would be a set of standards that would be
developed and the manufacturers would be held to those set of
standards. There would be an independent tester that would make
sure that those component devices are consistent with the
standards.
If they're not consistent with the standards, obviously the
utility would say we don't want to install that piece of
equipment into our overall system because we're creating a
potential cyber vulnerability because it hasn't met the test.
So, it would be like a Good Housekeeping, Good Housekeeping
seal of approval. All vendors would have to comply. That is
actually what NIST is trying to do and this is complementary to
what NIST does, but recognizing that many of our systems are
already beginning to put in Smart meters and other elements to
the Smart Grid. We're suggesting that we try to do something
right away to make sure that there is consistency and that we
are not subjecting our system to cyber vulnerabilities.
Senator Shaheen. Do you have a proposal for who should do
that independent testing, who should be responsible for it?
Mr. Owens. No, I do not.
Senator Shaheen. Anyone else?
Ms. Hoffman. I think it's a great opportunity for the
market to develop capability in the testing and the
verification.
Mr. Owens. I would agree with that response.
Senator Shaheen. Thank you.
Senator Murkowski. Senator Corker.
Senator Corker. Thank you very much and thank all of you
for your testimony.
Mr. McClelland, I think the Chairman asked you about
whether you should or should not have the ultimate singular
authority to take actions on an emergency or expedited basis.
It was a pretty long answer and I think you were saying yes,
but I'd like yes/no answer.
Mr. McClelland. The Commission has requested that
authority, yes.
Senator Corker. So, the answer is yes.
I noticed, Ms. Hoffman, in your opening testimony that
Department of Energy is taking no position on this legislation
which, by the way, I find to be kind of odd, since this is sort
of in your wheelhouse. I don't know whether it's just due to
lack of staffing right now or what, but in the event the
legislation was changed so that FERC had solely that
responsibility, would Department of Energy wish to weigh-in on
the legislation at that time or does it agree with that
proposition?
Ms. Hoffman. You're correct, Senator. The Department does
not have a position on the legislation at this time. However,
with all emergencies within the Federal Government,
coordination and consultation are very critical in making sure
that everyone is on the same page with actions and responses.
Senator Corker. But consultation is interesting and we like
that too, I'm sure, but at the end of the day, are you agreeing
with the proposition that FERC should have, in an emergency you
can't have two or three folks, I assume, as mentioned by
others, issuing conflicting direction. You are agreeing then,
by lack of weighing-in, that FERC should have this
responsibility?
Ms. Hoffman. The Department does not have a position at
this time. I know the Secretary is committed to working with
the Administration on the goals and responsibilities, including
determining who should have that authority.
Senator Corker. But this legislation is going to determine
that authority. So, let me just, as a follow-up, could you get
the Secretary to tell us, yes/no, whether FERC should have this
responsibility by itself?
I do think it's problematic, when we're looking at
emergency issues, to have two organizations involved that could
issue conflicting direction. Could you get the Secretary to
tell us yes/no, whether it ought to be FERC or DOE? I think
most of us would probably be uncomfortable with both.
Ms. Hoffman. Sir, I can take the question for the record.
[The information follows:]
Senator Corker, when the Department of Energy and FERC were
established by the Department of Energy Organization Act, the Secretary
was given the authority to issue orders during an emergency for the
interconnection of facilities, generation, delivery, interchange, or
transmission of electric energy. FERC was given Federal Power Act (FPA)
authority to establish, review and enforce rates and charges for the
transmission and sale of electricity. DOE believes that these divisions
of FPA authority properly place the regulatory rate making
responsibilities of the FPA with FERC, and the authority to make
national emergency determinations with DOE.
The authority to determine whether an emergency exists under
section 202(c) of the FPA (16 U.S.C. Sec. 824a(c)) is a secretarial
authority which may be invoked by the Secretary of Energy upon the
Secretary's own motion or upon complaint. It is DOE's position that the
extraordinary authority to direct immediate emergency actions to
respond to and protect against particular immediate cyber risks,
whether they are identified as imminent threats or vulnerabilities,
should be vested in the Department of Energy. For several reasons, we
believe this emergency authority should be exercised by DOE, rather
than by an independent regulatory agency such as FERC.
Since 1977, when the Department of Energy Organization Act created
both DOE and FERC, the FPA section 202 emergency authority has been
vested in DOE. Throughout Administrations involving several different
Presidents and both parties, the Department has used this authority
judiciously but effectively to address particular situations in which
such an order was necessary to help ensure reliable supplies of
electric energy.
The Department has demonstrated that, when circumstances warrant,
it can exercise the section 202 emergency interconnection authority
very quickly. For example, on August 14, 2003, when the largest
electrical blackout in the history of North America occurred, DOE
exercised its section 202 authority by issuing an emergency
interconnection order only hours after the blackout occurred. It was
able to do so, in part, because the Secretary of Energy can issue
section 202 orders unilaterally, and need not convene meetings or
collect votes of other officeholders before exercising that emergency
authority.
New authority to deal with cyber emergencies also could be
exercised quickly and effectively by DOE. Moreover, we believe that an
extraordinary authority such as this is appropriately placed in a
cabinet department whose head is fully accountable to the President.
Independent agencies are just that, independent, with respect to many
decisions, and while that certainly is appropriate with respect to many
matters, we believe the exercise of emergency authority is not one of
those matters.
Finally, DOE is the agency that is most likely to develop or obtain
knowledge--either on its own or as a member of the intelligence
community (IC)--with respect to threats or vulnerabilities that might
give rise to the need for an emergency order. DOE regularly
participates with the other agencies who are members of the IC on a
variety of initiatives. It makes sense to vest an authority to act on
that information with the agency that is most likely to develop or have
knowledge about it, and that agency is DOE.
FERC should be authorized, after consultation with DOE, to issue
expedited reliability standards under section 216 of the FPA to respond
to cyber risks.
Ms. Hoffman. I would like to bring up emergency versus
vulnerability. The legislation brings up two aspects, one of
which is emergency authority with the determination that there
is actually a threat out there. The vulnerability part of the
language, as we read it, provides for an interim measure: if
there is a vulnerability that is discovered within the electric
sector, then there is action that may need to be taken on that
vulnerability, if that vulnerability is determined to have a
potentially significant impact to the electric sector.
So, one actually looks at a threat environment, and the
other one actually looks at a vulnerability that may be
discovered for which it may be prudent to take action on a
near-term accelerated basis.
Senator Corker. So, since there is a difference, are you
saying that DOE should look at the vulnerability issue and FERC
should command in the event of an emergency, is that what
you're saying? Or are you not going to weigh-in again?
Ms. Hoffman. The Department does not have a position at
this time.
Senator Corker. That's interesting. I assume there's some
staffing issues that maybe caused this and I certainly don't
want to in any way embarrass you. If you could maybe get
whoever it is that would like to weigh-in, to weigh-in on
behalf of the Department at the appropriate time before we pass
this out of committee, which I assume is going to be like in a
week, is that correct?
Senator Murkowski. I think it is scheduled for next week.
Senator Corker. That would be helpful to everybody. We
obviously want to work, as you mentioned, in cooperation.
Did you want to say something, Mr. McClelland?
Mr. McClelland. Yes. I would like to say that the draft
bill does make an important distinction between the
responsibilities of the Department of Energy and the FERC. The
bill designates the ability to address vulnerabilities to FERC
and threats to the Department of Energy.
So, in this particular draft, the Commission staff didn't
necessarily see a conflict or an overlap between the Department
of Energy's role and FERC's role.
Senator Corker. The industry folks agree with that?
Mr. Owens. We think that needs to certainly be a clear
understanding of who deals with cyber threats. So, if that's
the Department of Energy or FERC, as long as there's a single
agency, a clearly defined authority. With respect to cyber
vulnerabilities, I believe FERC already has the responsibility
and they have been implementing elements of that through their
standards under section 215 of the Federal Power Act.
Senator Corker. Mr. Sergel, you mentioned that y'all were
working on some of the definitional issues that, you know, New
York City has been thrown out multiple times during the course
of this testimony, that y'all were working on the definitional
language and that's evolving.
However, since this legislation is to focus on cyber
security and other kinds of things, would it be relevant for us
to work out that definitional language in advance of passing
this legislation or just leaving it somewhat abstract when, in
essence--I guess we're trying to figure out a way to actually
deal with real threats that exist. I'm just curious as to what
your response might be to that.
Mr. Sergel. We are attempting to work out the precise lines
of the definition between distribution, which is excluded from
section 215, and the bulk power system in which we have
authority. There are, not a long list, but certainly a list of
places where it's difficult, New York being the best example.
I think the question on the distribution side goes more to
the necessity of the authority that you want to grant in an
emergency as opposed to that.
So if, in fact, the authority of the--to act in an
emergency is intended to cover everyone, and you wish to do
that in this legislation, you would want to then specify who
that is and it would extend, for example, to those places that
are not interconnected with the United States, excluded from
section 215, Alaska and Hawaii and Guam, not interconnected. So
you would be extending the definition from 215.
If you just think of it, 215 is covering a portion, the
largest facilities, the largest lines, but it doesn't include
distribution. So, I would think you would want to say, what do
you what to include. I would go from 215 and then I would
decide what you were going to add. It's 215 plus.
If it was all of distribution, my own view is that all of
distribution is a reach, that that is not necessary here. But
then, at the same time, I understand where it should be broader
than the current definition of 215. Alaska, Guam, Hawaii,
potentially very large metropolitan areas like New York and
Washington which--military facilities, but I would add. I would
start from the definition of 215 and decide how much to add. If
you decided to add all of distribution, that would be one way
to do it.
Senator Corker. Madam Chairman, is it OK if I continue to
listen?
Senator Murkowski. Yes, that's fine.
Senator Corker. OK. Mr. Mosher.
Mr. Mosher. Yes, thank you, Senator. I would suggest that
the committee look and think seriously about starting in the
other direction and figuring out which customers you are trying
to protect and you're most concerted about.
Rather than encompassing all of distribution, if you're
concerned about New York City or Washington DC or military
facilities, then you need to talk--for example, starting with
military, with the base, commanders there, identify their
vulnerabilities an then assign authority or set up regulations
that would ensure that those particular facilities are
protected. That involves the relationship between the
particular distributing utility and the customer.
Now, New York City and Washington DC I know are areas of
particular concern. Frankly, I think that bulk power
reliability standards and the authority that is contemplated
for the Commission will, in fact, cause the utilities that
serve those areas to adopt standards and policies and to train
their personnel so that they will have cyber protection for the
entirety of the enterprise. That's the underlying part of the
NIST framework, is that it is not a facility-specific program,
that is NIST for cyber security.
Its about protecting your entire enterprise and making sure
there is no backdoor way of attacking the system. If you do it
for the entire utility, you are indirectly going to protect the
distribution facilities as a part of it.
Senator Corker. I know my time is way beyond over. Thank
each of you for your testimony.
I hope that what you may consider is that, my sense is that
we are going to have a markup on this very soon, is that, on
the definitional issue we just discussed, but also the
definitional issue of critical electric infrastructure and
cyber security threat, those two terms. I would encourage each
of you to submit to us some clarifications that you think might
be helpful to us.
Again, Ms. Hoffman, thank you very much for being a good
soldier today and hopefully somebody from the Department will
respond to the questions.
Thank you all very much.
Senator Murkowski. Thank you, Senator Corker. I think it is
important to note that we do have this on schedule for next
Wednesday for potential markup, if all goes as planned.
I think you have raised some good issues here today. It is
important to try to get that input from the Department and we
recognize that there is a lot happening, not the least of which
is that people aren't entirely in place and perhaps might not
be focused on this, but we are trying to move on it.
I might note, and it may have been already brought up by
the chairman, but we are not the only committee looking at the
issue of cyber security. There is legislation out there that
would have FERC be consulting with Department of Homeland
Security. You have also legislation coming out of the Commerce
Committee where it would be the Secretary of Commerce that is
providing the direction. You've got another bill that would
establish an Office of National Cyber Security Adviser within
the executive branch. So, it's kind of all over the board right
now.
I guess I'll throw-out this question to all of you. There
has been some discussion about whether or not we need a cyber
security czar. Is that where you go with it, Mr. Mosher?
Mr. Mosher. My view is that the committee ought to focus
here on the particular concerns of the electric power industry
and solve those as surgically as you can, because the issue of
cyber security is so much bigger than the electric power
industry.
The Federal Government, the executive branch, and Congress
need to come to a meeting of the minds of what that Federal
Government strategy is. Then you could do a comprehensive
strategy, whether it entails a cyber czar in the White House
with a special office there, whether the authority is assigned
to NSA, or whether it is shared with DHS. Those are sort of
level issues that are, frankly, much beyond our paygrade.
But we would like to see that our particular vulnerability
issues and authority issues are resolved pretty quickly. We
certainly are willing to work with the Congress to resolve that
as quickly as we can. We hope that we can work with you to get
something that we can all agree upon as part of the
comprehensive energy bill.
Senator Murkowski. Mr. Sergel.
Mr. Sergel. Thank you. I agree with Allen, but not just
overall, but within the specific confines of this bill as well.
That the emergency authority for cyber security is extremely
important to us. We need that. It is important to complement
our standards. Our standards are incomplete without that
authority.
So, it is taking action on those things that we can do
today to protect the bulk power system in that situation.
Certainly we will work to get our definitions as precise as we
can, to make that as effective--but it is to do that portion of
it that is so important. There's always the broader and larger
picture, but for this industry we need emergency authority
granted to a single agency.
Senator Murkowski. Now, that's fair and I appreciate that.
I was reading an article here that was posted in the Wall
Street Journal this morning and it attracts my attention
because it details a report that the air traffic data systems
in Alaska were shut-down by hackers. You know, when you're a
State like mine where everybody flies and you've got your air
traffic control systems that have been breached, this is a real
problem.
Not to suggest that it is greater than the electrical, we
recognize in today's world where we are connected in many
different ways, there is a level of vulnerability in our day-
to-day lives that we could never have imagined a couple of
decades ago. So, whether it is occurring with air traffic
control or electricity or just security in general.
Let me ask a question. We did not address this in our
legislation, but it's the issue of the potential costs. There
has been some concern expressed with the cost of compliance,
whether it's an emergency order through DOE or FERC's expedited
rules, and the concern that merchant suppliers can't pass these
costs on that they need to incur in order to address the cyber
security threats.
Do we just consider these costs as part of doing business
in today's world or should there be some kind of cost recovery
mechanism included in our legislation? Because, as I said, we
have not included it, but what's your position, Mr. Sergel?
Mr. Sergel. Just two things from me and then I'll turn it
over to David Owen.
First, the way standards are set under section 215 with the
industry participating assures that the costs of taking an
action are incorporated in the decision itself. Because it's
part of the process and it's reflected there and it's very
important.
The second is that 215 address the bulk power system
because it is the priority, it is the one in which we're most
in danger. I point to the length of time--we had an event in
Florida and it was over in an hour; whereas, the August 2003
blackout, it took days to recover from that same event in many
places. So, it is very important that we deal with the bulk
power system, large scale, are whole orders of magnitude
greater concern.
So, from the standpoint of what it costs, let the standards
and processes we have today do the job and focus on the bulk
power system. It is where the highest priority is. So, for
costs, those would be my suggestions.
Senator Murkowski. Mr. Owens
Mr. Owens. Soon after 9/11, FERC adopted a policy because
it recognized that companies wanted to secure their systems.
They said, in emergency situations, they would focus on getting
you cost recovery.
So, I think it's very, very appropriate for merchant
generators, who don't serve retail customers and don't go
before State PUC, that to the degree that we're responding to
emergency standards, standards relating to cyber, to reduce
cyber vulnerabilities and so forth, it is very, very
appropriate that they get cost recovery. I think that is very
consistent with how FERC has dealt with issues in the past.
Senator Murkowski. Mr. McClelland.
Mr. McClelland. I'd like to add to that. In fact, David
stole my thunder. The Commission did issue a policy statement
after 9/11 that said it would prioritize cost recovery filings
for security reasons, for security aspects. So, the Commission
is very aware of that.
As a staff member, I can say that it seems reasonable and I
would support, as a staff member, support cost recovery filings
in order to comply with measures necessary to protect the bulk
power system, be they cyber or be they physical.
If I could just stir the pot back up again, because it
seems like it's settled down a bit too much, back to the issue
as far as the definition of bulk power system. Smart Grid
actually would enable a new type of attack vector. Rick has
talked about the priority associated with the bulk power
system, but if you could imagine many millions and millions of
distribution meters being installed on the Smart Grid that have
a two-way communication capability and would be interacting,
perhaps, back to an ISO or some central control center, that is
another path, and a substantial path, for compromise. There are
several different attack vectors that can be associated with
the installation of those type meters.
So, it's a complex issue. It's ever-changing.
Senator Murkowski. Do we need additional Federal authority
as we reckon with the complications, as we look at the Smart
Grid?
Mr. McClelland. I think the committee needs to consider
that aspect and I think it needs to be well-aware that, as
Smart Grid is implemented, and as these devices, these formerly
dumb appliances that couldn't communicate now can communicate
in two directions, any time there's two-way communication,
there's a chance for cyber compromise.
The current draft does go through the distribution levels,
so it appears to be a mechanism by which Smart Grid could be
addressed. But it would be an expansion, a significant
expansion, of the Commission's authority, if the Commission
were selected as a lead agency to implement these mitigation
measures for the vulnerabilities.
Mr. Mosher. If I may?
Senator Murkowski. Senator Shaheen.
Mr. Mosher. Very briefly. The Commission has no rate
jurisdiction over distribution.
Mr. McClelland. That's right.
Mr. Mosher. So, if the costs are incurred at the
distribution level, then this should be something before the
State public utility commissions.
Also the mechanisms for guaranteed rate recovery for
independent power producers does give public power systems some
heartburn. I'll leave it at that.
Senator Murkowski. Senator Shaheen
Senator Shaheen. Thank you. I want to go back to the
definition because I guess I'm a little confused by the
previous exchange.
Because, as I look at the bill, it defines critical
electric infrastructure and would amend the Federal Power Act
and it seems to me it is a pretty comprehensive definition
because it defines it as ``systems and assets, whether physical
or virtual, used for the generation, transmission, or
distribution of electric energy affecting interstate commerce
that is determined by the Commission or Secretary'' however
that gets resolved ``are so vital to the United States that the
incapacity or destruction of the systems and assets would have
a debilitating impact on national security, national economic
security, or national public health or safety.''
I mean, I guess, as I read this definition, it would
address the concerns that you all were raising. Do you think
that that definition is not adequate? If it were adopted in the
bill.
Mr. Sergel. The definition in the draft legislation is the
broadest one possible.
Senator Shaheen. Right.
Mr. Sergel. You're are absolutely correct. It does not need
to be broader to increase the protections.
The current section 215 covers only the bulk power system,
the largest lines and plants, and the interconnected system in
the United States; therefore excluding both distribution and
Guam, Alaska, Hawaii as well.
Senator Shaheen. Right.
Mr. Sergel. I think NERCs position on this is that we start
from the bulk power system because it is the highest priority
that needs to be protected. Then additions to that definition
to expand it should be carefully done, because the authority
being granted here is so great.
Now, there's two different components of the draft. One
component of the draft is for emergency authority and, on that,
I would say----
Senator Shaheen. Which is the definition I just read.
Mr. Sergel. Yes. So, as it relates to giving emergency
authority on that expanded definition, we will all work to make
sure that we understand how that should be done and how it
should be done effectively.
For example then, when you move to the vulnerabilities
language, I would be willing to say I think that definition is
too broad for the vulnerabilities language because it would
give the authority to order distribution, order distribution
companies to take actions from the Federal Government which is
not in place today.
So I think that definition is broad enough to protect for
cyber security but is actually a reach too far with respect to
standard setting. On emergency authority, it is logical. On
standard setting, it is a reach too far.
Senator Shaheen. So, is everyone on the panel in agreement
that, in terms of a definition for an emergency situation, that
that definition is adequate? Or is there some objection from
the rest of you that that's going too far?
Mr. Mosher. It is my view that the definition goes too far
on distribution, even for emergency authority. To have a
regulatory program that is actually going to be effective, I
can see it cratering just in the number of entities that the
Commission would have to preestablish communication pathways to
make it work. If it has an authority to issue an emergency
order, then it presumably needs to know it's going to contact.
If it has to contact all of the roughly 1,650, one thousand six
hundred and fifty, municipal systems in the country that are
not on the NERC compliance registry, then the FERC would have
to establish who that contact person is, what clearances they
have, and have the ability to execute it. Now----
Senator Shaheen. If there's a current emergency----
Mr. Mosher. I'm sorry.
Senator Shaheen. If there is a current emergency, how does
that work? I mean, right now in the absence of this kind of
legislation to address cyber security, if there were an
emergency effecting the municipal utilities, how would that be
communicated to them?
Mr. Mosher. Today, within the scope of NERC's authority,
they're communicating primarily with the registered entities.
We are working to expand their ability to communicate through
the ESISAC, the Electricity Sector Information Sharing and
Analysis Center, excuse me for the acronym. We will be
improving it and have voluntary communications that well reach
basically all municipals over time, but it is not in place yet.
We, again, are trying to prioritize getting the
communications down where the risks are the greatest, which are
in the larger communities.
My concern is not in the emergency authority, but it is the
regulatory hooks that come with it and the effectiveness of the
communication to make sure that, for example, when Joe sends
out a directive, he needs to know if the other person on the
other end of the line has a security clearance. I know for a
fact that we can't get security clearances for all of these
entities. It would just overwhelm the capability of the FBI to
do, to get all of the clearances done. People change jobs and,
you know, people are performing multiple functions. It just
isn't going to work.
I am suggesting a more targeted approach going to defense
establishments and to addressing whatever concerns you have
with large cities. That could be the way of focusing, that
would be my recommendation.
Senator Murkowski. Mr. McClelland.
Mr. McClelland. When we meet as Federal agencies and we
discuss cyber security and cyber security issues that would
affect the electric utility industry, when we speak about the
electric utility industry, we say they're out in the wild. The
reason why we say that they're out in the wild is that they
don't have information regarding the current threats and the
current activities that are being propagated on the electric
grid.
One thing I would like to address that Allen had said was
that we needed a security clearance or would need a security
clearance to communicate with entities. Our assumption would be
that if we broadcast the information out to a large number of
entities, forget it. That information will be disclosed. So the
advisories or the orders that we would issue, the advisories
that NERC crafts and the orders that we would issue, would be
carefully crafted so as not to compromise national security,
but would provide clear direction.
The testimony that I gave today, the oral and written
testimony, was merely intended to reflect the fact, or inform
the committee, that there is a clear distinction between--there
is a limitation under 215 as to how far the Commission can
reach.
The Staff Draft, however, went much further and captures
even distribution. That capturing in effect, or that effect,
would in turn capture the Smart Grid meters, the meters that
would be deployed. We didn't address the complexities
associated with an agency and exercising that control. But the
definition seems to, and the testimony is intended to say, that
the definition is very broad. If the committee intends to move
in that direction, the committee should understand that Alaska,
Hawaii, the territories, and the larger urban areas should be
captured, from the Commission's perspective, and that we were
advising you in regard to that definition.
In other words, the definition appears to be adequate and
separate from the definition of bulk power systems in 215.
Senator Shaheen. But that's why I'm still confused.
Because, if the definition says it would cover any system that
would have a debilitating impact on national security, economic
security, public health or safety, why would that not then
effect Alaska, Hawaii, and the territories?
Mr. McClelland. I think the question would be what was
intended by the draft and how does the Federal Power Act
capture Hawaii--Alaska and Hawaii and the territories.
Senator Shaheen. So, do you also share the concern
expressed by others on the panel that this definition is too
broad?
Mr. McClelland. It depends on what the intent of the
committee is. If the intention or the direction of the
committee is to ensure that the agencies, the Department of
Energy and the Federal Energy Regulatory Commission, would have
sufficient authority to be able to address cyber security
threats that could affect the United States, could impact the
mission of the Department of Defense, the military facilities,
then no. I would say no, the definition is not too broad, if
you intend to capture Alaska and Hawaii and the territories.
If, however, you intend to limit it to say, the continental
United States, in just the definition of bulk power system
under 215, then you should be advised that there are
limitations with that definition and complexities associated
with the interpretation and the administration of that
definition.
That, in and of itself, if one is speaking about national
security, that could render the actions ineffective. If there
is disagreement about where it applies and how it applies and
whether or not it goes to a downtown urban area and there is
some room for interpretation or discretion, you really can't be
sure that the directive you've issued will be effective to
address the cyber security concerns.
Mr. Owens. Senator, can I try to just simplify this? I
think we are making it a little bit too complicated.
You asked if the definition is too broad. If you are
seeking to define a national emergency and you know the
components that make the electric system, the definition covers
the broadest of the electric system.
But then if you're speaking to how do I define a cyber
vulnerability and what is the level or the scope of authority
of the Department of Energy and the Federal Energy Regulatory
Commission, you are raising a different set of issues. So, we
have to separate cyber threat from cyber vulnerability. In a
cyber threat, you certainly do, even Allen's members want to
know, that if there is a cyber threat it needs to be well-
communicated to them so they can take corrective action, so we
don't have widespread disruption.
So I don't think anybody has a problem with that. We need
to make sure that there is a single agency that has that
responsibility and we are clear and there is ongoing
communication with the utility and people that have security
clearances, so they can huddle together and say, here the
solutions to deal with this immediate threat.
Senator Shaheen. OK. Can I stop you right there? Because
that is not what I heard Mr. Mosher say.
Mr. Owens. No, I just changed it a little to say----
Senator Shaheen. Yes, you did. Do you agree with what he
just said?
Mr. Mosher. Yes, I do. If you're talking about
communication----
Mr. Owens. Yes.
Mr. Mosher [continuing]. Then I agree and what David was
saying is we get the experts together talking to the Federal
Government, experts from the industry, experts from the
government, distill the threat down to something that is
actionable.
Mr. Owens. Exactly.
Mr. Mosher. Take out, because of a need-to-know basis, take
out all of the underlying threat information that should be
classified, tell the entities what to do.
Mr. Owens. Exactly.
Mr. Mosher. That can be communicated. Now the question
where we may differ is on whether there is a regulatory
structure that is imposed upon this to say that if the entity
that receives the information does not comply, then there will
be sanctions.
Mr. Owens. Exactly.
Mr. Mosher. it's when you get to the sanctions that the
process breaks down because the regulatory burden increases.
The entities that receive this information are going to respond
to it, but they're very different in their capabilities to
respond to this information. They are different in the
vulnerabilities that they present to the Nation. Small
municipals with one stoplight aren't in the same category as
PEPCO.
Mr. Owens. That's right.
Senator Murkowski. Senator Corker.
Senator Corker. I think this hearing is coming to a close
pretty soon and we've got a four page bill, OK. It's not like--
it's pretty short.
I think we've found through this Q&A time that it maybe
doesn't adequately address some of the definitional issues that
are important to each of you that actually have to do this on a
daily basis and you're asking what the intent of the committee
is.
Look, I mean, we're Senators. You know, let's face it, we
do not understand fully, as each of you do, and that's why
you're here, exactly how this language effects you on a daily
basis. I think our concern is--we're concerned about cyber
security, OK? We're concerned about making sure that Americans,
including those in Hawaii and Alaska, wake up and have power to
do the things they need to do and that our country has the
ability, through its military, to do things necessary.
So, I would suggest that the four of you, and if the DOE
determines it wants to weigh-in, and I think it might, that
y'all take these four pages and make it work and give us the
input back. Even if it's six pages, OK, to sort of deal with
this. I mean, it's evident that you guys have a wealth of
knowledge that we don't, that's why you're here. I would just
ask you to help us with this. Because it sounds like that we,
in some ways, in trying to solve this problem and could raise
more questions than answers.
So I'll conclude with this, at least my portion of it. Mr.
McClelland, you mentioned that there are issues in addition to
cyber security that we need to be addressing. That there are
other national security threats to reliability and I'm
wondering if, in this little four-pager that we have, that
could be five, six, seven, eight, are there are other powers,
as it relates to the reliability side, that you feel like we
ought to be addressing for FERC right now?
Mr. McClelland. Is that a question now?
Senator Corker. Yes.
Mr. McClelland. Oh, I'm sorry.
Senator Corker. That wasn't a yes/no one, that was a----
Mr. McClelland. Oh, yes.
Senator Corker. No, no, no. That was not a yes/no one, OK.
Mr. McClelland. Yes, there are. Our point in the oral
remarks and the written testimony is that there are physical
attacks that can occur on the power grid and those attacks can
be just as devastating as cyber attacks.
So if Congress would entrust an agency to exercise, be able
to exercise directives, not ask for voluntary measures, but
exercise directives over the industry, the affected industry
for cyber, our position is that it should consider, or it
should also grant the agency an extraordinary ability, or
ability under extraordinary circumstance, to also exercise
actions against physical threats.
A good example is a bulk power system transformer. If there
were some, if there were some issue, if there were some
information, that would indicate that these transformers were
affected, the affected agency or the agency in charge could
then issue a directive to help or to give guidance to the
affected industry to protect those transformers. Perhaps
relocate the transformers or take other actions in order to
secure those transformers for a period of time.
Senator Corker. So, I noticed the two guys on the end sort
of shrieking. So----
Mr. McClelland. Yes, I wouldn't be surprised. We all know
each other.
Mr. Mosher. There are numerous police agencies in the
United States and the FERC is not among them.
Mr. McClelland. Right
Mr. Mosher. Particularly for municipal utilities, where we
have a local police department, they are frankly very good at
maintaining local security. They know who isn't from the
community and is lurking around the substation.
I agree with Joe that there are physical concerns security
concerns. I do not think that the FERC is the appropriate
agency to undertake that.
Mr. Owens. I would agree with. I think that there are other
agencies that have that responsibility. I think Joe is right
that there are elements of our system that present some
vulnerabilities.
He mentioned specifically transformers and we already have
an industry effort underway to make sure that we can secure, if
we have a disruption in our transformers, we have an inventory
of transformers that can be quickly mobilized so that we can
make sure that electric service is restored very quickly.
FERC has blessed that approach, but FERC is not the agency
that deals with all the physical aspects of our systems. I
think that there does need to be coordination. If that is what
Joe is indicating, I do agree with him that there needs to be
ongoing coordination between the Federal Government and the
State and local agencies.
Senator Corker. Mr. Sergel.
Mr. Sergel. On physical security, I worry that too many
agencies that are qualified will show up to help. On cyber
security, I lie awake at night worrying that no one will show
up. It's cyber security emergency legislation that is
absolutely essential.
There are physical issues, they are real. But, again, I
agree with my associates that that is not--first, it is not the
priority that I have but it's also--others would be the ones
who would be better suited to do that.
Mr. Owens. Right.
Senator Corker. Madam Ranking Chairman, I think we've had
some great witnesses and I do--did I say ranking chairman? Yes.
Acting chairman, acting chairman.
I do wonder if we are ready to do this next week. Either, I
mean, I know it is just a short piece of work, four pages, but
it seems like a very, very important issue and it seems like
that these witnesses have some clarifications that could be
incredibly helpful. Either they have some quick work to do and
all of us just sort of sit around and think that what they do
is good or maybe we ought to think about may be looking at this
some more.
I know you're very concerned. I've heard you talk several
times about cyber security and I know the Senator from New
Hampshire is, too. I know our whole country is. I just wonder
if we're adequately addressing this right now, so.
Senator Murkowski. Thank you Senator Corker. I think we all
share the concerns and I'm pretty certain that the folks within
the White House are very keyed on this as well. Whether it's
cyber security within the power grid or, as I mentioned, cyber
security issues that crop up in our aspects of day-to-day life
in commerce.
But the problem is is that perhaps they have not moved as
quickly in determining how they are going to approach the issue
of cyber security.
Again, I threw out this whole discussion about a cyber
security czar. I'm not convinced it is necessarily needed, but
I think it speaks to the issue that we're faced with today.
There is a level of vulnerability that we have, the smarter
that we get. Our ability to utilize new technologies, and Smart
Grid is a perfect example of how it makes our life better and
more efficient, but exposes us to a level of vulnerability if
we don't build securities into our system. We've got to be on
top of this in a very, very strong way. So, the issues that
have been presented today, I think, have been very helpful.
I think you're right, Senator Corker, we have recognized
that, as part of a Comprehensive Energy Bill, we would be
foolish not to include some aspect of cyber security into an
energy piece, but how we define it and who we place in charge
is key and it is critical that we do our best to try to get it
right.
So, I appreciate the input from the witnesses here today
and the good exchange from committee members this morning.
Thank you.
[Whereupon, at 11:45 a.m., the hearing was adjourned]
APPENDIX
Responses to Additional Questions
----------
Federal Energy Regulatory Commission,
Washington, DC, May 8, 2009.
Hon. Jeff Bingaman,
Chairman, Committee on Energy and Natural Resources, U.S. Senate,
Washington, DC.
Dear Mr. Chairman: Thank you for the opportunity to testify before
the Senate Energy and Natural Resources Committee on May 7, 2009 on
cybersecurity of the nation's electric grid. Enclosed are my responses
to the post-hearing questions that you and Senator Murkowski have
submitted.
Also enclosed is a one-page document with edits to the Joint Staff
bill on two issues addressed in my testimony. First, the edits would
broaden the bill to cover not only cyber vulnerabilities and threats
but also other national security vulnerabilities and threats. Second,
the edits would include additional information within the scope of
subsection (f), on protection of critical electric infrastructure
information.
Should you need additional information, please do not hesitate to
get back in touch with me.
Sincerely,
Joseph McClelland,
Director, Office of Electric Reliability.
[Enclosure.]
Responses to Questions From Senator Bingaman
Question 1. In your view is the authority granted in the proposal
sufficiently broad to allow protection against all cyber security
threats and vulnerabilities? Does the provision cover Alaska, Hawaii,
and distribution systems?
Answer. Yes, my view is that the draft bill provides adequate
authority on each of these points. First, the draft bill allows
protection of critical electric infrastructure against all cyber
security threats and vulnerabilities. Second, as to Alaska and Hawaii,
the draft bill covers systems and assets used to produce, transmit or
deliver ``electric energy affecting interstate commerce.'' It is
Commission legal staffs view that the Commission could reasonably find
that electric energy in Alaska and Hawaii affects interstate commerce.
Finally, the draft bill includes systems or assets used for
``generation, transmission, or distribution'' (emphasis added) if they
are ``so vital to the United States that the[ir] incapacity or
destruction ... would have a debilitating impact on national security,
national economic security, or national public health or safety.''
Question 2. The condition that allows a utility, under current NERC
standards, to accept the risk of inaction is a little puzzling to me.
Does that mean that, if a utility says that it is willing to accept
liability for all the costs of a massive outage, perhaps into the
hundreds of billions of dollars, it does not have to take steps to
prevent that outage? Is there any requirement for indemnification or
warranty that the utility would be able to bear the cost?
Answer. While the current CIP (cyber security) standards have
several requirements that allow an ``acceptance of risk'' in lieu of
mitigation, the standards do not make clear the legal liability for
such acceptance of risk. For example, Requirement R3.2 in CIP-007-1
states: ``The Responsible Entity shall document the implementation of
security patches. In any case where the patch is not installed, the
Responsible Entity shall document compensating measure(s) applied to
mitigate risk exposure or an acceptance of risk.'' The Commission's
Order No. 706 required replacing the unilateral acceptance of risk with
a ``technical feasibility'' exception mechanism that includes an
independent approval. Version two of the CIP standards recently
approved by the NERC Board of Trustees deletes all uses of the
``acceptance of risk'' language. Version two has not yet been filed
with the Commission. Depending on the time required for the version two
CIP standards to be filed and approved, under the effective date
provision embedded in those standards, they could be effective as early
as January 1, April 1 or September 1 of 2010. (The applicable provision
in the standards makes them effective on the ``first day of the third
calendar quarter after applicable regulatory approvals have been
received.'')
Question 3. How long did it take for these NERC rules to he
developed, and how much longer might it take to get them amended to
correct the weaknesses?
Answer. It took approximately three years for the NERC rules to be
developed. The CIP standards began as the Urgent Action (UA) 1200
standard (voluntary standards), which became effective in 2003. It was
intended to he temporary measures until permanent ones could be
developed and agreed upon. The current CIP standards replaced the
UAl200 standard on June 1, 2006, after they were approved by the NERC
Board of Trustees, and were filed with the Commission on August 28,
2006. After considering public comments on the issuance of a Staff
Preliminary Assessment and on a Notice of Proposed Rulemaking, the
Commission approved the CIP standards on January 18, 2008, but
immediately directed NERC to make substantial modifications. NERC
formed a standards drafting team to address those Commission
directives. That team is addressing the required modifications in
phases. The first phase has been drafted and recently approved by the
NERC Board of Trustees. Once it has been filed with the Commission, and
if it is approved by the Commission, that version (version two) will
then he mandatory and enforceable in the continental United States.
Depending on the time required for the version two CIP standards to be
filed and approved, under the effective date provision embedded in
those standards, they could he effective as early as January 1, April 1
or September 1 of 2010. (The applicable provision in the standards
makes them effective on the 'first day of the third calendar quarter
after applicable regulatory approvals have been received.'') The same
drafting team has been working on an anticipated phase two and a phase
three to address the remaining Commission directives for modifications.
I do not have a good estimate of when phase two or phase three of the
modifications will take effect.
Question 4. You say that NERC reported that only 29% of utilities
reported owning any critical assets. Do you have an idea of how many
utilities own critical assets?
Answer. As a point of clarification, NERC reported that only 29% of
Generation Owners and Generation Operators reported identifying at
least one critical asset. NERC also reported that approximately 63% of
Transmission Owners identified critical assets. The Commission does not
have any data on how many utilities own critical assets. However,
NERC's Compliance Registry Matrix identifies a total of 1,555 Generator
Owners (GOs) or Operators (GOPs) and 321 Transmission Owners (TOs).
NERC standard CIP-002 is entitled ``Cyber Security Asset
Identification'' and it requires these entities to develop a ``risk-
based assessment methodology'' to use in identifying their critical
assets. The entities are then to use this methodology to self-determine
their critical assets and subsequently, critical cyber assets that are
captured by the cybersecurity standards. In Order No. 706, the
Commission directed NERC to, among other things, provide guidance on
the development and application of the risk-based assessment and to
implement independent reviews of the individual entity's critical asset
determinations. The NERC survey described on page 6 of my written
testimony is part of this still-ongoing effort.
Question 5. We have tried not to eliminate the NERC standards
setting process in our bill. The intent is that FERC establish
standards for vulnerabilities as quickly as possible, that could then
be superseded by NERC standards when such are developed that the
Commission finds acceptable under the statute. Is this your reading of
it as well?
Answer. I agree that the bill does not eliminate the NERC standards
setting process. The Commission would have the ability to move quickly
and effectively to address vulnerabilities under the new provision,
followed by standards development activities by NERC pursuant to FPA
section 215.
Question 6. In your view is the authority granted in the bill broad
enough to protect against all cyber security threats and
vulnerabilities, including those originating on distribution systems
and in Alaska and Hawaii?
Answer. Yes, for the reasons explained in response to Question No.
1, above.
Responses to Questions From Senator Murkowski
Question 1. The industry witnesses before us today urge Congress
not to broaden federal jurisdiction in the cyber arena to extend to the
local distribution system. But, if Congress limits any new federal
authority to the Bulk Power System, aren't we leaving cities like New
York and Washington vulnerable to a cyber attack?
Answer. Yes, the current definition of Bulk Power System leaves
certain cities, such as New York, vulnerable to a cyber attack. When.
NERC proposed its first set of reliability standards, it asked that the
applicability of the reliability standards be limited to facilities
generally rated at 100 kV and above subject to the individual
determinations of the regions. In Order No. 693, the Commission
accepted this proposal but expressed concern about potential gaps in
coverage. Since then, the regional definition applicable to Washington,
D.C., has been strengthened adequately to include the transmission
systems serving the city, but a different regional definition excludes
most of the network facilities in the New York City area. Moreover, the
Bulk Power System is statutorily defined as excluding facilities used
in local distribution. The draft bill's language is broader than the
Bulk Power System and would allow the Federal government to protect
against such a gap.
Question 2. In the 2005 Energy Policy Act, Congress created an
Electric Reliability Organization--which is now NERC--to develop
mandatory and enforceable reliability standards, including cyber
security standards, for the electrical grid. While this ``Section 215
Process'' provides for extensive stakeholder involvement, FERC has
complained that the process is too time-consuming, does not allow
timely changes, and does not protect security-sensitive information. I
am concerned that even though we learned about Aurora in 2007, the NERC
standards will still not be in place until 2010. Do the witnesses agree
that the additional federal authority, beyond the Section 215 process,
is needed for cyber security protection?
Answer. Yes.
Question 3. Section 215 of the Federal Power Act gives FERC the
authority to oversee mandatory, enforceable reliability standards for
the Nation's bulk power system, but excludes Alaska and Hawaii. What
are the challenges in including Alaska, Hawaii, and the territories in
cyber security action?
Answer. The Commission would need to learn about the facilities
that provide electric service in these States and territories, and
establish a communication protocol to convey information and
directives.
Question 4. We can have the most secure systems here in the U.S.,
but we are interconnected with our northern and southern neighbors.
What kind of coordination do we have with Canada and Mexico today? How
much of an impact on the U.S. would there he from a cyber-intrusion
into the Canadian or Mexican systems?
Answer. The Commission and DOE maintain close coordination with
Canadian and Mexican governmental officials and regulators;
representatives from the three countries communicate by telephone or
meet frequently. Officials in Canada and Mexico are well aware of the
risks of cyber-intrusion, and the need to protect against such
vulnerabilities and threats. The impact on the United States from a
cyber-intrusion in Canada or Mexico is difficult to predict, and could
vary widely based on the nature and location of the intrusion, as well
as the system conditions at the time an intrusion occurs or is
activated.
Question 5. Some of the industry witnesses have argued that
Congress should provide emergency/expedited authority to either DOE or
FERC--but not both. How do you respond?
Answer. The comments that supported giving the authority to either
FERC or DOE but not both seemed to flow from a concern that there would
be an overlap. However, the draft bill authorizes FERC to address
vulnerabilities while authorizing DOE to address threats, so it is not
clear that there will be an overlap. If circumstances arose in which
the statute allowed both agencies to act, the agencies would need to
coordinate their efforts appropriately, and I believe the agencies
would act timely and responsibly in doing so. The FERC, which currently
is the Federal agency statutorily responsible for overseeing
reliability, has the expertise and processes in place to timely and
effectively issue orders directing necessary actions to address
reliability vulnerabilities or to address threats in emergency
situations, to ensure that the actions ordered do not conflict with
other reliability requirements, and to enforce its orders. The FERC
also has many years of experience in reacting promptly to industry
urgent action needs.
Question 6. You testified that the legislation should address not
only cyber security threats but also extend to other national security
threats to reliability. What additional authority does FERC require?
Answer. Physical or non-cyber events or attacks can damage the grid
as much as, or more than, cyber attacks. While law enforcement agencies
may be able to inform utilities about known or suspected threats, and
provide or enhance protection against certain threats, I am unaware of
any federal agency or law enforcement agency with authority to require
utilities to take preventative actions to mitigate non-cyber
vulnerabilities or threats to the power grid even if they endanger
national security. It is impossible to speculate as to what specific
non-cyber vulnerabilities and/or threats might materialize in future
years, although it is certain that when such issues arise, it cannot be
assured that they will be dealt with in a timely and effective manner
unless a Federal agency is already authorized to require appropriate
action. These non-cyber events might vary significantly and range from
natural causes such as solar-magnetic storms to deliberate and
coordinated attacks on specific equipment such as bulk power
transformers. Broadening the draft bill to include non-cyber
vulnerabilities would authorize regulatory requirements, quickly if
necessary, to install and actuate protection measures against a solar
storm (or threat of an electromagnetic pulse attack) or the stockpiling
and sharing of costs for spare transformers. If the Congress does not
enact a provision to enable the Commission to act to protect the power
grid from such threats, there will be a gap in protection of the grid.
Question 7. When FERC issues an alert or advisory for industry to
take a voluntary action, such as in response to the Aurora
vulnerability, what is the compliance rate?
Answer. I am not aware of calculations of compliance rates, since
some NERC issuances do not recommend specific actions and all are
merely voluntary. NERC, and not FERC, issues alerts to address
vulnerabilities or threats that are not covered by the reliability
standards. Since the Aurora advisory, NERC has restructured its alert
process, with Commission oversight. NERC now has three levels of
alerts, and also issues awareness bulletins. Not all alerts require any
feedback from industry. The three alert levels are: Industry
Advisories, Recommendations to Industry and Essential Action Alerts.
The Essential Action Alerts are the highest urgency alerts, and are
most like the Aurora alert. Since putting this mechanism in place, no
Essential Action Alerts have been issued. Voluntary compliance with
these advisories has not been the subject of any audit--by NERC or the
Commission. Thus, the effectiveness of these alert efforts is
uncertain.
Attachment
I. Changes to Address Non-Cvber Vulnerabilities or Threats
A. In section (b)(1), after ``cyber security
vulnerabilities'' insert ``or other national security
vulnerabilities''.
B. In section (h)(2), after ``a cyber security
vulnerability'' insert ``or national security vulnerability''.
C. In section (c)(1), after both references to ``cyber
security threat'' insert ``or national security threat''.
II. Changes to Broaden Protection of CEII
Revise section (f) by adding the text underlined below:
Section 214 of the Critical Infrastructure Information Act of
2002 (6 U.S.C. 133) shall apply to critical electric
infrastructure information submitted to, or developed by, the
Commission or the Secretary under this section to the same
extent as that section applies to critical infrastructure
information voluntarily submitted to the Department of Homeland
Security under that Act (6 U.S.C. 131 et seq.) If a rule or
order issued pursuant to this section contains critical
electric infrastructure information or if information in the
record associated with such rule or order constitutes critical
electric infrastructure information, the Commission or the
Secretary may make the rule, order or information non-public in
whole or in part.
Responses to Questions From Senator Bayh
Question 1. In your agency's view, would the proposed legislation
drafted by the Committee on Energy and Natural Resources be
complementary of various other legislative efforts to address the issue
of cyber security in other sectors (banking, commerce, military, and
intelligence)?
Answer. Yes, the proposed legislation would be complementary to
other legislative efforts addressing cyber security in other sectors
such as banking, commerce, military, and intelligence. The legislation
directs FERC to address cyber security vulnerabilities of the Nation's
critical electric infrastructure. By doing so, the legislation places
the responsibility and authority to address cyber security
vulnerabilities of the electric grid with the agency that is already
charged with regulating reliability and cyber security of the bulk
power system and is therefore experienced and expert in these matters.
It does not preclude or discourage FERC from working with other
agencies or even a central authority (if Congress or the President
elects to establish one) to address and mitigate these issues. In fact.
I believe that in order to be effective, the Commission would need to
coordinate closely with other agencies and bring all resources and
expertise to bear on the particular vulnerability or threat presented.
FERC already works closely with agencies such as DOE, DoD, DHS, NRC,
CIA and others in these matters and expects to continue to do so if the
proposed legislation is passed--even in combination with other cyber
security legislative efforts affecting other industries and agencies.
Question 2. If this legislation is enacted, how would new DOE and
FERC authorities be complementary of the other efforts to ensure
cybersecurity undertaken by the Executive Branch and of each other?
Answer. As I mentioned previously, even if Congress or the
President were to create a central authority, FERC expects to
coordinate as appropriate with that authority to effectively establish
and implement cyber security measures necessary to address
vulnerabilities. Should the proposed draft retain the separation of
FERC and DOE responsibilities, FERC expects to coordinate with DOE in
order to prevent overlap of our orders and enforcement actions
regarding FERC's responsibility to address ``vulnerabilities'' and
DOE's responsibility to address ``threats''. Again, FERC already
coordinates with many other agencies such as DOE, DoD, DHS, NRC and CIA
to avoid duplicative or conflicting actions. At times, as during
Aurora, FERC worked closely with the Executive Branch which convened
interagency meetings to coordinate the actions of all federal agencies
in order to assure an effective and comprehensive plan. Therefore,
action to formalize an Executive Branch role is not expected to cause a
conflict, overlap or other adverse effect on FERC's role.
Question 3. Currently, how are DOE and FERC coordinating with all
of the other agencies and departments involved in cyber security (for
example, DHS, DoD, and the Intelligence Community)?
Answer. In addition to excellent working relationships and issue-
based contacts between staff members of FERC, DOE, DoD, DI IS, CIA, and
NSA, there are several formal processes that engage our agencies.
a. FERC participates as a member of the Energy Sector
Government Coordinating Council co-chaired by DOE and DHS. The
Council is organized to coordinate security activities of
federal agencies in the Energy Sector. The Council also
facilitates interaction with the energy industry's members
through their sector coordinating councils.
b. Defense Science Board--I have served as a resource to the
energy task force evaluating specific physical and cyber
vulnerabilities and their impact to the mission-critical
functions of the armed services. As part of this assignment, I
have helped to conduct briefings of the Senate's Armed Services
staff members as well as briefings of senior DoD officials at
the Pentagon.
c. Joint Projects and Studies--FERC has conducted independent
studies and has initiated joint studies with other agencies
such as DOE, DoD, and others to evaluate physical and cyber
security vulnerabilities and to identify effective mitigation
techniques.
d. Memorandums of Understanding--FERC has executed an MOU
with the NRC and meets with staff to discuss cyber security
issues of the power grid and how they could affect the
operation and security of the nuclear power plants. In fact,
FERC just recently issued an order after considering comments,
including from the NRC staff, to eliminate a gap in regulatory
coverage of cyber security standards in the ``balance of
plant'' portion of nuclear generating plants not directly
related to the nuclear safety, security or emergency
preparedness.
e. Industrial Control Systems Joint Working Group (the WG)--
FERC participates in the WG that is organized and run by DHS.
The WG encompasses cyber security issues for all sectors, and
involves governmental and industry organizations.
Question 4. How will these efforts be affected by the President's
cybersecurity review?
Answer. We have not yet seen the President's cybersecurity review
and therefore cannot comment on its effect on our responsibility
regarding the Bulk Power System or its interaction with the proposed
legislation. However, I can reiterate that FERC is a regulatory agency
and is expert at crafting orders, issuing them quickly when necessary,
conducting fair proceedings for the regulated community, and enforcing
its orders and directives. FERC has the statutory responsibility to
oversee the reliability and cyber security of the nation's power grid.
I believe that any new cyber security initiative or review should
consider FERC's statutory responsibility and expertise to protect the
electric infrastructure that our country depends upon for its safety,
economy, and military preparedness. Should the proposed legislation
pass, I expect that this will complement FERC's existing authorities to
protect reliability of the transmission grid by allowing FERC to
immediately address vulnerabilities to the Nation's critical electric
infrastructure. In the event that the President's cybersecurity review
leads to the creation of a new Executive Branch role, as in the past
FERC would coordinate with this function to assure that its actions are
effective and comprehensive in the context of the actions of the other
agencies.
______
Responses of Allen Mosher to Questions From Senator Bingaman
Question 1. In your view is the authority granted in the proposal
sufficiently broad to allow protection against all cyber security
threats and vulnerabilities? Does the provision cover Alaska, Hawaii,
and distribution systems?
Answer. APPA has assumed that the question is directed to cyber
security threats to and vulnerabilities on the electric system. Based
on that premise, the proposal, through the Section 224(a)(1) definition
of ``Critical Electric Infrastructure,'' is sufficiently broad to allow
protection against cyber security threats and vulnerabilities to
electric system assets, including generation, transmission and
distribution. In fact, APPA is concerned that the scope of the proposed
authority is overly broad, in that the inclusion of distribution
facilities may tax the scarce resources needed to mitigate risks
associated with attacks on the bulk power system.
APPA is also concerned that the scope of this authority may not be
clearly delineated and may overlap with authorities reserved to state
and local regulatory bodies. APPA continues to oppose granting
emergency authorities to FERC over distribution facilities.
The phrase at page 1, line 10, ``affecting interstate commerce''
could be interpreted to imply that the covered distribution facilities
may be used to provide electric service in interstate commerce. Under
that interpretation, Hawaii and Alaska would not be covered by the
proposal.
But the text ``affecting interstate commerce'' could also be
interpreted to imply that interruption of service through attacks on
critical electric infrastructure would have a debilitating impact on
the operations of electric customers. In that event, Alaska, Hawaii and
all distribution electric assets, including private networks owned by
non-utilities, might be covered.
Question 2. You agree that it would be appropriate for FERC to
issue ``interim measures'' to protect against the Aurora vulnerability.
Do you not believe that there are other vulnerabilities that deserve
this same treatment? What if, next week, we discovered eight others?
Should we not allow FERC to issue interim measures for all
vulnerabilities?
Answer. APPA's support for FERC authority to address the Aurora
cyber-security vulnerability is based on the recognition that current
NERC Critical Infrastructure Protection reliability standards do not
encompass all bulk-power system facilities and that the Aurora Advisory
identified certain vulnerabilities that can and should be addressed
now. The primary message of the Aurora advisory--that utilities should
secure utility operating data and control systems from unauthorized
remote access--is fundamental. One important set of lessons to be
learned from Aurora is that advisories need to be clearly describe the
nature of the vulnerability and that not all recommended mitigation
measures work in all situations. The Aurora advisory process then in
existence lacked the needed processes to clarify or refine the actual
advisory and receive feedback from industry experts before it was
issued to the industry as a whole.
A comprehensive set of mandatory reliability standards will provide
a framework for systematic analysis and response by bulk power system
asset owners to new vulnerabilities. Thus, as specific new
vulnerabilities emerge in the future, they can and will be addressed,
either through new NERC standards for the bulk power system or through
the development of interpretations of then-existing CIP standards.
FERC's existing authority under FPA Section 215 to direct NERC to
submit a new or revised reliability standard addressing a specific
matter, in conjunction with improved government-industry communication
processes should obviate the need for FERC authority to direct interim
measures.
Question 3. We have included the sensitive information protections
from the Critical Infrastructure Information Act. Are these protections
not sufficient? If not, what would be?
Answer. No. Unfortunately, the Critical Infrastructure Information
Act appears to protect only voluntary data submittals by private sector
entities to the Department of Homeland Security and possibly other
federal agencies. Submittals required by regulatory orders, data
exchanged by private sector entities, information exchanged among
entities during NERC standards development processes, and
communications by federal, state, municipal and other locally owned
utilities with third parties do not appear to be covered by the
referenced act.
APPA recommends that the Committee examine closely the language of
Section (f) of H.R. 2165, introduced into the House of Representatives
by Rep. Barrow on April 29, 2009.
APPA will also provide additional draft statutory language to
address the particular concerns of state and locally-owned utilities as
soon as possible.
Responses of Allen Mosher to Questions From Senator Murkowski
Question 1. The industry witnesses before us today urge Congress
not to broaden federal jurisdiction in the cyber arena to extend to the
local distribution system. But, if Congress limits any new federal
authority to the Bulk Power System, aren't we leaving cities like New
York and Washington vulnerable to a cyber attack?
Answer. On balance, no. Protecting the bulk power system from cyber
attack necessarily entails taking measures to ensure that the bulk
power system is not vulnerable to attacks originating on the
interconnected distribution system. Such attacks could be propagated
either through utility system data and control systems used perform
both transmission and distribution functions, or through attacks on
customer devices that might be propagated upward and adversely affect
power characteristics on the bulk power system (e.g., real and reactive
power demands, frequency, voltage, etc.). In the former case,
integrated utilities have an interest in protecting both their
transmission and distribution systems from attack and will apply cyber
security measures throughout their systems. In the latter case, proper
design and certification of Smart Grid devices will ensure that cyber-
security capability is built in rather than added in a patchwork
process after the fact. Finally, distributions utilities in major
cities and their retail regulators will respond to threat and
vulnerability information made available through NERC ES-ISAC and DOE
information sharing and analysis programs.
Question 2. In the 2005 Energy Policy Act, Congress created an
Electric Reliability Organization--which is now NERC--to develop
mandatory and enforceable reliability standards, including cyber
security standards, for the electrical grid. While this ``Section 215
Process'' provides for extensive stakeholder involvement, FERC has
complained that the process is too time-consuming, does not allow
timely changes, and does not protect security-sensitive information. I
am concerned that even though we learned about Aurora in 2007, the NERC
standards will still not be in place until 2010. Do the witnesses agree
that the additional federal authority, beyond the Section 215 process,
is needed for cyber security protection?
Answer. As I noted in my testimony, APPA supports authority for
FERC to issue emergency orders in response to an imminent threat. APPA
also supports authority for FERC to direct entities subject to Section
215 to take interim measures to secure their bulk power system assets
from the vulnerabilities described in the Aurora advisory.
APPA also agrees that the NERC standards development process can be
complex and time consuming. Nonetheless, APPA fully supports Congress'
decision in the Energy Policy Act of 2005 to rely upon the Section 215
model of an industry-based Electric Reliability Organization--NERC--to
develop reliability standards that are technically sound, well
understood and broadly supported by the 1800 entities within the
electric power industry that have to live with these standards on a
day-to-day basis. The additional time required to develop standards
through this process helps ensure that technical issues are resolved up
front by industry experts and that potential unintended consequences
(such as a cyber-security rule that might impair real time operating
procedures) are addressed early on.
NERC has adopted procedures that provide for emergency standard
development to quickly fill gaps that may be identified in existing
reliability standards. NERC's rules of procedure and reliability
standards development process provide for a two-step response. Where
the nature of the underlying threat or vulnerability and the associated
mitigation measures are well-defined, cyber-security experts from NERC
and the electric industry collaborate with federal government agencies
and other sources (e.g., US-CERT) to craft an advisory with recommended
or essential actions to be taken by the applicable entities (generally
owners and operators of the potentially affected bulk power system
assets). Essential action advisories must be approved by the NERC Board
of Trustees. Each entity that receives an essential action or
recommended action advisory must respond to NERC that it has received
the advisory and must describe the actions it has taken. If the
underlying threat or vulnerability is sustained in nature and is not
addressed by an existing reliability standard, an emergency standards
development process can be initiated resulting in the development and
approval of a new or revised reliability standard within days.
APPA does believe that existing law makes it difficult to protect
security-sensitive information during the standards-development
process. This would appear to be true regardless of whether such
standards were developed by stakeholders through NERC's standards
development procedure or by and FERC through some form of public notice
and comment. FERC witness Joseph McClelland raised similar concerns.
Question 3. You mentioned the need for a greater flow of
information from the government to industry on cyber security threats.
What is the current process/course of action for cyber security threats
for the private sector? Why do you want DOE as the lead and how would
having a Cyber Security Czar in the White House impact that flow of
information?
Answer. APPA suggests that NERC is better equipped than APPA to
provide a full description of its processes and responsibilities as the
ES-ISAC. See the response to Question 2 for a brief overview.
APPA sees several advantages to placing DOE in the lead role with
respect to communications with the electricity sector. First, DOE has
that role as the Government Coordinating Council for the energy sector
today. DOE both understands the energy sector and has access to high-
level intelligence information from other cabinet-departments and
intelligence agencies, allowing it to act as a conduit, filter and
translator of intelligence threat and vulnerability information into
actionable forms that may be used by the electric utility industry.
Finally, as described by DOE witness Patricia Hoffman, the Department
is the federal agency that is best situated to help improve the
technological state of the art in cyber-security, while advancing other
important energy policy goals such as the deployment of Smart Grid
technologies.
APPA does not have a position on whether a Cyber Security Czar
should be established in the White House or whether the flow of threat
and vulnerability information from government to industry might be
improved by such an action. APPA merely observes that a narrow,
surgical approach to addressing cyber security issues based on existing
FERC and DOE authorities would be less likely to come into conflict
with Congressional and Executive Branch decisions on how to better
align the federal government's cyber-security strategy as a whole.
Question 4. It has been suggested that the draft legislation we are
considering could be duplicative and cause confusion by giving parallel
powers to DOE and FERC for cyber security threats and vulnerabilities.
How does the Electricity Sector Information Sharing and Analysis Center
(ES-ISAC) fit into the picture in disseminating these potential new
rules and orders to the electricity industry? Does information flowing
through this Center help reduce any confusion or is it more about which
agency has the lead?
Answer. APPA suggests that NERC is better equipped than APPA to
provide a full description of its processes and responsibilities as the
ES-ISAC. See the response to Question 2 for a brief overview.
APPA believes information should continue to flow through the ES-
ISAC regardless whether such information originates within the federal
government or from public-private partnership arrangements,
universities or equipment vendors and manufacturers. Under the current
legal framework, the ES-ISAC is responsible for issuing alerts to the
entire electric sector. These alerts are described as advisories,
recommendations or essential actions. Recommendations and essential
action alerts are accompanied by suggested mitigation measures. ES-ISAC
alerts are separate and distinct from NERC's responsibility as the ERO
to develop and enforce mandatory reliability standards. The ES-ISAC is
not structured as a body with appropriate governance, due process and
compliance procedures to act as a vehicle to disseminate and ensure
compliance with rules and orders.
______
Responses of David K. Owens to Questions From Senator Bingaman
Question 1. In your view is the authority granted in the proposal
sufficiently broad to allow protection against all cyber security
threats and vulnerabilities? Does the provision cover Alaska, Hawaii,
and distribution systems?
Answer. The language in the joint staff draft appears intended to
protect against all cyber security threats and vulnerabilities,
including those affecting distribution systems and Alaska and Hawaii.
However, just as it is impossible as a practical matter to absolutely
guarantee 100% electric system reliability all of the time, a 100%
threshold for cyber security is virtually unattainable. Perfect
security is not a static, or even realistic, goal for security
professionals, including those in the electric utility industry,
because the technologies utilized by the industry, as well as the
techniques pursued by cyber adversaries, are continuously evolving.
EEI and its member companies believe there is considerable
strategic value in demonstrating to our cyber adversaries the ability
to respond to a threat with swift, unambiguous action. That is why we
support designating a single federal regulatory authority that, in case
of an imminent emergency threat, could issue clear actionable orders
and, where necessary, enforce those orders.
In crafting legislation, Congress should try to avoid inadvertently
creating a framework that could weaken grid security rather than
strengthening it. For example, the inclusion of an overly broad
diversity of assets and systems, as proposed in the joint staff draft,
could significantly complicate the task of quickly writing unambiguous
orders for actions to be taken to mitigate the threat, with significant
risk that such orders would be ineffective or could cause other
unintended adverse consequences. Also, attempting to address every
single cyber security threat or vulnerability is inconsistent with a
fundamental tenet of security, i.e., the use of risk analysis to
prioritize resources. The technical comment at the end of the
Department of Energy's prepared testimony submitted for the May 7
hearing is a good description of such an approach. Using a risk-based
approach means protecting against threats or vulnerabilities with the
highest consequences to reliability or public welfare and safety. This
is why Federal Power Act (FPA) section 215 focuses on protecting the
reliability of the North American bulk power system.
Question 2. Is it not true that threats to the bulk power system
can come from attacks through distribution system control systems? If
so, should we not protect against those possible attacks as well as
those that come from transmission system control systems?
Answer. Under current North American Electric Reliability
Corporation (NERC) standards, if an attack on a distribution control
system could impact the bulk power system, that piece of distribution
equipment would be covered by NERC standards and authority under FPA
section 215. Thus, EEI would argue that protection already exists
against possible attacks on the bulk power system through distribution
control systems.
Responses of David K. Owens to Questions From Senator Murkowski
Question 1. The industry witnesses before us today urge Congress
not to broaden federal jurisdiction in the cyber arena to extend to the
local distribution system. But, if Congress limits any new federal
authority to the Bulk Power System, aren't we leaving cities like New
York and Washington vulnerable to a cyber attack?
Answer. No. In the Energy Policy Act of 2005, Congress wisely left
the definition of the ``bulk power system'' flexible to allow the
inclusion of assets to address special circumstances such as those
posed by major cities like New York City and Washington, DC. In effect,
there is not a single definition of ``bulk power system'' for the
entire country, but instead each region has its own definition crafted
to reflect the unique system design, operating and engineering
characteristics, and asset makeup in that region. This flexibility
provides FERC the ability to exercise discretion to include specific
areas or assets, including some distribution assets where necessary for
reliability purposes. In fact, FERC has pending in docket RC09-3 a
filing by NERC to include additional assets in New York City, and has
already acted in an earlier docket to include additional assets in
Washington, DC.
Question 2. In the 2005 Energy Policy Act, Congress created an
Electric Reliability Organization--which is now NERC--to develop
mandatory and enforceable reliability standards, including cyber
security standards, for the electrical grid. While this ``Section 215
Process'' provides for extensive stakeholder involvement, FERC has
complained that the process is too time-consuming, does not allow
timely changes, and does not protect security-sensitive information. I
am concerned that even though we learned about Aurora in 2007, the NERC
standards will still not be in place until 2010. Do the witnesses agree
that the additional federal authority, beyond the Section 215 process,
is needed for cyber security protection?
Answer. As stated in our testimony, EEI agrees that it is
appropriate for Congress to provide federal energy regulators with
explicit new statutory authority to address imminent and serious
emergency cyber security threats. Any new authority should be narrowly
tailored to deal with real emergencies; overly broad authority could
undermine the collaborative framework that is needed to further enhance
security.
It is important to note that current law already provides the means
to address the many non-emergency cyber security issues in the electric
industry. Any new emergency authority should be complementary to
existing authorities under FPA section 215, a proven approach that
relies on industry expertise as the foundation for developing
reliability standards.
Question 3. You mention the need for manufacturers of grid
equipment and systems to build security into their products. Is the
electric industry able to use procurement power to persuade vendors to
deliver these safe systems, or is the industry too diverse in the
systems and technologies they use to have the ability to influence
product design? Isn't part of the problem that many of these systems
are manufactured overseas?
Answer. Procurement contracting is one way the industry can attempt
to get vendors to build additional security into their products.
However, EEI believes that building security into electric utility
systems is too important to deal with solely on a contract-by-contract
basis. Relying on this approach assumes that every utility has adequate
expertise to negotiate in the procurement process for appropriate
security protections, and that every vendor has adequate expertise to
fulfill requirements made by the customer. The experience of EEI
members has not shown these assumptions to be true. EEI believes that a
uniform set of appropriately rigorous testing criteria, administered by
a third party expert who would certify that the criteria had been
applied and passed, would mitigate these issues.
The National Institute of Standards and Technology (NIST) effort to
develop a smart grid interoperability framework offers opportunities in
this area. NIST plans to develop vendor and manufacturer certification
guidelines as part of the third phase of this effort. Overseas
manufacturers could be subject to the same certification processes.
Another advantage of smart grid vendor and manufacturer security
verification is that it could help state utility regulators objectively
evaluate utilities' capital expenditures for inclusion of reasonable
cyber security as a criterion for cost recovery purposes. This also
could help indirectly encourage manufacturers of grid equipment and
systems to build security into their products.
Question 4. You have stressed that information sharing on the
government's part is a vital component in cyber security. Which federal
and state agencies/departments do you coordinate with on cyber security
threats and vulnerabilities? Are there instances when intelligence and
law enforcement officials have not shared actionable information in a
timely manner?
Answer. The electricity industry coordinates with and has received
classified briefings from many federal agencies on cyber security
issues, including the FBI, DHS, DOE, FERC, the NRC, CIA, Department of
Commerce, DoD, and ODNI. Many agencies, in particular DOE, also work
closely with industry personnel to educate and assist them in
developing strong cyber security strategies. Electric utilities are
eager to learn any information that helps them more effectively and
efficiently secure their systems, and EEI very much appreciates the
efforts of these agencies in helping utilities improve their cyber
security.
EEI believes that Congress should encourage a consultative
relationship between utilities and government agencies as a necessary
component of securing systems, and should not rely solely on a broad
regulatory approach to achieve effective security. It is inevitable
that the most sophisticated expertise on addressing the latest
cybersecurity threats will rest in federal agencies with national
security responsibilities. This information cannot be made available to
electric utility personnel, who nevertheless under the proposed
legislation could be expected to share responsibility for national
security. Expertise in reliably and safely operating electricity assets
in a large integrated system rests within the electric utility
industry. EEI believes that security is enhanced by leveraging both
types of expertise to identify efficient and effective techniques for
securing electric industry systems.
Question 5. A company in Alaska tells me that it is possible to put
a one-way regulator on cyber networks so information can flow out from
the network to managers that need access to the data, but data cannot
be sent back into the network from a remote source--ie: an outside
attack. Do you view a one-way flow regulator as a feasible solution?
Answer. There are solutions that can be placed on networks which
allow a secure one-way communication of data between networks of
different security levels. This is a feasible option, which is already
being used by some utilities, but only as part of an overall defense-
in-depth cyber security program.
______
Responses of Richard P. Sergel to Questions From Senator Bingaman
Question 1. In your view is the authority granted in the proposal
sufficiently broad to allow protection against all cyber security
threats and vulnerabilities? Does the provision cover Alaska, Hawaii,
and distribution systems?
Answer. The jurisdictional scope described in the Joint Staff Draft
is the broadest that I can conceive. It covers generation,
transmission, and local distribution. It covers Alaska and Hawaii. The
use of the phrase ``affecting interstate commerce'' has been construed
by the U.S. Supreme Court to be coterminous with the full extent of the
Congress's authority under the Commerce Clause of the U.S.
Constitution. Thus, I don't see that anything is left out. If Smart
Grid devices were implicated in a cyber threat or vulnerability, they
would be covered. As well, the language appears broad enough to reach
third-party communications providers if they were implicated in any
threat or vulnerability. Because I do not have access to information
regarding the full range of cyber security threats and vulnerabilities
facing the United States, I cannot say whether the proposed Joint Staff
Draft grants sufficient authority to allow protection against ``all
cyber threats and vulnerabilities.''
Question 2. You suggest that we should not give FERC authority to
establish standards pending the outcome of your deliberations. Do you
not think that it is important to protect these critical assets during
the years that it takes to get a standard through your organization?
Answer. NERC believes the Congress should adopt legislation
granting an agency of the Federal government emergency authority to
address an imminent cyber security threat. Each of the examples given
in testimony by the witness for the Federal Energy Regulatory
Commission involved situations where the action needed to occur to
address ``threats to national security quickly'' and ``require
immediate action'' (Prepared Testimony of Mr. McClelland, page 8), as
well as when ``there may be a need to act decisively in hours or days''
(Prepared Testimony of Mr. McClelland, page 9). That is what emergency
authority is all about. A grant of emergency authority, such as that
granted to the Department of Energy under the draft legislation, will
provide the Federal government the authority it needs to address any
specific situation that must be addressed in ``hours or days.''
NERC now has in place a baseline set of standards designed to
protect the security of the bulk power system. NERC's Critical
Infrastructure Protection standards cover these broad categories:
Sabotage Reporting
Critical Cyber Asset Identification
Security Management Controls
Personnel & Training
Electronic Security Perimeter(s)
Physical Security of Critical Cyber Assets
Systems Security Management
Incident Reporting and Response Planning
Recovery Plans for Critical Cyber Assets
These nine standards, encompassing roughly 45 individual
requirements, are already in effect. Audits for compliance with 13
requirements in these standards will begin for a certain set of
entities on July 1, 2009, with audits beginning for the remaining
requirements and remaining entities in 2010.
NERC and the industry are working to improve and strengthen those
standards, including addressing the modifications directed by FERC in
Order No. 706. NERC, working with industry security and operations
experts and FERC staff, has divided that work into two concurrent
phases. Last week, industry stakeholders approved phase one of the
improvements by an 88% affirmative vote. On May 6, 2009, the NERC Board
of Trustees approved those phase one revisions to the Critical
Infrastructure Protection standards. These revisions will be filed
shortly with FERC for approval and, if approved, they will become
binding and enforceable. Phase two revisions are already underway and
are expected to be complete in 2010. NERC and industry experts will
continue their work to improve those standards further in the months
ahead.
Please note that NERC has procedures that enable it to adopt
standards in substantially less time than ``years.'' To respond to the
need for standards to address pressing reliability or security
concerns, NERC can employ its urgent action standards development
process. Under its current construct, a proposed standard can be
processed through approval in approximately two months. Modifications
to this timeline are under review and are to be presented for NERC
Board approval in early August. These changes would dramatically reduce
this approval timeframe to as few as 10 days once a team drafts the
proposed standard. These timelines are impacted by the time needed to
craft the standard in response to the identified threat or
vulnerability.
If NERC needs to develop a reliability standard in response to a
critical issue that is so confidential that information can only be
shared on a ``need to know'' basis, NERC will use all the steps in the
standards development procedure, but will limit the participation and
the amount of information released within some of the steps of the
procedure. This balances the need to preserve the integrity of the
reliability standards development procedure with the need to preserve
the confidentiality of information that, if exposed, could put the
reliability of the bulk power system at risk.
Question 3. Do you know how long it will be before NERC is able to
address the weaknesses in the standards remanded by the Commission?
Answer. The Commission did not remand NERC's Critical
Infrastructure Protection standards. Instead, the Commission approved
those standards, stating:
In approving the CIP Reliability Standards, the Commission
concludes that they are just, reasonable, not unduly
discriminatory or preferential, and in the public interest.
These CIP Reliability Standards, together, provide baseline
requirements for the protection of critical cyber assets that
support the nation's Bulk-Power System. Thus, the CIP
Reliability Standards serve an important reliability goal.
Further, as discussed below, the CIP Reliability Standards
clearly identify the entities to which they apply, apply
throughout the interconnected Bulk-Power System, and provide a
reasonable timetable for implementation. (Order No. 706, para.
24.)
Those standards are now in effect. Users, owners, and operators of
the bulk power system are in the process of coming into compliance with
those standards, in accordance with the implementation timetable
approved by the Commission. In Order No. 706, the Commission also
directed NERC to make a number of improvements in the Critical
Infrastructure Protection standards, and NERC is in the process of
doing that now.
As described in my response to the prior question, this week NERC's
Board of Trustees approved the first phase of the improvements to the
standards directed by the Commission. The phase one improvements
include removal of the ``reasonable business judgment'' test and the
``assumption of risk'' criterion. The improvements also strengthen
senior management's accountability for implementation of critical
infrastructure protection programs within each company. Related
procedural rules will provide for audits of technical feasibility
exceptions claimed by users, owners, and operators of the bulk power
system. NERC and industry security and operations experts are now
working on the second phase of the improvements directed by the
Commission. NERC expects to complete phase two during 2010.
Responses of Richard P. Sergel to Questions From Senator Murkowski
Question 1. The industry witnesses before us today urge Congress
not to broaden federal jurisdiction in the cyber arena to extend to the
local distribution system. But, if Congress limits any new federal
authority to the Bulk Power System, aren't we leaving cities like New
York and Washington vulnerable to a cyber attack?
Answer. The greatest risk to the Nation is threats to the bulk
power system, and Congress should make sure that risk is addressed.
State commissions and local authorities can act to protect local
distribution facilities if they have access to prompt actionable
information on which to base any requirements they might impose.
However, the vast majority of the information about the risks and
threats to the electric system is in the hands of Federal authorities,
and much of that information is classified. Getting actionable
intelligence and mitigation measures in the hands of state and local
officials who already have authority to act to protect the cyber
security of their cities is the best way to protect those localities.
Question 2. In the 2005 Energy Policy Act, Congress created an
Electric Reliability Organization--which is now NERC--to develop
mandatory and enforceable reliability standards, including cyber
security standards, for the electrical grid. While this ``Section 215
Process'' provides for extensive stakeholder involvement, FERC has
complained that the process is too time-consuming, does not allow
timely changes, and does not protect security-sensitive information. I
am concerned that even though we learned about Aurora in 2007, the NERC
standards will still not be in place until 2010. Do the witnesses agree
that the additional federal authority, beyond the Section 215 process,
is needed for cyber security protection?
Answer. NERC believes the Congress should adopt legislation
granting an agency of the Federal government emergency authority to
address an imminent cyber security threat. Each of the examples given
in testimony by the witness for the Federal Energy Regulatory
Commission involved situations where the action needed to occur to
address ``threats to national security quickly'' and ``require
immediate action'' (Prepared Testimony of Mr. McClelland, page 8), as
well as when ``there may be a need to act decisively in hours or days''
(Prepared Testimony of Mr. McClelland, page 9). That is what emergency
authority is all about. A grant of emergency authority, such as that
granted to the Department of Energy under the draft legislation, will
provide the Federal government the authority it needs to address any
specific situation that must be addressed in ``hours or days.''
Standards are different, because they prescribe the actions and
practices that all entities, large and small, must follow day in and
day out. Standards-setting is intentionally a deliberative process that
involves the application of expertise in many disciplines. Entities may
be subject to fines of up to $1,000,000 per day per violation for
failure to comply with standards. The electricity production and
delivery system is technically very complex, so it is important in
establishing standards that there be no unintended consequences that
may actually reduce the reliability or security of the system. NERC now
has in place a baseline set of standards designed to protect the
security of the bulk power system. NERC's Critical Infrastructure
Protection standards cover these broad categories:
Sabotage Reporting
Critical Cyber Asset Identification
Security Management Controls
Personnel & Training
Electronic Security Perimeter(s)
Physical Security of Critical Cyber Assets
Systems Security Management
Incident Reporting and Response Planning
Recovery Plans for Critical Cyber Assets
NERC and the industry are working to improve and strengthen those
standards, including addressing the modifications directed by FERC in
Order No. 706. NERC, working with industry security and utility experts
and FERC staff, has divided that work into two concurrent phases. Last
week, industry stakeholders approved phase one of the improvements by
an 88% affirmative vote. On May 6, 2009, the NERC Board of Trustees
approved those phase one revisions to the Critical Infrastructure
Protection standards. NERC and industry experts will continue their
work to improve those standards further in the months ahead.
To respond to the need for standards to address pressing
reliability or security concerns, NERC can employ its urgent action
standards development process. Under its current construct, a proposed
standard can be processed through approval in approximately two months.
Modifications to this timeline are under review and are to be presented
for NERC Board approval in early August. These changes would
dramatically reduce this approval timeframe to as few as 10 days once a
team drafts the proposed standard. These timelines are impacted by the
time needed to craft the standard in response to the identified threat
or vulnerability.
If NERC needs to develop a reliability standard in response to a
critical issue that is so confidential that information can only be
shared on a ``need to know'' basis, NERC will use all the steps in the
standards development procedure, but will limit the participation and
the amount of information released within some of the steps of the
procedure. This balances the need to preserve the integrity of the
reliability standards development procedure with the need to preserve
the confidentiality of information that, if exposed, could put the
reliability of the bulk power system at risk.
Question 3. Why isn't the existing Section 215 process sufficient
to address cyber security threats and vulnerabilities? Should we extend
any new authority to physical assets?
Answer. As indicated in my response to earlier questions, the
Section 215 standards-setting process cannot adequately deal with
imminent cyber security threats. Standards prescribe the actions and
practices that all entities, large and small, must follow, day in and
day out. They are not capable of dealing with specific, targeted
imminent threats that must be addressed ``in hours or days.'' Granting
an agency of the Federal government authority to deal with emergency
threats will address the gap that currently exists. With authority to
deal with emergency situations in place, NERC can continue to work
through its more deliberative standards development process, using
security and operations experts, to make continuous improvements in the
underlying standards. NERC does not believe it is necessary for
Congress to extend new authority for the protection of physical assets.
Sufficient authorities and agencies already exist to deal with risks to
physical assets, including local and state police, the Federal Bureau
of Investigation, and the Departments of Defense and Homeland Security.
Question 4. In your written testimony, you say that in the case of
an imminent cyber security threat, authority to direct action should be
vested, as appropriate, in the Federal government of Canada. Could you
please describe a scenario where the Canadian Government should have
the authority to direct action? Directed at companies operating within
the United States?
Answer. I did not mean to suggest the Canadian government should
have any authority to issue directives to companies operating within
the United States. Rather, my testimony reflected that fact that the
interconnected bulk power system is international in scope. It spans
both the U.S./Canadian border and the U.S./Mexican border. Just as NERC
believes it imperative that the U.S. Federal government have emergency
authority to deal with imminent cyber security threats, NERC also
believes that appropriate governmental authorities within Canada and
Mexico should exercise emergency authority for imminent cyber security
threats within their respective jurisdictions. The international,
interconnected nature of the bulk power system does mean it is critical
for authorities in all jurisdictions to coordinate their actions in
dealing with imminent cyber security threats, so that they do not
unintentionally cause unintended consequences that occur as a result of
the actions they do require.
Question 5. Could you expand on the education challenges the
industry faces in ensuring that each entity understands the cyber
security challenges facing them and efforts that are being made to
overcome those challenges?
Answer. The electricity industry is very accustomed to dealing with
risks to the bulk power system, and users, owners and operators deal
with risks such as severe weather, forest fires, mechanical breakdowns,
and equipment failure every day. The cyber security challenges are
different in kind, because they can be intentional, targeted attacks
from remote locations, perhaps by hostile nation-states. And unlike the
other location-specific risks that users, owners, and operators are
accustomed to dealing with, the cyber security challenges can be very
broad in scope and affect multiple assets simultaneously. The
implications of this difference impact traditional thinking at a very
basic level: even the criteria used to define a ``critical asset'' in
the cyber world are different than those typically applied in
traditional planning and operating analysis.
Within the last year, NERC has worked extensively to help the
industry better understand the potential risks associated with
significant cyber vulnerabilities. These efforts have taken a number of
forms, but began with NERC's formation of a Critical Infrastructure
Protection program. In August of 2008, NERC hired security expert
Michael Assante as Chief Security Officer (``CSO'') to lead the program
and has recently brought additional expertise on board to support his
efforts.
NERC has also formed an Electricity Sector Steering Group
comprising seven CEO-level executives from all sectors of the electric
industry to provide overall policy guidance to NERC's Critical
Infrastructure Protection Program and achieve greater CEO-level buy-in
from industry executives. This group first met at NERC's 2008 Cyber
Security Summit held in coordination with four government agencies in
September 2008. The event was attended by 130 industry executives and
covered various security-related topics. In addition to this initial
session, NERC has subsequently arranged for special and classified
briefings for industry executives in the United States and Canada with
the intelligence community. NERC expects to continue this outreach,
with another session currently being planned for December 2009.
Webinars and other communications materials have been another key
component of NERC's educational outreach. NERC's CSO has spoken at a
number of industry web-based and in-person events. NERC has also given
significant support to the organization of security conferences, such
as the SCADA Summit meeting held in conjunction with the annual SANS
Summit in February. Additionally, NERC is currently developing a five-
part webinar series designed to educate stakeholders about requirements
in NERC's CIP standards.
NERC's alerts mechanism has acted as yet another educational tool.
In addition to their primary role of providing actionable information
to industry, regular issuance of advisories has certainly helped to
sensitize the four to five thousand individual alert recipients to
these issues. In addition to its alerts, NERC has also begun to issue
critical infrastructure ``awareness bulletins'' regarding critical
infrastructure concerns as they arise.
In February of 2009, NERC also launched its ``Network Hydra,'' a
network of industry security professionals who are regularly convened
via conference call and e-mail to discuss emerging cyber security
issues.
NERC also facilitates its Critical Infrastructure Protection
Committee, a group of approximately thirty industry professionals
dedicated to discussing and producing guidance related to critical
infrastructure concerns to the industry. The group meets face-to-face
quarterly and via conference call as necessary. NERC staff is in close
coordination with the ``Executive Committee'' of this Committee on a
weekly basis. As an example of its work, the group has recently posted
a set of guidelines for critical asset identification for industry
comment and plans to finalize these documents in the coming months.
NERC views the standards development process itself as a key
educational tool as well, as drafting the standards drives many
discussions within the industry as groups seek to provide comment and
vote on the standards.
Finally, regular correspondence with the industry, via letters such
as CSO Michael Assante's April 7th letter, the monthly newsletter, and
through a ``CSO blog'' that will become available on NERC's website in
the coming week, also provide an important educational mechanism for
the industry.
______
Responses of Patricia Hoffman to Questions From Senator Bingaman
Question 1. In your view is the authority granted in the proposal
sufficiently broad to allow protection against all cyber security
threats and vulnerabilities? Does the provision cover Alaska, Hawaii,
and distribution systems?
Answer. The proposed language gives the government new authority to
require entities that own and operate the electric power system to
address newly discovered vulnerabilities and threats. The definition of
critical infrastructure in the proposed language is sufficiently broad
to encompass Alaska, Hawaii, and distribution systems.
Question 2. Are there other vulnerabilities described in the Idaho
National Laboratory report besides the Aurora vulnerability?
Answer. Yes. The Idaho National Laboratory (1NL) 2008 Common
Vulnerabilities Report summarizes vulnerability findings from 16
control system assessments performed at the Department's National SCADA
Test Bed (NSTB) from 2003-2007. INL found these vulnerabilities as part
of its systematic testing program, in which they assess energy control
systems for potential vulnerabilities and then work closely with
vendors on specific mitigations. The Department published the common
vulnerabilities (those found in at least two of the control systems
tested) and the appropriate mitigation strategies to help owners and
operators better protect their systems from cyber attacks. Although
sensitive technical details are not included in this public report, it
does provide generalized analysis and steps asset owners can take to
evaluate their system and implement appropriate mitigations.
Understanding the types of vulnerabilities commonly found and how to
mitigate them can help protect systems currently in development, as
well as those already installed in critical infrastructure
applications. The report does not cover the Aurora vulnerability.
Question 3. You mention a number of efforts to develop technologies
and systems to prevent cyber attacks. How can you be sure that they
will be implemented by utilities?
Answer. The Department recognizes that the best way to ensure that
technologies address market needs and are implemented by utilities is
to work in partnership with the utility owners and operators, equipment
vendors, industry associations, and the research community throughout
the technology development process. For national laboratory-led
projects, each lab works closely with utilities to identify the end-
user requirements and then develops the fundamental technology which is
typically commercialized by the private sector. For example, the
Pacific Northwest National Laboratory is working with several utilities
(Alliant Energy, NiSource, Progress Energy, Entergy Corporation, et al)
to develop a security state visualization tool of the cyber security
status on a utility communications network. The tool will provide real-
time situational awareness and enhanced decision-making through fusion
of advanced technologies in perimeter security, network traffic
analysis, and signature-based intrusion detection. The utilities are
helping to develop use cases and the system requirements.
For industry-led projects, the Department selects projects on a
competitive basis and requires a minimum 20%-50% cost sharing from the
private-sector partners, depending on the stage of research and
development. A good example of success in this area is the Bandolier
project, led by Digital Bond. Digital Bond is working closely with
utilities and control systems vendors to develop security software
templates for control systems. The templates are used to audit the
security settings against an optimal security configuration. So far,
templates have been released to audit systems from seven vendors, and
are available for a nominal subscriber fee on Digital Bond's website.
The Department also ensures that technology development projects
leverage industry expertise and insight through the Energy Sector
Control Systems Working Group, an industry-government advisory group of
technical experts that was formed under the Critical Infrastructure
Partnership Advisory Council. For example, the Department conducts
annual peer reviews of its cyber security projects and engages the
Working Group to guide the technical and commercial direction of each
project.
Question 4. Is it clear that the bulk power system can be attacked
through control devices and communications systems connected to
distribution systems, as well as transmission systems?
Answer. Because of the interconnected nature of electric power
transmission and distribution systems, we believe it is possible for
attacks at the distribution system to have an impact on the
transmission system. The exact nature of these consequences is
dependent on the specific scenario and the impact or consequence of a
specific attack must be evaluated on a case by case basis.
Responses of Patricia Hoffman to Questions From Senator Murkowski
Question 1. The industry witnesses before us today urge Congress
not to broaden federal jurisdiction in the cyber arena to extend to the
local distribution system. But, if Congress limits any new federal
authority to the Bulk Power System, aren't we leaving cities like New
York and Washington vulnerable to a cyber attack?
Answer. States and local governments generally have jurisdiction
over distribution systems. If the various State regulatory authorities
don't adequately address cyber security requirements, we will continue
to have a regulatory gap that could expose the electric power
infrastructure to unmitigated vulnerabilities.
Question 2. In the 2005 Energy Policy Act, Congress created an
Electric Reliability Organization--which is now NERC--to develop
mandatory and enforceable reliability standards, including cyber
security standards, for the electrical grid. While this ``Section 215
Process'' provides for extensive stakeholder involvement, FERC has
complained that the process is too time-consuming, does not allow
timely changes, and does not protect security-sensitive information. I
am concerned that even though we learned about Aurora in 2007, the NERC
standards will still not be in place until 2010. Do the witnesses agree
that the additional federal authority, beyond the Section 215 process,
is needed for cyber security protection?
Answer. Federal authority will be required beyond Section 215 for
cyber security protection in emergency situations when there is a need
to take action as well as to address a newly discovered vulnerability
that, if exploited, would have a debilitating impact on national
security, economic security, and/or public health or safety (e.g.
Aurora). Because cyber security vulnerabilities (which may or may not
have an impact on the electric power grid) are discovered on a routine
basis, the Department also believes there must be a deliberate and
comprehensive process to determine if a newly discovered vulnerability
warrants emergency action. All such vulnerabilities, and potential
mitigation measures, must be thoroughly evaluated on a scientific basis
to determine the impact and risk to the nation in the event the
vulnerability was exploited. Any decision to act or issue an order must
be based on sound risk management principles and judgment coupled with
engineering analysis, testing, and verification considering the
characteristics of the vulnerability, the capabilities of the threat,
likelihood of attack, the potential consequences to the nation should
the vulnerability be exploited, and the cost of mitigation.
Furthermore, prior to issuing an emergency order, any proposed
mitigation action must be thoroughly and comprehensively evaluated to
determine its effectiveness, impact on performance of the power grid,
and possible unintended consequences. Finally, the Department believes
that this determination must be made through deliberation between
cabinet-level agencies including the intelligence community.
Question 3. How does the Department of Energy fit into the nation's
overall cyber security structure? How do you work with FERC and what
other agencies do you coordinate with? Which is the lead agency?
Answer. At the Cabinet level, the Secretary of Energy is a member
of the National Security Council (NSC), whose members provide top level
policy advice to the President and oversight in areas that include
cyber security. The Secretary is also a member of the Homeland Security
Council (HSC), which also provides top level policy oversight in cyber
security. The Department participates on the Deputies committee of the
NSC/HSC when they meet to provide policy oversight on cyber security,
and the Department also participates on the NSC/HSC Interagency Policy
Committee for the global information and communications infrastructure,
a policy coordination group. DOE also has representation on a lower
level interagency cyber security task force that is carrying forward
some of the implementation planning from the previous Administration's
Comprehensive National Cyber Security Initiative. Further, the
Department's Office of Intelligence and Counterintelligence is active
within the intelligence community on cyber security coordination and
planning.
Under Homeland Security Presidential Directive 7, the Department
leads critical infrastructure protection (physical and cyber) in the
energy sector--including electricity, oil, and natural gas operations--
and chairs the Government Coordinating Council (GCC) for Energy, which
includes the Department of Homeland Security (DHS) and FERC. In this
role, the Department works closely with industry members on the
Electric and Oil & Gas Sector Coordinating Councils (SCC) to develop a
Sector-Specific Plan, which outlines goals for public-and private-
sector security activities, including protecting critical
infrastructure from cyber threats. The Department has also formed the
Energy Sector Control Systems Working Group (with representatives from
the DHS National Cyber Security Division, DHS Science and Technology
Directorate, the Oil and Natural Gas SCC, and the Electric SCC) that
serves as the primary mechanism to oversee the implementation of the
Roadmap to Secure Control Systems in the Energy Sector. The Department
also works closely with the Department of Homeland Security on the
Cross Sector Cyber Security Working Group and the Industrial Control
Systems Working Group.
Question 4. We know that making our grid smarter could also
increase our vulnerability to cyber attacks. I understand that NIST is
addressing the issue of cyber security as it works on the Smart Grid
interoperability standards. FERC has also developed a Policy Statement
on this issue. Is additional federal authority needed to deal with
cyber security issues in the context of Smart Grid?
Answer. The Department is working with the private sector to
develop cyber security requirements for the Smart Grid to ensure that
cyber security is built into the design from technology development to
deployment. The National Institute of Standards and Technology (NIST)
is not developing standards, per se, but is developing an
interoperability framework that will identify the types of standards
that will be needed and track the status of standards for the Smart
Grid. NIST is also coordinating the development of cyber security
standards through the appropriate standard development organizations.
At this time, we do not foresee the need for additional federal
legislation to accomplish our goal through public-private partnerships.
The Department will continue to work with NIST to accelerate the
development of a framework for the complete suite of interoperability
standards. Once a standard is completed by the applicable standards
development organization, the Federal Energy Regulatory Commission will
issue a rulemaking to adopt the standard as required under the Energy
Independence and Security Act of 2007.
Question 5. What role did the Department of Energy play in the
President's recent interagency cyber security review?
Answer. At the request of the Director of the 60-day review team,
the Department temporarily assigned a senior-level representative with
extensive experience in working with the energy sector on issues
related to cyber security to work directly with the interagency review
team. The Department provided technical assistance, background and
situational analysis, and proposed options to consider for enhancing
cyber security in the energy sector. The Department also provided
assistance in evaluating the status of the nation's cyber security
efforts in the energy sector, an understanding of agency relationships,
status of ongoing projects, and strengths and weaknesses of current
partnerships. In response to several data calls, the Department also
submitted an inventory of departmental expertise, programs, and
funding. Finally, as principal member of the Interagency Policy
Committee, the Department provided comments on the draft report that is
currently under review at the policy level.
Question 6. An example was given at last week's Senate Homeland
Security Committee hearing where the Chief Information Officer of the
Air Force, after watching an NSA test team break into the military
service's system fairly quickly, asked the NSA team to help them
develop a more secure system. By asking the attacking team for
assistance, they put in place a more standard configuration that blocks
most attacks, allows for quick security patches, and saves them money
in procurement costs. Have DOE and FERC done anything similar to this?
Answer. Yes. The Department uses a systematic method for assessing
the cyber security of energy control systems using its expertise in
``Red Teaming'', which has evolved over decades as the steward of the
nation's nuclear arsenal. The Department uses the recognized
capabilities of its national laboratories to test systems from an
adversarial perspective, identify vulnerabilities, and work with
vendors on mitigation strategies. For example, the Department uses a
Red Team approach at the National SCADA Test Bed (NSTB) to conduct
vulnerability assessments of control systems (this does not include
active testing on ``live'' production systems which could cause a
system failure and loss of electricity). In partnership with numerous
vendors, NSTB has performed rigorous vulnerability assessments on 90%
of the current market offering of SCADA and energy management systems
(EMS) in the electric sector, and 80% of the current market offering in
the oil and gas sector. Through 20 test bed and on-site field
assessments, NSTB has delivered vulnerability information and
recommendations for security improvements to vendors including ABB,
Areva, GE, OSI, Siemens, Telvent, and others. Vendors have used this
information to build more secure systems and both vendors and asset
owners have also used it to better secure systems already in place.
Vendors have developed 11 hardened control system designs following
vulnerability assessments at the Test Bed, and 31 of these are now
deployed in the sector. Vendors have released several software patches
for use by 82 system applications in the sector. In addition, INL
releases generalized findings from vulnerability assessments in its
Common Vulnerabilities Report, which includes mitigation strategies
asset owners across the sector can use to better secure their systems.
Findings from NSTB vulnerability assessments have also been translated
into several training courses, including the Red Team/Blue Team
Advanced Training. In this weeklong course, nearly 80 energy sector
asset owners and operators have participated in a hands-on exercise
either attacking or defending a control system environment, and have
learned skills and techniques they can apply immediately in their own
systems.
Responses of Patricia Hoffman to Questions From Senator Bayh
Question 1. In your department's view, would the proposed
legislation drafted by the Committee on Energy and Natural Resources be
complementary of various other legislative efforts to address the issue
of cyber security in other sectors (banking, commerce, military, and
intelligence)?
Answer. The cyber security requirements for a cyber-physical system
like the electric power grid are quite different than the requirements
for information systems and networks used for commerce or banking. For
example, the primary cyber security driver for the banking sector is to
protect the confidentiality of the data. For many elements in the power
grid, availability of data is the primary driver.
Question 2. If this legislation is enacted, how would new DOE and
FERC authorities be complementary of the other efforts to ensure
cybersecurity undertaken by the Executive Branch and of each other?
Answer. The proposed legislation provides the DOE emergency
authority to address an imminent threat and provides FERC emergency
authority to address vulnerabilities. The Administration is currently
conducting a cyber review across the federal government and since the
report has not been issued, the Department cannot comment on how the
proposed efforts would be affected.
At the Cabinet level, the Secretary of Energy is a member of the
National Security Council (NSC), whose members provide top level policy
advice to the President and oversight in areas that include cyber
security. The Secretary is also a member of the Homeland Security
Council (HSC), which also provides top level policy oversight in cyber
security. The Department participates on the Deputies committee of the
NSC/HSC when they meet to provide policy oversight on cyber security,
and the Department also participates on the NSC/HSC Interagency Policy
Committee for the global information and communications infrastructure,
a policy coordination group. DOE also has representation on a lower
level interagency cyber security task force that is carrying forward
some of the implementation planning from the previous Administration's
Comprehensive National Cyber Security Initiative. Further, the
Department's Office of Intelligence and Counter Intelligence is active
within the intelligence community on cyber security coordination and
planning.
Question 3. Currently, how are DOE and FERC coordinating with all
of the other agencies and departments involved in cyber security (for
example, DHS, DoD, and the Intelligence Community)?
Answer. Under HSPD 7, the Department serves as the lead federal
agency for coordinating critical infrastructure activities in the
energy sector, including cyber. In this capacity, the Department chairs
the Energy Government Coordinating Council whose members include DHS,
FERC, DHS, DOD, Nuclear Regulatory Commission, FBI, Natural Resources
Canada (NRCan) et al. The Department participates with the intelligence
community mainly through the DOE Office of Intelligence and
Counterintelligence.
Question 4. How will these efforts be affected by the President's
cybersecurity review?
Answer. Since the report on the President's 60-day cyber security
review has not been issued, the Department cannot comment on the how
the proposed efforts would be affected.
�