[Senate Hearing 116-378]
[From the U.S. Government Publishing Office]
S. Hrg. 116-378
FEDERAL AND INDUSTRY EFFORTS TO IMPROVE
CYBERSECURITY FOR THE ENERGY SECTOR,
INCLUDING HOW TO IMPROVE COLLABORATION
ON VARIOUS CYBERSECURITY AND CRITICAL
INFRASTRUCTURE PROTECTION INITIATIVES
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
AUGUST 5, 2020
__________
Printed for the use of the
Committee on Energy and Natural Resources
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
41-402 WASHINGTON : 2021
--------------------------------------------------------------------------------------
COMMITTEE ON ENERGY AND NATURAL RESOURCES
LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming JOE MANCHIN III, West Virginia
JAMES E. RISCH, Idaho RON WYDEN, Oregon
MIKE LEE, Utah MARIA CANTWELL, Washington
STEVE DAINES, Montana BERNARD SANDERS, Vermont
BILL CASSIDY, Louisiana DEBBIE STABENOW, Michigan
CORY GARDNER, Colorado MARTIN HEINRICH, New Mexico
CINDY HYDE-SMITH, Mississippi MAZIE K. HIRONO, Hawaii
MARTHA McSALLY, Arizona ANGUS S. KING, JR., Maine
LAMAR ALEXANDER, Tennessee CATHERINE CORTEZ MASTO, Nevada
JOHN HOEVEN, North Dakota
Brian Hughes, Staff Director
Lucy Murfitt, Chief Counsel
Jake McCurdy, Professional Staff Member
Robert Ivanauskas, FERC Detailee
Renae Black, Democratic Staff Director
Sam E. Fowler, Democratic Chief Counsel
Nicole Buell, Democratic Professional Staff Member
C O N T E N T S
----------
OPENING STATEMENTS
Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska
Manchin III, Hon. Joe, Ranking Member and a U.S. Senator from
West Virginia
King, Jr., Hon. Angus S., a U.S. Senator from Maine
WITNESSES
Gates, Alexander, Senior Advisor, Office of Policy for
Cybersecurity, Energy Security, and Emergency Response, U.S.
Department of Energy
McClelland, Joseph, Director, Office of Energy Infrastructure
Security, Federal Energy Regulatory Commission
Conner, Steven C., President, Siemens Energy, Inc.
O'Brien, Thomas, Senior Vice President and Chief Information
Officer, PJM Interconnection, L.L.C.
ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED
Conner, Steven C.:
Opening Statement
Written Testimony
Responses to Questions for the Record
Gates, Alexander:
Opening Statement
Written Testimony
Responses to Questions for the Record
King, Jr., Hon. Angus S.:
Opening Statement
Manchin III, Hon. Joe:
Opening Statement
McClelland, Joseph:
Opening Statement
Written Testimony
Responses to Questions for the Record
Murkowski, Hon. Lisa:
Opening Statement
O'Brien, Thomas:
Opening Statement
Written Testimony
Responses to Questions for the Record
FEDERAL AND INDUSTRY EFFORTS TO IMPROVE CYBERSECURITY FOR THE ENERGY
SECTOR, INCLUDING HOW TO IMPROVE COLLABORATION ON VARIOUS CYBERSECURITY
AND CRITICAL INFRASTRUCTURE PROTECTION INITIATIVES
----------
WEDNESDAY, AUGUST 5, 2020
U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The Committee met, pursuant to notice, at 10:07 a.m. in
Room SD-366, Dirksen Senate Office Building, Hon. Lisa
Murkowski, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. LISA MURKOWSKI,
U.S. SENATOR FROM ALASKA
The Chairman. Good morning, everyone. The Committee will
come to order. We are here this morning to examine federal and
industry efforts to improve the cybersecurity of the energy
sector, including efforts to improve collaboration on various
cybersecurity and critical infrastructure protection
initiatives. It has been more than a year since we last held a
hearing on cybersecurity for the energy sector, but I think it
is fair to say that this is always a timely topic. It is also a
critical priority that we cannot lose sight of, even as we
grapple with COVID-19, lest it become the source of our next
national crisis.
There have been a few noteworthy developments since our
last hearing. Earlier this year, the President issued an
Executive Order focused on securing the bulk power system from
both cyber and physical threats posed by hostile nation-state
actors. This is an effort that will be led by the Department of
Energy (DOE). Meanwhile, the Federal Energy Regulatory
Commission (FERC) has published a paper detailing a potential
structure for providing incentives to utilities to make
cybersecurity investments following up on a technical
conference examining the same issue in 2019. I am pleased this
morning to be able to welcome our witnesses from DOE and the
FERC and to look forward to hearing the latest from them. I
also welcome the witnesses representing industry which will
play an equally significant role in how these initiatives
unfold.
The threat of cyberattacks by foreign adversaries and other
sophisticated entities is real, and it is growing. As I
mentioned on the Senate Floor earlier this week when we
confirmed Mark Menezes, cyberattacks are near constant and only
growing more sophisticated. According to the latest worldwide
threat assessment from the Office of the Director of National
Intelligence, China, Russia and other foreign adversaries are
using cyber operations to target our military and our critical
infrastructure. Those near-peer adversaries already have the
capability to launch cyberattacks against our electric and gas
infrastructure. The COVID-19 pandemic has created a unique
opportunity for cyber criminals to attack our networks,
including critical energy infrastructure. The Department of
Justice (DOJ) recently issued a press release announcing the
indictment of two individuals backed by the Chinese Ministry of
State Security. DOJ noted these two individuals not only
targeted portions of our energy sector, including DOE's Hanford
site, but also entities conducting research on a Coronavirus
vaccine. We cannot allow hostile foreign nations to disrupt our
way of life.
Energy is the lifeline for all critical infrastructure
sectors, and protecting our critical infrastructure is the
first step in ensuring its continuity. Unfortunately, we have
already seen the real-world ramifications of cyberattacks on
the energy infrastructure, and this is most vividly seen in
Russia's attacks on Ukraine. In December 2015, Russian hackers
cut off power to nearly a quarter million people in Ukraine in
an attempt to disrupt and intimidate. In the summer of 2017,
Russian hackers infiltrated the industrial control system of a
Saudi Arabian petrochemical plant and disabled the plant's
safety systems. More recently, an advanced Russian government-
backed hacking group is alleged to have probed a U.S. energy
entity's network, according to a release the DOE issued in
January. We all know the stakes here. A successful hack could
shut down power impacting hospitals, banks, gas pumps, military
installations and cell phone service. The consequences would be
widespread and devastating and only more so if we are in the
midst of a global pandemic.
The Federal Government and industry focus on cybersecurity
is a major reason why the United States has not experienced an
attack like Ukraine's. Protection of our critical assets is a
shared responsibility demanding that federal, state and private
sector partners work together to improve cyber defenses and
coordinate responses to cyberattacks. The FAST Act of 2015
contained provisions authored by our Committee to codify the
Department of Energy as the sector-specific agency for the
energy sector and to provide the Secretary with authority to
address grid-related emergencies. We also sought to facilitate
greater information sharing by protecting sensitive information
from disclosure. Our American Energy Innovation Act also has
numerous sections to enhance government industry partnerships
in this space and establishes programs to enhance the cyber
posture of smaller utilities. Most recently, I introduced a new
bill, the Energy Infrastructure Protection Act, to update
provisions in the Federal Power Act and restrict federal
disclosures of certain sensitive energy information. I know
that there are a few who may disagree with that approach, but
the alternative, disclosing and displaying our vulnerabilities
for our enemies, will hardly make us any safer.
I am pleased to welcome a distinguished panel of witnesses
who are truly at the front lines of the effort to protect our
energy infrastructure from cyber threats. I thank you again for
being with us this morning.
I will now turn to my colleague and Ranking Member, Senator
Manchin, for his opening remarks.
STATEMENT OF HON. JOE MANCHIN III,
U.S. SENATOR FROM WEST VIRGINIA
Senator Manchin. Thank you, Chair Murkowski, for convening
this hearing today, and thank you to our witnesses for making
yourselves available to join us and discuss efforts to improve
the cybersecurity of the electric sector. As a Ranking Member
of both this Committee and the Senate Armed Services
Cybersecurity Committee, I am intensely focused on the security
of our energy infrastructure. We just had a meeting yesterday
on that, and it was quite enlightening. And the importance of
our discussion today against the backdrop of a global pandemic
is not lost on any of us, I believe, in this room.
The COVID-19 crisis has made our nation, the world, acutely
aware of the consequences of being underprepared for a
catastrophic event. The pandemic has forced the energy industry
to adapt to new challenges and vulnerabilities with more
employees working remotely. There are certainly lessons to be
learned from this moment in history about the need to invest in
protections to avoid, to mitigate and respond to events that
challenge our grid's resilience and thereby our national
resilience. You all know well that threats to critical
infrastructure are serious and increasing daily. In recent
months, federal officials have warned of rising cybersecurity
threats from China, and recent reports indicate Russia has
shown renewed interest in targeting the U.S. power grid. Then
last month, the National Security Agency and the Cybersecurity
and Infrastructure Security Agency (CISA) issued an alert
urging critical infrastructure operators to take immediate
action to secure their operation technology assets. Legacy grid
systems are/were not designed to defend themselves against
modern cyberattacks, and as they grow more and more connected
to the internet, our electric systems grow more and more
vulnerable. On top of that, IBM recently issued a report that
showed that the energy sector suffers particularly high costs
from state-sponsored cyber threats. Compared with the previous
year, the costs of cyber breaches are up 14 percent because of
the increased number of attacks targeting power grid
infrastructure and the magnitude of the damage caused.
There is a lot of work being done across the sector to
address these cybersecurity challenges. I would like to
highlight the good work of my colleague, Senator King, who
recently co-chaired the Cyberspace Solarium Commission. This
Commission issued a report this spring identifying a number of
recommendations to reduce the probability and impact of
cyberattacks of critical infrastructure which he presented to
the Senate Armed Services Committee yesterday, and it was truly
quite enlightening. Although the report is broad in scope, many
of the Commission's recommendations affect the electric
industry, and I look forward to hearing about the impact to the
electric sector today.
A few months ago the President issued an Executive Order
directing the Department of Energy to identify foreign-made
grid components that pose an unacceptable security risk to the
U.S. power grid. While I support this action, I was concerned
that vendors and manufacturers of the grid equipment the order
targets were not being adequately consulted. Senator Risch and
I sent a letter to the DOE about these concerns and are eager
to see DOE utilizing the valuable knowledge and experience of
manufacturers as they implement this Executive Order. Having
both DOE and industry representatives here today, I look
forward to hearing how these engagements are going. There are
certainly opportunities for Congress to facilitate action in
this space as well, and I am proud that the American Energy
Innovation Act included several pieces of legislation that
support investments in programs that are of vital importance to
securing and protecting our critical energy infrastructure. The
bill would strengthen public-private partnerships like those I
know our witnesses will discuss today and included my and
Senator Murkowski's PROTECT Act which would establish
incentives for electric utilities to invest in advanced
cybersecurity technologies.
I am still committed to passing this comprehensive
bipartisan energy package so that these important programs can
be put into action. We have lots to do to protect and secure
our electric grid. I look forward to hearing from our agency
and industry witnesses today and what efforts are working and
what work still remains to be done.
Thank you, Madam Chairman.
The Chairman. Thank you, Senator Manchin, and you mentioned
the work of Senator King on the Cyberspace Solarium Commission.
Senator King, as a member of the Committee, has asked for a
brief moment here to introduce just that and, as you have
mentioned, he has had an opportunity before the Senate Armed
Services. It is important to acknowledge that work.
Senator King, if you would like to make any brief comment
about that before we turn to our distinguished panel, you are
certainly welcome to proceed.
STATEMENT OF HON. ANGUS S. KING, JR.,
U.S. SENATOR FROM MAINE
Senator King. Absolutely. Thank you, Madam Chair. You
outline very eloquently the danger, so I don't really have to
spend a lot of time on that. Everybody in this hearing knows
the level of risk that we have before us.
Just let me tell you a bit about the Solarium. It was
created in the 2019 National Defense Authorization Act (NDAA).
It was a national commission whose mission was to establish a
comprehensive strategy to defend this country in cyberspace.
The structure of the Commission was somewhat unique. It had 14
members including 4 sitting Members of Congress: myself;
Senator Ben Sasse; Congressman Mike Gallagher, a Republican
from Wisconsin; and Jim Langevin, who is a Democratic member of
the House and a member of the Armed Services Committee from
Rhode Island. We also had four members from the Executive
Branch and six members from the private sector. One of the most
valuable members of the entire Commission was Tom Fanning, who
is the CEO of the Southern Company, which I think is the second
largest electrical utility in the country. We had over 30
meetings. We had about 90 percent attendance at all of our
meetings, and we talked about a whole range of cyber issues.
Our report really boils down to three simple points. One is
reorganization. Reorganizing and organizing our government to
be responsive to this problem and not operate in silos.
Secondly is resilience. How to strengthen our resistance to
cyberattacks and how to build up our defenses, if you will. And
the third is response. How do we develop a deterrent doctrine
so that our adversaries have to feel that they will pay a price
for attacking this country, even if it is below the level of
the threshold of the use of force?
Energy, of course, is a major target. One of the
challenging parts of this problem, which you and Ranking Member
Manchin mentioned, is that this really has to be a partnership
between the Federal Government and the private sector. Eighty-
five percent of the target space in cyberspace is in the
private sector, a lot of that is the energy sector. And if
there is one thing we learned from the pandemic, it is that the
unthinkable can happen and a significant cyberattack is not
unthinkable. We know that it is being planned, and we know that
it is happening today. I spoke recently to a utility executive
who told me that his system is attacked three million times a
day, now, today. So this is not an abstract issue. This is
something that we have to address, and the Commission made a
number of legislative recommendations, more than two dozen of
which we hope will be included in the final National Defense
Act that is now headed to conference. I want to thank the
Committee and the Chair and the Ranking Member for their
cooperation on assisting us in getting those provisions into
the National Defense Authorization Act. There will be others
that we will be discussing over the next few months in this
Committee.
But I want to thank you for having this hearing. It is
incredibly important. This is one of our prime issues, and I
look forward to the testimony of our witnesses. Again, thank
you for your work on this and if we work together, we can
defend this country.
Thank you, Madam Chair.
The Chairman. Thank you, Senator King. Thank you for that
brief summation and to those of you, including Senator Sasse,
who were part of that very, very important Commission.
Let's turn to our panel this morning.
We have one of our witnesses that has joined us in person.
We thank you for that. Mr. Alexander Gates, who is the Senior
Advisor at the Office of Policy for Cybersecurity, Energy
Security, and Emergency Response. It is a long name. We call it
CESER there at the U.S. Department of Energy. We welcome you to
the Committee, Mr. Gates.
With us virtually today are Mr. Joseph McClelland, who is
the Director of the Office of Energy Infrastructure Security at
the Federal Energy Regulatory Commission. We welcome you, Mr.
McClelland.
Mr. Steve Conner is the President and CEO for Siemens
Energy, and we thank you for being part of this panel this
morning, Mr. Conner.
Mr. Thomas O'Brien is the Senior Vice President and Chief
Information Officer at PJM Interconnection. We appreciate that
you have joined us as well and look forward to your input to
today's discussion.
With that, we will go in the order that I have introduced
you. We will begin here in the Committee room with Mr. Gates.
We would ask you all to try to keep your comments to about five
minutes. Your full statements will be included as part of the
record, and then we will have an opportunity for questions from
those of us present and those of us online.
Mr. Gates, welcome, and again, thank you for your
leadership there at the Department of Energy. Please proceed.
STATEMENT OF ALEXANDER GATES, SENIOR ADVISOR, OFFICE OF POLICY
FOR CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE,
U.S. DEPARTMENT OF ENERGY
Mr. Gates. Thank you, ma'am.
Chairman Murkowski, Ranking Member Manchin and members of
the Committee, thank you for the opportunity to appear before
you to discuss the Department of Energy's important work to
protect the energy infrastructure from cyber threats. A
reliable, resilient and secure energy infrastructure is
critical to U.S. economic competitiveness, national security
and, to put it frankly, our way of life. As an organization
responsible for safeguarding the nation's nuclear stockpile and
as a member of the intelligence community, the Department of
Energy is keenly aware of threats to our national security.
Today that includes cyber threats to the energy sector. In the
2019 and 2020 worldwide threat assessment, the Director of
National Intelligence stated, ``Our adversaries and strategic
competitors will increasingly use cyber capabilities to seek
political, economic and military advantage over the United
States and its allies and partners. China, Russia, Iran, North
Korea increasingly use cyber operations to threaten both minds
and machines in an expanding number of ways, to steal
information, to influence our citizens and to disrupt critical
infrastructure.''
Within the Department, CESER and the Office of Electricity
form a nucleus that provides products and services that improve
the energy sector's cybersecurity and resilience. Whether it's
electricity, oil, natural gas or renewables, CESER endeavors to
increase the security of the United States' energy
infrastructure against all hazards through the following
priorities: improving emergency response and recovery,
expanding cyber discovery activities, creating high fidelity
situational awareness, providing more focused research and
development, further solidifying our partnerships and
increasing workforce development efforts. The Office of
Electricity, on the other hand, is focused on long-term
research and development to build a secure and resilient power
grid. The Office has four strategic priorities: building
advanced modeling capabilities, innovating in the field of
megawatt scale grid storage, improving grid operations and
performance through advanced sensing technology and securing
defense critical electric infrastructure.
Some key DOE initiatives that come out of those groups of
priorities include the Cyber Risk Information Sharing Program,
or CRISP, which is a public-private data sharing and analytic
platform that facilitates the timely, bidirectional sharing of
threat information amongst energy sector stakeholders. The
North American Energy Resilience Model (NAERM), which is a
modeling capability that analyzes risk and threats to the grid
and other interdependent infrastructures, provides operational
situational awareness. The Cybersecurity Testing of the
Resilience of Industrial Control Systems, or CyTRICS, tests
critical components to identify and mitigate embedded cyber
vulnerabilities in industrial control systems within the energy
sector. And, of course, Executive Order (EO) 13920, Securing
the United States Bulk Power System. In response to the growing
threat, the EO authorizes the Secretary of Energy, working with
other federal departments and agencies and the private sector,
to quickly and proactively protect the bulk power system.
Cybersecurity in the energy sector is a complex endeavor
that will require more authorities, laws, and in some respects,
an extreme level of collaboration to achieve. As a sector-
specific agency, the Department of Energy relies on strong
collaboration with FERC, NERC, and CISA, in order to make
progress. Utility owners, coordinating councils, and trade
groups are all very effective partners in this fight.
Collectively these entities form the fabric of a public-private
partnership that everyday serves to protect the nation's energy
infrastructure. Despite all the progress made to date, the
cyber threats to the sector are real and outpacing our
collective solutions. Still, more action is needed to make the
energy sector more resilient and cybersecure.
Thank you for this opportunity to appear before your
Committee. I look forward to working with you to address the
nation's cyber and physical security challenges to the energy
sector.
[The prepared statement of Mr. Gates follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Mr. Gates, thank you very much for that
testimony.
We will now go online to Mr. McClelland, with the Federal
Energy Regulatory Commission. Welcome.
STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ENERGY
INFRASTRUCTURE SECURITY, FEDERAL ENERGY REGULATORY COMMISSION
Mr. McClelland. Thank you, Chairman Murkowski, Ranking
Member Manchin and members of the Committee. Thank you for the
privilege to appear before you today to discuss potential
threats to the bulk power system in the United States. My name
is Joe McClelland, and I am the Director of the Office of
Energy Infrastructure Security at the Federal Energy Regulatory
Commission. I come before you as a Commission staff witness,
but I should note that my remarks do not necessarily represent
the views of the Commission or any individual Commissioner.
In the Energy Policy Act of 2005, or EPACT 2005,
specifically Section 215 of the Federal Power Act, Congress
entrusted the Commission to approve and enforce mandatory
reliability standards for the nation's bulk power system.
Section 215 requires the Commission to certify an electric
reliability organization, or ERO, that is responsible for
proposing, for Commission review and approval, reliability
standards or modifications to existing reliability standards
that help protect and improve the reliability of the nation's bulk
power system. The Commission certified the North American
Electric Reliability Organization or North American Electric
Reliability Corporation, or NERC, as the ERO. Section 215 of
the Federal Power Act provides stakeholder input in the ERO's
development of reliability standards for a bulk power system.
This process works relatively well to develop standards to
address traditional operations and planning related reliability
events that may cause grid failures or blackouts such as from
improper vegetation management or failures associated with the
operation of protective equipment.
The nature of national security threats by adversaries
intent on attacking our nation's electric grid significantly
differ from the reliability of vulnerabilities that have caused
regional blackouts and reliability failures that we have faced
in the past. Widespread disruption of electric service can
quickly undermine the U.S. Government, its military and the
economy, as well as endanger the health and safety of millions
of our citizens. To help mitigate these advanced, persistent
and rapidly evolving threats, the Commission uses a two-pronged
approach regarding grid reliability, employing mandatory
reliability standards to establish a foundation of practices
while also working collaboratively with the industry, with
states and other federal agencies to identify and promote best
practices.
While NERC reliability standards are the foundation of the
Commission's work to address cybersecurity, there are
additional measures that can and should be taken to further
improve industry's cybersecurity posture in light of these
rapidly evolving threats. That is why the Commission
established our office, or OEIS. OEIS partners with industry,
states and federal agencies to develop and promote best
practices for critical infrastructure security. Working with
these organizations, OEIS helps identify new and emerging
threats, inform the private sector of them and then assist with
mitigating action. One example of OEIS' work is that we conduct
voluntary architectural assessments of utility computer
networks, reviewing everything from the configuration of legacy
equipment to the application of state-of-the-art protection
systems. Another example is OEIS works with the Office of the
Director of National Intelligence and the Department of Energy,
specifically CESER, to conduct briefings and exchange
information with state and industry officials about the current
threats industry is facing and what can be done to address
them. More broadly, OEIS works with the NERC Electricity
Information Sharing and Analysis Center (E-ISAC) to rapidly
issue bulletins and alerts informing industry of specific
vulnerabilities and threats as well as best practices that can
defend against them. And as a final example, OEIS assists with
the planning and execution of tabletop exercises and
participates in joint security programs with other government
agencies. In fact, just last week, OEIS assisted the National
Guard units and participating utilities in the New England
states to conduct Cyber Yankee, a simulated cyberattack on
utility networks. Exercises such as this are critical to
maintaining readiness and ensuring our ability to respond to
cybersecurity events.
In conclusion, cybersecurity threats pose a serious risk to
the bulk power system and its supporting infrastructures that
serve our nation. These are complex, persistent and fast-
evolving issues. Therefore, the Commission has adopted this
two-pronged approach to best address the important security
matters. Thank you again for the opportunity to testify today,
and I look forward to your questions.
[The prepared statement of Mr. McClelland follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Mr. McClelland, thank you for that. We
appreciate it.
Let's next go to Mr. Conner from Siemens Energy. Mr.
Conner, welcome.
STATEMENT OF STEVEN C. CONNER, PRESIDENT,
SIEMENS ENERGY, INC.
Mr. Conner. Thank you, Chairwoman Murkowski, Ranking Member
Manchin and members of the Committee, thank you for the
opportunity to testify today. My name is Steve Conner. I'm the
President of Siemens Energy, Inc., which is the U.S. regional
entity of Siemens Energy. We have more than 11,000 employees in
the U.S. supporting the country's grid operations at 21 power
equipment and manufacturing service and innovation sites. Our
headquarters is located in Orlando, Florida. The United States
is our company's largest market worldwide, and Siemens Energy
equipment provides secure, resilient technologies that support
one-third of America's total daily energy needs. We have been
working with our customers on solutions for the evolving
demands of industry and society for more than 150 years. We
have been a partner to the United States Government, America's
energy producers and its energy providers for decades. We have
a deep understanding of the safest and most resilient
infrastructure technologies and processes necessary to secure
one of our most essential national assets, America's power
grid.
Industrial cybersecurity is at the core of our Siemens
Energy business. Our products and solutions have industrial
security functions that are built in by design and turned on by
default. They support the secure operation of plants, systems
and machines and networks of our customers. We use this
experience and expertise to establish partnerships that advance
cybersecurity efforts. I would like to share with you some
examples of those collaborations with both the public and
private sectors.
In 2018, we created the Charter of Trust which is now a
leading global initiative of companies and organizations
focused on securing critical infrastructure. We're a founding
member of the Energy Cybersecurity Alliance, a partnership of
energy companies, manufacturers and service providers. We have
a dedicated team of seasoned security experts which we call our
ProductCERT team that manages the receipt, investigation,
internal coordination and public reporting of security issues
related to the Siemens products solutions and services. Any
vulnerabilities discovered are shared with our governmental
partners. And just last week, the New York Power Authority
(NYPA) and Siemens Energy announced a new collaboration to
develop an industrial Cybersecurity Center of Excellence. It
will bring the public and private sectors together to develop
innovative cybersecurity best practices that will serve as a
model for deployment at other utilities. This first of its kind
Industrial Cybersecurity Monitoring Research and Innovation
Center will focus on detecting and defending against
cyberattacks on critical infrastructure owned and operated by
NYPA, the largest state-owned electric utility in the nation.
Successful solutions have potential to be deployed and
commercialized at other public and private organizations that
operate critical infrastructure across the U.S.
Supply chain security is just as important as
cybersecurity. By ensuring the security of our supply chain, we
enhance the reliability, security and resilience of America's
energy infrastructure. This depends on close collaboration and
involvement with our customers, partners, suppliers and
governments around the world to secure our supply chain.
Some examples of our supply chain security policies and best
practices include a supply chain management standard that
performs regular supplier audits to address technical,
commercial and cybersecurity risks and opportunities. We
manage, track and control access to confidential data, chronic
development and source code, both physically and virtually. We
don't share any overall product development information with
the suppliers. We utilize select components from qualified
suppliers only, which includes testing their hardware, software
and security, and only then including them in an approved
components database. And lastly, we perform civil, criminal and
governmental-sanctioned background checks as necessary.
As you can see, Siemens Energy takes its responsibility to
secure our country's critical energy infrastructure by
collaborating with the public and private sector very
seriously. We are constantly looking for additional ways to
engage the public sector, including supporting vendor-driven
forums that would improve industry involvement and promote
wider discussion on the vulnerabilities and supply chain risks.
Thank you again for inviting me to testify, and I, along
with the 11,000+ U.S. employees of Siemens Energy, look forward
to the continued collaboration necessary to ``keep the lights
on'' in the U.S. energy infrastructure.
[The prepared statement of Mr. Conner follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Conner. We appreciate your
time before the Committee this morning.
Finally, let's go to Mr. O'Brien with PJM Interconnection.
STATEMENT OF THOMAS O'BRIEN, SENIOR VICE PRESIDENT AND CHIEF
INFORMATION OFFICER, PJM INTERCONNECTION, L.L.C.
Mr. O'Brien. Chairman Murkowski, Ranking Member Manchin and
Committee members, thank you for the opportunity to speak to
you today on this critical topic. I appreciate the opportunity
to represent PJM. I also appreciated the opening comments from
the Chairwoman and some of the things that she covered
specifically around the Energy Information Protection Act which
is something that's very important to us at PJM and the
industry.
I'd like to thank my fellow panelists for their insights
and contributions. I've worked with some of them in the past,
and I really appreciate everything that you do.
My written testimony covered a broad range of topics,
including PJM's current approach to managing cybersecurity,
partnership and collaboration, cybersecurity supply chain
considerations, workforce and training and longer-term
considerations. In my brief remarks, I will build off of some
of the key points from my fellow panelists and leave you with
three things for consideration and let the written testimony
speak for itself.
First, and this was highlighted by everybody, collaboration
and partnership are essential between and amongst government,
industry and our service providers. It is essential
and no one can do it by themselves. I'd like to share a couple
of examples. DOE and DHS lead the charge on both classified and
non-classified briefings, and this is critical to industry for
managing priority and risk management. The Electric ISAC, which
is part of NERC, is the hub of information sharing for the
electric industry. They continue to evolve their information
sharing programs and the industry relies on that significantly.
The E-ISAC coordinates the cyber risk information sharing
program which is just one way to get intelligence on what the
adversaries are doing. DHS has a program for sharing threat
indicators with industry and something that we use at PJM.
I'd like to echo some of what Joe McClelland said. We work
with FERC on things like risk management, best practices, and
we appreciate their support. And again, I would emphasize the
importance of protecting critical information, which again, was
highlighted in the opening by Chairwoman Murkowski.
Now let's talk about compliance for a second. Just because
the electric industry is on the forefront of compliance, NERC
sets standards but they don't do it blindly. They do it with
industry engagement, and regional entities lead the audit
process which essentially drives transparency and allows for
consistency. I also wanted to speak to just one example that
PJM is involved with around fuel security. We're looking at a
phase three fuel security study at the moment. It's looking at
major interstate pipelines, modeling, both physical and cyber
scenarios and we've had great support from DOE, from FERC, and
we'd like to thank them for that.
The second takeaway that I'd like to leave with you is that
risk management must be informed by a clear understanding and
appreciation of the adversary, is informed by threat
intelligence, likelihood and impact, and requires adequate
investments. On October 1st of 2020, the NERC cybersecurity
supply chain management standard will go into effect. That's an
excellent starting point for advancing controls to mitigate
risks and associated threats, and I'm sure that will continue
to evolve. As previously mentioned, we're looking at the impact of
the Executive Order and that has potential sweeping and broad
implications for the procurement of electrical equipment as
well as legacy equipment. And while ISOs and RTOs do not own
the assets, the order will have significant operational
planning and marketing impacts. Consistent with the feedback
from Bruce Walker from DOE, we agree that it should be a
surgical approach.
The final point that I'd like to leave you with is that
metrics and key performance indicators are critically important
to security operations. You can't improve what you don't
measure, and you need to establish key targets so you can see
how your progress is going. That will allow you to focus on
transparency and continued recruitment.
I'd like to thank you for the opportunity to appear before
this Committee. I look forward to your questions, and I
appreciate the opportunity to leave you with my three
takeaways: collaboration and partnership between government,
industry and our service providers is essential and no one can
do this alone; risk management must be informed by clear
understanding, appreciation of the adversary; and finally,
metrics and KPIs are necessary for a clear security operating
picture. Thank you for this opportunity.
[The prepared statement of Mr. O'Brien follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. O'Brien, and we thank each of
the panelists that have appeared before us this morning.
Mr. Gates, I want to start with you in terms of my
questions. I think everyone on the panel this morning has
mentioned the need and the necessity for collaboration and
partnerships, but we all know that it is one thing to say I am
going to partner with you, I am going to collaborate with you,
but you have to trust one another. And sometimes when we are
operating in a world of cybersecurity, you are not quite sure
who to trust.
So, as several have mentioned, the Executive Order on the
bulk power system is going to require enhanced information
sharing between the government and the entire energy sector,
including our utilities, our vendors and our manufacturers. If
you can speak to how, within DOE, we can improve the protection
of sensitive data that it receives from the industry and then
also, how can DOE improve its trust of the private sector when
sharing sensitive government information? I know, oftentimes,
what we will hear is the industry is required to give the
information, but they don't feel like they have been fully read
into the situations. And so, again, collaboration and
partnership are key and important, but that is also built on
trust. So can you speak to both sides of that, please?
Mr. Gates. Thank you, Senator. I'll address the protection
of the sensitive information from industry. That's always a
challenge. Certainly, as it relates to collecting data from the
Executive Order and the RFI that will allow us to implement the
Executive Order, the RFI went out in July and ends in August.
Protecting that information is, kind of, central to the
program. The Department, when you look at information sharing,
when you look at analysis and data gathering programs, has not
only CRISP but the CATT program that you may have heard of, the
Cyber Analytics and Technical Techniques program. Those types
of initiatives are central to understanding what's going on and
then sharing information in a way that's protected. Liability
protections for companies, for example, is part of that
equation. The other part of that equation is the Department and
the government protecting less than classified but very
sensitive information. So we are designing systems and programs
that the Department of Energy protects secrets and sensitive
information in a number of endeavors from our science and
research initiatives with the national labs to our nuclear
stockpile and weapons protection programs, and cybersecurity is
another aspect of that.
As it relates to the sector trusting us, that's a tough
one, but if you just look at what's happened in the last four
or five months and our response to the pandemic, the sharing
that we've had with the different coordinating councils, the
use of the ISAC to share information, we think the trust in the
sector is growing, that the Government is actually figuring out
how to take even classified information through a process,
sanitize it in a way that it can quickly be distributed through
either CISA or the E-ISAC but out to the sector in timely
enough fashion that it actually makes a difference. We haven't
totally solved the problem, ma'am.
The Chairman. Right.
Mr. Gates. It's a work in progress, but we think the trust
issue, the trust equation is improving in favor of both the
Government and the sector.
The Chairman. Well, and I think we recognize that it has to
in order for this all to work.
Let me ask you one more question. Hopefully this one is
relatively brief. Many of us on this Committee have electric
co-ops and municipal utilities that have benefited from the DOE
initiative that is focused on improving the cyber and physical
security posture of the electric sector. In Alaska, we are
primarily served by our rural electric co-ops and our municipal
utilities. Last year, Congress agreed to appropriations report
language that encouraged CESER to continue this initiative. Our
energy bill also includes language that encourages these types
of public-private partnerships. We also established a grant
program to improve the cyber posture of our smaller utilities.
Can you give us any update on the status of this initiative?
Has any funding been released in this regard?
Mr. Gates. Ma'am, I'll get the exact details of the status
of the program to you after this session. But we are working
very hard to make sure that money flows to the sector and even
outside of that program, the small utilities are, they're a
soft, in some respects, a soft underbelly of the grid and we
take great pride in, you know, certain research and development
programs, like the Essence program that we think are going to
be valuable in providing those entities the same level of
protection as some of the larger utilities. So I'll get the
detailed answers to you.
The Chairman. Well, I appreciate that and, again, that is
something that, I think, we recognize there is a vulnerability.
They may be small, but once you work your way in, you can do a
lot of damage there and recognizing the cost then to these
small, rural electric co-ops and our municipal utilities, this
is something that we have been focused on.
Let me turn to Senator Manchin.
Senator Manchin. Thank you, Madam Chairman.
First of all, to Mr. McClelland. As you are aware, Senator
Murkowski and I introduced the PROTECT Act last year. The bill
would establish incentives for electric utilities to invest in
advanced cybersecurity technology. FERC's recent staff white
paper exploring cybersecurity incentives considers several
options that could work to achieve some of the objectives laid
out in our bill. What are the next steps for FERC in
considering cybersecurity incentive options, and can you share
what some of the public comments have been in the docket?
Mr. McClelland. I think I found the unmute button. Thank
you, Senator, for the question and also I just want to thank
you for your work on the bill and your continued support and
interest in cybersecurity. The, as you're aware, the white
paper was a FERC staff white paper. It went out on June 18th as
a 60-day comment period. And the white paper proposes two
mechanisms of incentives. One is to exceed the current
obligation within the CIP, the NERC, Critical Infrastructure
Protection, or CIP, reliability standards, that would be, say,
for instance, if an entity went from a low designation to a
medium or a high designation.
The other is to follow the NIST framework. The NIST
framework was established by Executive Order in February 2013
and its purpose was to create a set of best standards that all
critical infrastructure sectors could share, all 16 sectors
could share. So the industry collaborated with government to
produce that NIST framework. It was revised, subsequently it
was revised twice. So it was produced in 2014 and revised in
2018. So the white paper proposes either or both of those
alternatives. We're awaiting comment. I don't have the status
of what the current comments are to that proceeding, but we'd
be happy to follow up with you.
Next steps would be to consider those comments and then use
that within the Commission as a mechanism to better understand
how, where industry would like, where the most effective place
to apply the cyber incentives might be.
Senator Manchin. Thank you, sir.
I only have a few minutes here, so I want to go through
some things very quickly, if I can.
Mr. Conner, we have talked about deterrents. How do we
deter other nations from hitting us, especially in our grid
system which would be very vulnerable and very harmful to our
country? I guess, retaliation. How do you believe the
retaliation--what we should do when we know these perpetrators
are continually trying to do all the damage they can--what type
of deterrents do you think that we, as the United States
Government, should take against these perpetrators? Should we
hit back? Should we hit back at their critical infrastructure
or just give them a warning or what is the recommendation?
Mr. Conner. Well, I think, as was mentioned earlier, we
can't have, we can't have something that really has no meaning,
but you know, it's true from our standpoint that, you know, the
technology that's out there, we have to continue to fight this.
This is not a matter of a ``nice to have,'' it's--or a ``needs
to have.'' This is a ``needs to have'' and it changes daily. So
as far as deterrents, you know, we don't really look at that
from Siemens Energy Inc.'s viewpoint, but I do--but I believe
there is something that we have to do to make it crucial for
people who want to come in and attack our grid system.
Senator Manchin. Yes. I would like to get some of you all's
input to try to make sure that we are not out of sync with the
rules of engagement, if you will, but we have used retaliation
from our nuclear response to let them know that we would hit
and hit hard. I think in order to stop this type of attack, we
have to make sure that they understand that we will use every
means that we have to come back at these countries who are
going at us, to hinder us, really, and harm us. I would love to
hear from you all in the industry, if you will.
Mr. Gates, if I can follow up real quick? Presidential
Policy Directive 21 designated responsibilities to different,
to various federal agencies, departments and agencies, to serve
as sector-specific agencies and support the private sector in
managing the risk and respective critical infrastructure
sectors. This recommendation was incorporated into the House
version of NDAA and will likely come up in conference. I
support these discussions and hopefully they acknowledge and
preserve the important role that DOE plays in protecting the
electric grid.
Mr. Gates, do you agree that DOE provides specific
capabilities and expertise as a sector-specific agency (SSA)?
Is there additional clarification that DOE needs to fulfill its
responsibility in this regard, and how do you all interact with
the sector-specific agencies to ensure their coordination, but
not duplication?
Mr. Gates. Thank you for the question, Senator Manchin.
I think in many respects the Department of Energy is a
unique SSA. Not only does the sector know us, but we know the
sector and, in many respects, we're part of the sector. As you
know, we're, we manage PMAs. We manage the SPRO. We're, in some
respects, an operator and those kinds of requirements are
important to us understanding what's going on, sharing
information with our partners. So I think that unique aspect of
DOE is important. It gives us credibility in the sector, and I
think it allows us to go at the cyber problem and other
problems really aggressively because, you know, you add our----
Senator Manchin. Yes.
Mr. Gates. ----our national lab complex and just the talent
and expertise we can bring to the problem. We think it's
important for us to serve a strong SSA role.
Senator Manchin. Thank you.
Thank you, Madam Chairman.
The Chairman. Thank you, Senator Manchin.
We will next go to Senator Cassidy, who is with us online.
Senator Cassidy. Hello, gentlemen. Thank you, Madam Chair.
Mr. Gates, last year we heard that one of the problems of
information sharing was getting security clearances for
partners in the private sector. Can you give us an update? Have
we been able to better gain those security clearances, which is
to say, better able to share this information?
Mr. Gates. Senator, I do not have an answer, a specific
solution. Clearing, you know, the thousands of owners in a way
that allows us to share highly sensitive information is an
incredibly difficult challenge. We've taken the, I think the
approach that is more historic in trying to make the
information still useful but not sensitive, so in a way that is
useful to the sector but doesn't threaten sources and methods.
It's a difficult challenge. It's been a difficult challenge
clearing just individuals who actually work in national
security. It's one that we need to tackle, but I'll give you an
update offline on the status of that action.
Senator Cassidy. I would appreciate that because, again, it
was identified as an issue a year ago and it does seem as if it
was highlighted a year ago as, kind of, the Achilles heel. And
so, however we can address that, that would be great. I will
accept that it should be offline.
Mr. Conner, as an equipment manufacturer, how do you feel
that this information sharing has progressed because it does
seem as if there is a threat. It seems, again, as an equipment
manufacturer, you need to be actively involved with the nature
of the threat.
Mr. Conner. Yeah, as I mentioned earlier, we have a number
of tools, you know. Collaboration, I think Mr. O'Brien talked
about, nobody can do it alone. So we have a number of tools
that we go out with our partners and our customers on/with,
when we take a look at, for instance, the DOE talking with
them. We just had a meeting end of June with Secretary
Brouillette and talked about what we can do on the order to
help, kind of, guide this along. But again, I think it's hey,
the collaboration, I think is good. We can always improve
things, and we need to continue to improve things to keep this
moving forward.
Senator Cassidy. Mr. Conner, I am also very interested in
counterfeit goods and the ability of counterfeit goods to
basically serve as a sabotage instrument, and you mentioned the
quality control that you have in order to prevent that from
occurring. Can I ask, does any of your supply chain go through
China? I say that because we know that the People's Liberation
Army has allegedly inserted chips into servers that would allow
information to go back, chips that were only found with
forensic engineering. So again, to what degree do your supply
chains go through China and do we have such a risk?
Mr. Conner. Very minimal, very minimal supply chain usage
for us out of China. We do have facilities in China, and we do
serve that market. That's not on Siemens Energy Inc. side, my
side in the U.S., but that's on the larger part of Siemens
Energy as a whole. What we actually go through, as I mentioned
in my testimony, we actually have preapproved vendor lists and
these vendors have to go through rigorous testing. We take a
look at all their products and then----
Senator Cassidy. Let me ask, because I heard your
testimony. I have also become aware that having a network of
vendors represents a security challenge for actually the parent
company, if you will. If it is a vendor to the Department of
Defense (DoD) that they can, kind of, work their way up the
information chain into a prime contract. Similarly, since we
are concerned about the cybersecurity of our grid, the
cybersecurity of Siemens itself, I am sure that you have a
number of cyberattacks as well. With this network of providers/
vendors, how does Siemens avoid cyber espionage upon what you
are doing and on cyber sabotage?
Mr. Conner. Well, we actually have a significant group both
in the U.S. and globally that goes through and tests every day.
We get attacked thousands of times a day. I think somebody
mentioned earlier, 300 million times a day. I don't think it's
that much, but again, ours is, we have the, our approved vendor
list. We go through and we have, to the extent we find
something or from a compliance standpoint somebody doesn't meet
that requirement, we kick them off. So it's almost, it's a
significant amount of business that they would lose. And we
also do, as I mentioned earlier, we do background checks and
even through governmental, even the U.S. Government on who
we're going to utilize as vendors, et cetera, to make sure they
meet all the requirements to avoid having any counterfeit parts
in our systems.
Senator Cassidy. Okay.
Thank you, Madam Chair. I yield the floor.
The Chairman. Thank you, Senator Cassidy.
Senator King.
Senator King. Thank you, Madam Chair.
There is one subject that we have not touched on today. It
is not really within the jurisdiction of this Committee, but I
just mention it in this context and that is the vulnerability
of water systems. There was a recent alleged attack by Iran on
an Israeli water system. Fortunately it was defended against
successfully, but we have something like 50,000 water
companies, separate water companies, in this country and that
is a risk that the Congress needs to address.
Secondly, an issue that has not come up yet today is the
gas pipeline system, and in New England about 60 percent of our
electricity comes from natural gas and all the natural gas
comes through the pipeline system. So at least in our region,
and I suspect in other areas of the country, the pipeline
system is part of the energy grid. You can protect the energy
grid, but if the gas can't get through for some reason, the
lights are still going to go off. My concern is TSA, in 2005,
was given the authority to regulate the pipeline system. They
were given the authority to issue regulations which they never
have, and I am reminded of Lincoln's famous letter to
McClellan, ``If you're not gonna use the army, perhaps you
could lend it to me for a while.'' If TSA is not going to use
this authority, perhaps we should give the authority to
somebody who will use it because this is an enormously
important part. They are relying entirely on voluntary self-
regulation. I just don't think that is adequate given the level
of risk. And I know that FERC has an interest in this. This is
something I very much want to follow up on.
A couple more specific questions to our panelists. Mr.
O'Brien, do you red team your system? Do you do pen testing to
see whether you have vulnerabilities? Do you have hackers for
hire to test the security of your system?
Mr. O'Brien. Yes, thank you for the question, Senator King.
We do a couple things. One is we do continuous red teaming, and
we partner with an outside firm that's constantly probing our
system and looking for issues. Secondly, we do what we call
compromise assessments. We've brought in a top forensics
company, Mandiant, to comb through our network looking for
issues. And finally, we do internal audits, penetration testing
and all that. So yes, we do. Thank you.
Senator King. That is very reassuring.
I want to ask Mr. Gates and Mr. McClelland the same
question. I was very disturbed a year or two ago when we had a
hearing on this subject when I asked the fellow from NERC, do
you red team? Do you pen test? And the answer was, I don't
think so or something to that effect. Do you, as the agencies
that are looking after this incredibly important
infrastructure, do you do penetration testing and red teaming
on the networks that you are responsible for?
Mr. Gates?
Mr. Gates. Senator King, thank you for that question.
In the context of the federally-owned assets, the PMAs, the
SPRO, there is a red teaming of other, kind of, security
measures that are taken to verify certain aspects of the
defenses of the system and----
Senator King. What about the private systems that are part
of your responsibility?
Mr. Gates. So in that respect, and that's where the ESCC,
the ONG SCC and other forums are important where we can advise
and consult and recommend defensive services such as red
teaming, such as pen testing.
Senator King. So the answer is no, you don't do this
yourself. Is that correct?
Mr. Gates. So we don't do it ourselves and we're not, we're
not designed, CESER wasn't designed to provide that service.
Senator King. But wasn't CESER designed to protect the
grid?
Mr. Gates. It's designed to protect the grid, yes, sir, but
through using----
Senator King. Isn't protecting the grid determining whether
it is safe?
Mr. Gates. It is, but using the authorities and the
resources that have been allocated to do that mission which we
believe we're operating in, we could do more, perhaps we should
do more. I don't know if it gets to the level of pen testing or
red teaming. There are certain people on my staff who would
love to take that on. But again, right now, in the role with
the responsibilities and authorities we have and the
partnerships, it's an advisory service that we're providing at
this point.
Senator King. Well, if you need additional authorities, I
hope you will take for the record a question to let us know
what additional authorities you need. I don't see how you can
carry out a mission of protecting the grid without testing the
grid's vulnerability.
Mr. McClelland, I did not get a chance to follow up, but I
want to ask, I want you to think about the same question.
Finally, Madam Chair, I just hope that we could follow up
this hearing with a hearing on the natural gas pipeline system,
because I think it is a crucial part of our energy system and I
am very concerned that we don't have the level of standards,
testing and examination on that system that we have on the
grid.
Thank you very much, Madam Chair, I appreciate it. I yield
the floor.
The Chairman. Thank you, Senator King, and know that I
certainly agree in terms of our energy infrastructure as it
relates to our pipelines.
I don't see Senator Gardner on--I know he is popping in
between three hearings this morning--so let's go to Senator
Hyde-Smith.
Senator Hyde-Smith. Thank you, Chairman Murkowski, and
thank you, panel, for appearing today because your testimony is
very valuable to this Committee. Your insight is very
important, and I certainly appreciate you guys taking the time
and being with us today.
My question is for all of you. It is well known that our
nation's critical infrastructure is under constant threat of
attack from our adversaries as we have been discussing. Couple
this with the aging and fragile nature of systems running
critical energy delivery systems and you have a potential
recipe for disaster with our aging infrastructure. I know a lot
of time and resources are dedicated to implementing the best
practices and standards to secure these assets; however, best
practices and standards do not often stop increasingly
sophisticated bad actors for long. In your judgment, how much
more should we be investing in time and resources recruiting
private or government entities that specialize in protecting
the energy sector and counteracting these threats?
We will start with whoever wants to go first.
Mr. Gates. Thank you for the question, Senator Hyde-Smith.
Investment is always a tricky and difficult question,
particularly from the government perspective when you have, you
know, so much private ownership of an entity. So finding the
right balance is a challenge. I think I can say, as you've
stated, we're not investing enough, but how much of that should
be public or private investment is a fair question. As Senator
King mentioned regarding the pen testing, there are other
security services that can be provided to identify threats. I
think what we're doing in the Department to create products
like the NAERM, the North American Energy Resilience Model,
DCEI, CRISP--I think those are things that are helping, but
more can be done on the ground to help sense more, to provide
more analysis to identify threats more quickly and mitigate
them.
What that investment looks like, I can't say, but I know
it's not enough. The system is so large and expansive and you
have such a different kind of stakeholder--stakeholders that
can invest a lot on their own--and then you have communities
that are on limited budgets. So it's a complicated problem that
needs to be addressed, but it will require more investment.
Mr. O'Brien. Yeah, Senator Hyde-Smith, this is Tom O'Brien
and I would add to what Alexander Gates discussed is, you
brought up a really good point that there are legacy systems
and there's older systems that are out there and we need to
protect our systems. And I would go back to what we talked
about earlier around the cybersecurity framework. We know how
sophisticated the adversaries are. We still need to be able to
protect our assets. We need to be able to detect when a bad
actor is getting into our systems and we need to be able to
recover and respond when that happens. That will require
increased investment by everybody and I think it needs to scale
based on the risks that you have. So just as a short answer,
that would be my feedback.
Thank you.
Senator Hyde-Smith. Thank you.
Mr. McClelland. If I might add, Senator, just add one other
perspective?
Our office conducts individual assessments at utility
networks. In many cases, these networks are large and complex.
They have tens of thousands of points. One of the
recommendations we make, because it is so difficult, the
challenges are so sophisticated, and it's so rapid as far as its
movement, one of the recommendations we make is that the
utilities consider hiring outside expertise, contractors, that
would assist during an emergency. So if their systems were
breached, if they were having difficulty, they would bring in
the outside contractors who have already helped preconfigure
and arrange those networks so that they could be more
resilient, better able to come back online and then it wouldn't
be a matter of scrambling to try to find a contractor that
could provide some assistance at the last minute.
So we actually focus this more toward the private sector to
say FERC can provide cost recovery. We can provide incentives.
We're seeking comments about how those incentives and that cost
recovery structure would best benefit the private sector, but
at the same time, we are offering recommendations to address
the issue that you raised.
Senator Hyde-Smith. Thank you very much.
My second question----
Mr. Conner. Yes, Senator----
Senator Hyde-Smith. I am sorry.
Mr. Conner. I was just going to respond.
Senator Hyde-Smith. Oh.
Mr. Conner. You know, as I mentioned earlier, Senator, in
my responses, companies of all sizes need the technology
workforce and the resources to manage these attacks and
critical infrastructure. Cyberattacks are not going to be going
away and we need to defend against them and make it a priority.
And you know, I talked about the latest collaboration that we
have with NYPA, New York Power Authority, to put together a
state-of-the-art cyberattack and critical infrastructure group
there. So, you know, the intent is that as we learn things in
industry, as the governments learn them, as the states learn
them, that we all collaborate and then we actually can filter
that down and share that, those solutions, amongst the other
utilities, not only energy, but I think we had mentioned water
earlier, Senator. So things that we can learn there as well.
Senator Hyde-Smith. Thank you very much.
Madam Chairman, I have a second question, if we have time
for that? We will be brief.
The Chairman. Go ahead.
Senator Hyde-Smith. It is on the cybersecurity defense,
just the collaboration. Mr. Gates, this will be to you. With
respect to protecting our nation's critical energy
infrastructure, please provide the Committee with your primary
recommendations on how the Department of Energy, the
intelligence community and the private sector can collaborate
better to defend against these cyber threats from, obviously,
foreign adversaries, more effectively? Just on the
collaboration.
Mr. Gates. Well, fortunately, we're working from a decent
base with the CRISP program, the briefings that we provide the
sector and our collaboration with the IC. The IC is, of course,
the Intelligence Community, is critical. It is better to engage
the adversary outside of our networks instead of inside. That
shouldn't be the first point of an engagement. And so, the IC's
role in that is critical and that's not just my bias because
that's where I sort of grew up, but the collaboration is
getting stronger. It needs to get better. It needs to be
seamless, and it needs to be real time.
The Solarium Commission proposed some things that kind of
speak to that, but I think more can happen. Information sharing
and, ma'am, you mentioned the trust issue earlier, when you're
talking about the Intelligence Community, sensitive information
and sharing it rapidly, that those are oxymorons in some
respects. We need to do more to figure out how to get useful,
kind of, sensitive information into the hands of network
operators so they can make decisions and take actions. It's a
work in progress. I will be--I would gladly provide you a list
of recommendations on how to improve that process.
Senator Hyde-Smith. Thank you very much.
The Chairman. Thank you, Senator.
Let's go to Senator Cortez Masto.
Senator Cortez Masto. Thank you. Gentlemen, thank you so
much for this important conversation. I want to thank the Chair
and Ranking Member for holding this hearing.
Let's talk a little bit about workforce. I know, Mr. Gates,
in your testimony you highlighted one of the priorities for
CESER is to build a superior workforce. And then Mr. O'Brien,
in your testimony, you also highlighted that the future success
on the electricity industry depends on the development and
leadership of the next generation of utility employees
including cybersecurity analysts. So let's start with both of
you and, Mr. Gates, I will start with you. Can you speak more
about DOE's efforts and methods to deliver on your goals of
building a superior workforce? And then Mr. O'Brien, I would
ask you to also talk about the importance of the need for
building that cybersecurity workforce across both the public
and private energy sectors. Mr. Gates.
Mr. Gates. Thank you, Senator.
This is a challenge for the country. Most of the estimates
are that even, you know, at current rates we're going to be
short of not only IT cybersecurity professionals, but it's even
starker when we talk about industrial control systems. We
started a number of initiatives from CyberForce, for example,
to help with training of those who are inclined to enter this
space as a profession. We think there's more that can be done.
Certainly we're looking at models, similar to the Center of
Academic Excellence that DHS and NSA run for cybersecurity and
intelligence programs. We think there's a carve-out possible
for those who are inclined to go into defensive industrial
control systems. Using our national lab complex, we actually
started this year a collaboration with one of the military
academies to do internships to get them training with one of
the national labs in this area and we think there's just more.
This is something where it's not just the Department, but the
government and the private sector will need to invest to get
the experience, the senior and junior engineers more training,
those who are in the business and build on ramps for those
coming out of college or in college to enter the business so we
can build that, not only cybersecurity workforce, but one
that's, kind of, geared toward the energy sector.
Senator Cortez Masto. Thank you.
Mr. O'Brien, your thoughts on what more we can be doing?
Mr. O'Brien. Yeah, thank you for the question and I think
you're highlighting a really good point that the supply and
demand on cybersecurity resources is somewhat problematic, and
from our perspective we're looking at growing talent from the
inside where we can and we've established things like
rotational development programs and really teaching people the
business, teaching people the different technologies so that
they can fight the cybersecurity issue. I think the other thing
that we've done, and it's yielded some pretty good results, is
we have some great partnerships with, you know, academia. We've
had great partnerships with DoD, DOE and really engaging our
workforce on that. The E-ISAC has done a very nice job with
workshops and you've really got to commit to getting your
people to those so that they can learn.
And then the other thing that I referenced in my testimony
was I think we need to look at the diversity inclusion as an
opportunity for untapped potential and that's something that
we're doing at PJM.
Thank you.
Senator Cortez Masto. Thank you. I cannot stress that
enough, and we have had hearings in other committees where the
diversity inclusion is key to increasing that workforce and it
is a power that has not been tapped into. So thank you for
that.
Mr. Gates, I want to also highlight the fact that just in
June of this year the University of Nevada Reno, where I
graduated from, their Cybersecurity Center and DOE's Nevada
National Security Site announced a partnership for
cybersecurity research and collaboration. I cannot thank you
enough for that, but most importantly, I am excited because it
gives the opportunity for a number of graduate and
undergraduate students to engage in and have hands-on research,
on research, education, training and career development. I
think more of that needs to occur. I applaud you on taking
advantage of that, so thank you.
I know my time is almost up. I will submit the rest of my
questions for the record.
Thank you.
The Chairman. Thank you, Senator.
Continuing on Senator Cortez Masto's questions regarding
the workforce, Mr. O'Brien, I know that--and we have had
conversations here this morning about supply chain security--
you have spoken to this issue as well as Mr. Conner. But not
only does PJM purchase from around the world, so when we think
about supply chain there, you also hire employees, contractors
and consultants that come from other places around the world.
How can you be certain that you are not hiring an insider
threat? How do you address that challenge?
Mr. O'Brien. Well, first and foremost, that's very
difficult because, you know, a foreign adversary that has
intent may very well find ways to get in, but the things that
we do is, you know, we have pretty good security background
checks and that's both for, you know, contractors and for
employees. The other thing that we do is, you know, and
obviously I wouldn't get into the details, but we have an
insider threat program where we're looking at, you know, the
activities of what's happening inside our walls and those are
things that are very important because if you put your head in
the sand around the insider threat, it can be problematic. But
I will just summarize it with good background checks, good
interviewing, good references and making sure you have the
solid insider threat protocol. Thank you.
The Chairman. Thank you.
Mr. Conner, do you want to add anything to that?
Mr. Conner. Yes, thank you for the question.
No, I think we actually make sure we do the background
checks here as well and we also, because this is relatively
new, you know, have actually been setting up programs with
universities to try to run a curriculum to how do we get the
training there. So more homegrown, we don't like to bring in
people from the outside to be doing some of this work for us.
So I think if you take a look at the programs we've put in,
along with the universities for the training, it's gone a long
way for us.
The Chairman. I appreciate that.
Let me go to you, Mr. McClelland, and this is with regards
to how we protect sensitive data. On an annual basis FERC
requires our electric utilities to submit detailed data on
their power grid operations. Form 715 requires utilities to
submit maps and diagrams of the grid as well as actual grid
data in electronic format. We acknowledge, FERC acknowledges,
that this data is critical energy infrastructure information
and treats it as such. The first question here though goes to
FERC's policy of releasing the data to the public on the basis
of the public's right to know. I think we are all in favor of
levels of transparency, certainly. In general, the public does
have a right to know, but when it comes to schematics of
critical energy infrastructure information, it seems reasonable
to me to be, perhaps, a little more circumspect here. Should
FERC consider changing its policy regarding the release of this
critical energy infrastructure information to a need to know
basis?
Mr. McClelland. Thank you, Chairman, I appreciate the
question.
FERC has to balance or must balance the right to know with
the sensitivity of the information. The CEII program that we
conduct provides necessary but limited release of that
information. In addition, all requesters are required to submit
in writing their need for, to attest to and demonstrate their
need for this information. FERC then verifies that request. It
can do so with business references and online tools and after
verification, FERC does require the execution of a non-
disclosure agreement. That non-disclosure agreement carries
with it sanctions if that non-disclosure agreement is violated
and those sanctions can include a loss of access to CEII as
well as criminal prosecution.
To date, FERC is not aware of any individual that's
violated, intentionally violated, that non-disclosure
agreement.
The Chairman. So Mr. McClelland, how does FERC audit how
members of the public use that CEII information that they have
received? Is there a follow-on? You mentioned the non-
disclosure, they then receive the information. What then
happens next in terms of just ensuring that there has been that
level of compliance?
Mr. McClelland. Well, FERC doesn't actively monitor those
that sign non-disclosure agreements and receive the
information, but FERC, however, has investigated allegations
that non-disclosure agreements have been violated and followed
up appropriately.
The Chairman. So is it your view that perhaps FERC should
look to strengthening the provisions in the non-disclosure
agreements?
Mr. McClelland. Well, to date, the non-disclosure agreement
process has worked for FERC. As I said, we're not aware of any
intentional violations of that non-disclosure agreement for
those that have received CEII information.
The Chairman. Okay.
Let me ask, I know Senator Manchin had asked about the
white paper that FERC recently did. In the white paper, there
is an observation that the standards-making process--for the
mandatory reliability standards--the standards-making process
``does not lend itself to addressing rapidly evolving
cybersecurity threats.'' Does Congress or does FERC need to
change the development process for these standards?
Mr. McClelland. Well----
The Chairman. If you recognize that it is that cumbersome.
Mr. McClelland. I'm sorry, I'm glad you asked the question,
Chairman.
That's why FERC uses a tool called Approach. And the
reliability standards, although they can be, they aren't
required to be best practices. And in the context of these
advanced persistent threat adversaries that are specifically
targeting our most critical infrastructure facilities with
precision and with advanced tools and techniques, the
Commission has found that it's necessary to use a dual-pronged
approach. It's not to say that the standards development
process isn't working because it's providing excellent
foundational standards that really are a shining example across
all of the infrastructure types, but those are foundational
practices.
The Commission, and we've heard this earlier from several
Senators, the Commission's--it's recognized the need to convey
this most sensitive information to our utility partners so that
they can quickly react to it. In that context, and I just want
to highlight one small example. We do work very closely with
the Director of National Intelligence, the National
Counterintelligence and Security Center. They convey one-day
read-in clearances. So a process that could take a year or more
to conduct, we can get and we have, we've gotten state
officials and industry officials quickly cleared and then
brought them in for group classified briefings and working
sessions to make sure they understand the threat that's before
them. We identify the best practices to mitigate against them
and then they go out and take care of that. In the meantime,
FERC then considers whether it would be appropriate to follow
on with actions and activities pursuant to the reliability
standards.
The Chairman. Let me ask you one more question on the white
paper as well. Do you think that the white paper's proposal of
financial incentives for the industry will be helpful or will
it just serve to increase rates because, you know, you have the
potential for a tradeoff here between higher rates or better
protection? And so, is that the answer there in terms of that
protection, is the financial incentive?
Mr. McClelland. Well, we hope so. We did solicit two
separate mechanisms by which industry can react and then
propose comments back to the incentives. But it really, the
fundamental, it's really just three questions that I think
summarize this issue very succinctly. The third question is do
you know where best practices belong because not all facilities
are created equally. Some facilities are extremely strategic in
nature and you can bet that's where our adversaries will be
targeting. So we hope or believe that the white paper that we
developed, the application of those incentives can be used to
target those critical facilities to deny the adversary access
and then in the future even exploit of those facilities.
So, and that would be also cost-effective. So instead of
requiring everyone to establish best practices and follow
those best practices through a mandatory requirement, we can
strategically select those facilities and then apply these best
practices to them. And we're hopeful we get great comments back
on that incentives white paper. We're very hopeful about that.
The Chairman. I am sure you will get comments.
[Laughter.]
I appreciate that, Mr. McClelland.
I am going to give my colleagues an opportunity for a
second round, but Senator Risch has just joined us. Senator, if
you would like to ask a question before we turn to Senator
Manchin.
Senator Risch. Thank you very much. Thank you, Madam
Chairman.
Cybersecurity is really important, and obviously this
Committee has overlapping jurisdiction with a number of other
committees.
The Chairman. With everybody.
[Laughter.]
Senator Risch. Yes, with everybody, I guess that is right.
In Idaho, we are particularly sensitive to all this because
of the Idaho National Laboratory (INL). The Idaho National
Laboratory, as everyone knows, is the birthplace of nuclear
energy in America and it is now, it has been the flagship for
nuclear energy, really, in America and in the world. Now the
flag is going up for cyber because at the INL they have some
unique capabilities that really call out for them to be the
flagship lab also for cybersecurity. This is the result of
their decades of experience in control systems. Obviously since
it was the birthplace of nuclear power, control systems played
a very, very important role as they went forward building the
52 different experimental--or some experimental, some actual--
nuclear reactors that were built at the laboratory. Those
control systems were critical. They have great expertise in
that regard, plus they have some test beds that are important.
So the result of that is the INL is moving forward very rapidly
in the cyberspace.
I have a question for Mr. Gates I would like to ask and
have him talk to us a little bit about the role that the INL
and the other labs are playing in this regard. And as we know,
earlier this year the Cyberspace Solarium Commission released
dozens of recommendations to better secure the nation from
cyberattacks--very important because this is so critical in our
infrastructure and everything else. The Department of Energy
national laboratories are playing a key role in this effort to
move these recommendations forward. In Idaho we have the Idaho
National Lab, as I said, which is the only national laboratory
explicitly mentioned in this report and that, of course, is
because of its expertise that I just described and also because
of their outsized role and growing role in cybersecurity.
So again, the question I have for you, Mr. Gates, is that
as Congress looks as we all, in Congress, look to implement
many of the recommendations in this report, can you please talk
a little bit about what you think the INL, the role the INL can
play in that regard and the role that any other of the labs
might play in that regard? INL certainly has a unique place and
unique capabilities, but I would like to hear your observations
in that regard.
Mr. Gates. Thank you, Senator Risch.
INL, it's in many respects, particularly in the area of
control systems, it's a first among its equals. Certainly,
CESER and the Department, the sector, relies on many labs. If
you look at what we are doing with NAERM, you know, there are
eight national labs that are collaborating on that project that
will allow us to obtain high-fidelity situational awareness on
the grid. INL is one of them. But INL has really taken a
leadership role on some of our critical programs, CyTRICS, for
example, where we're going to be testing systems down to the
component level to look for and eliminate vulnerabilities. That
program, I mean, INL is best suited for it. It was, CyTRICS,
was designed with INL in mind and what that is going to allow
us to do is push the adversary further out of the
infrastructure using that and other programs. CyTRICS, centered
at INL, is also going to allow us to execute the Executive
Order. It's a key component to DOE's ability to implement
139920.
There are other programs. Just this year, I mentioned
earlier that we sent a few Coast Guard cadets to INL for an
intern program and we think that's a model for how to get
training into the hands of those who will be helping us defend
control systems, whether they're controlling a weapon system or
whether they're controlling part of the critical
infrastructure. So that's just one of many programs. We rely on
INL's expertise, even in classified settings. There's work
that's just uniquely suited for INL, but many of our other
national labs, it's almost a superpower for the Department of
Energy, our ability to rely on national labs to help us solve
problems and then get them into the sector.
Senator Risch. Thank you very much, and I appreciate your
reference there to the national security matters and also the
classified nature. Sometimes when I am home in Idaho I try to
explain to people what they do at the INL. I can tell them
about some things and I can't tell them about others. Even the
ones that are classified are incredibly important. So thank you
for your work, I sincerely appreciate it.
Thank you for holding this hearing, Madam Chairman. I
appreciate it.
The Chairman. Thank you, Senator Risch. As you know, I have
been out to INL, have seen it, can't talk about it.
[Laughter.]
Senator Manchin.
Senator Risch. Some of it.
The Chairman. Some of it.
Senator Manchin. Thank you, Madam Chairman.
To Mr. Gates and Mr. Conner, I mentioned earlier I am
pleased to see DOE taking steps to ensure that we have safe and
secure supply chains for bulk power systems. However, in moving
forward with identifying grid equipment that is at risk or
equipment that could be part of a prequalified list, it is of
credible importance that the manufacturers of electric
equipment are utilized for their knowledge and expertise. I
know the Executive Order established a task force to engage
with the energy industry, but manufacturers were not
specifically included in that process.
Mr. Gates, has the DOE considered establishing a task force
equivalent for the manufacturers to the electric equipment to
inform DOE to get response back for them and how is DOE fully
engaging with these stakeholders?
Mr. Gates. Thank you for that question, Senator Manchin.
You know, since the issuance of the Executive Order, DOE has
held over 90 calls, not only to the asset owners, but that also
includes manufacturers. So they're part of the equation. And
even in part of the CyTRICS program which is a key element of
executing the Executive Order, we've already signed two
companies. We're engaging others directly and having a
conversation. A lot of those discussions are in the context of
the broader vulnerability identification and elimination
aspect, but we're also talking about implementation of the
Executive Order.
So over 3,000 individuals have engaged the Department since
the issuance of the Executive Order. Some of them are
manufacturers, a lot of utility owners, suppliers, and we're
comfortable, though we've taken the letter to heart and we're
making sure that we're covering all our bases, we're
comfortable with our engagement strategy so far and we seek to
do more of that because we do want to be thorough and it
requires a partnership. We can't go it alone. So, you know,
your letter was taken to heart, sir.
Senator Manchin. Thank you, sir.
Mr. O'Brien, as the largest grid operator in the country, I
appreciate that PJM takes cybersecurity seriously. The states
and utilities that make up PJM service territory which includes
my State of West Virginia vary a lot in their ability to
address and get ahead of the cyber grid threats leaving an
important role for PJM to make sure the system is not made
vulnerable by any one actor who does not get it up to the
standards that you are asking for. So my question would be,
what are the biggest risks in the PJM territory that you are
concerned about and what can other grid operators learn from
what you have been able to address with these threats?
Mr. O'Brien. Yeah, thank you, Senator.
I think from my perspective, certainly from an operating
control aspect, is the biggest risk to PJM is that there's
significant compromise of our members. I mean, we rely on
information and data that comes into PJM and we're running all
types of real-time analysis to keep the lights running. But if
there is any case where the telecommunications system is down,
we can't get that data, that information. I think it's a really
high risk----
Senator Manchin. Let me ask you this, Mr. O'Brien. Are you
all able to run scenarios that you can test to see if they are
up to your standards, even if they are reporting they are? Do
you do, kind of, cyber test, if you will, to see if you are
able to get into their system or basically show they have,
still, some vulnerabilities?
Mr. O'Brien. No, we don't do that. I mean, that's something
that we don't, you know, feel is in our jurisdiction based on
how we operate. We do collaborate a lot with the members, but
no, we don't do, you know,----
Senator Manchin. Well, let me ask Mr. Gates. Let me ask him
then.
From the DOE, Mr. Gates, does any, I mean, if our systems
are telling you, whether it be in West Virginia or any other of
the PJM states or any other areas of our country, if they are
not, if they are actually not really hardening their systems to
protect against the cyberattacks, how are you able to detect
it? Do you just have to wait until something happens or are you
all checking to see if they are doing it?
Mr. Gates. We're not. There is a reporting mechanism in
place.
Senator Manchin. No one is checking, I can tell right now.
No one. No one is testing to make sure. If I wanted to find out
if you did what you told me you did, I would have one of my
smart people try to hack into that and see if I show the
fallacy there. So we are not doing those types of tests?
Mr. Gates. I think that's fair, though if you look at what
CISA is doing, some of the work they're doing in the sector and
the Department and the advice from FERC and NERC, there are
mechanisms to engage them, but as far as overseeing the
implementation of certain things in a private utility, again,
there are some limitations in the current----
Senator Manchin. Well, again, I would ask PJM. Mr. O'Brien,
how do you all plan to continue monitoring these evolving risks
if you really can't check to see if they have been hardened? It
can't be done. Has the risk been eliminated?
Mr. O'Brien. Yeah, I think, Senator, the thing that we rely
on, relative to our members, is, you know, the NERC compliance
and they're all held to a standard, they're held to an audit
and we're counting on that. Now we do a lot of collaboration
and discussions on best practices, but it's not within our
jurisdiction to actually red team or try to hack into their
systems right now.
Senator Manchin. Well, we will have to check with NERC
then. We have to check with somebody to see if somebody is
checking anything.
Alright, thank you.
Thank you, Madam Chairman, and thank all of you. I am very,
very appreciative.
The Chairman. Thank you, Senator.
Senator Hoeven has joined us.
Senator Hoeven. Thank you, Madam Chairman.
My first question is to Mr. McClelland. As consumers we
have benefited from centralized baseload generating assets and
our ability to [inaudible]--to provide power, especially during
extreme weather events, polar vortexes and so forth. And we now
see more centralized, intermittent generation on the grid and
so forth which creates opportunities, but also, risks. Mr.
McClelland, what measures has [the company] taken to manage
liability and cybersecurity risks in these new technologies?
Mr. McClelland. So as users, owners and operators of the
power grid, these facilities may be subject, would likely be
subject to the NERC reliability standards if they reach a
certain threshold and they are interconnected to the bulk power
system. So that's where the Commission's jurisdiction is, under
the Federal Power Act, Section 215. If these facilities
interconnect to the bulk power system, they'll be held to that
minimum standard. And in addition, Senator, we do have a
program, a collaborative program that is available to any
entity where we will, for instance, do an onsite assessment of
their facilities, identify vulnerabilities and then assist them
with mitigating action. So it's the same level of
accountability that all generation resources under the
Commission's jurisdiction would have.
Senator Hoeven. Does Congress need to provide the FERC with
any additional tools or capabilities to make sure that FERC is
continuing to protect and improve the reliability of the bulk
power system?
Mr. McClelland. Well, the Commission now is using a dual-
fold approach. So we're establishing baseline standards and
they're good, the reliability standards for cybersecurity
through the NERC process, but this process is open and
deliberative and it doesn't necessarily reflect best practices.
On the other side, we're collaborating very closely with the
intelligence community. That'd be our friend, Alex Gates at the
Department of Energy, Department of Homeland Security and other
agencies to stay current on those threats. And then we're
actively engaging with industry to push out this information so
that they can be aware of the threats. This bill would actually
add to that authority. It would add to our voluntary assistance
work with industry, providing us with additional authorities.
Senator Hoeven. For Mr. Conner, how do we continue to
strengthen the relationship between the public and private
sectors to ensure that information is shared and also protected
from inappropriate disposal?
Mr. Conner. Yes, thank you for the question.
I think, as we mentioned earlier in my testimony, if I just
take a look at the partnership that we've done with NYPA.
That's more on the public side. That was just last week, and
it's to develop the new think tank with them. I also take a
look at all the partnerships that we have in the private sector
with some of our vendors and our supply chain management. And
as I also testified earlier, we make sure that despite all of
that, that we actually do testing on hardware, software,
security testing of everything that we get out of our suppliers
as well to cover that side.
So I think it's collaboration. We talked about it earlier.
Nobody gets there by themselves, but it's continue to
collaborate and communicate across the board.
Senator Hoeven. And then for Mr. Gates. Do you believe that
the Department of Energy has sufficient ability over the
nation's energy delivery system to properly address the attacks
and vulnerabilities----
Mr. Gates. Thank you for the question, Senator.
I'm not sure anyone has the visibility to address all the
threats. If we had that visibility, whether it was the
Department, whether it was in the private sector, we would be
doing more to develop solutions and push the adversary further
away from our infrastructure. But that's why investments like
NAERM and developing other tools and why information sharing
through the ISACs and other mechanisms, the intelligence
briefings, are so important. But we do need better tools. We
need better sensors, and we're investing in that. We need
better analytics which we're developing at the national labs.
Pulling all that together to have better situational awareness,
high fidelity is the answer. We haven't achieved it yet, but it
is a goal and it's a pressing goal for the Department.
Senator Hoeven. Is there additional assistance Congress can
provide or resources, in your opinion, at this time that would
be critical to test?
Mr. Gates. There's always room for additional support, sir.
Targeted support at specific programs that allow us to develop
some of these solutions more rapidly is always effective,
making it easier for us to fund pilots and work with the
national labs, with the private sector. There are pretty
interesting developments in private industry, tools that are
useful for us, but even that requires integration and testing.
So clearly, the whole sector, including the Department could
use more support.
Senator Hoeven. But you don't have a specific in mind?
Mr. Gates. I do have specifics in mind, sir, and I would
gladly provide those to you offline.
Senator Hoeven. Alright. Thank you very much.
Thank you, Madam Chair.
The Chairman. Thank you, Senator Hoeven.
Gentlemen, we appreciate the discussion that we have had
here this morning. I know Senator Manchin and I have no further
questions.
Senator King, did you have anything further that you wanted
to add?
Senator King. Yes, just two things.
The first, Senator Manchin, in your usual commonsense way,
you put your finger on something very important which we talked
about earlier which is red teaming or hackers for hire or
penetration testing, whatever you want to call it. We need more
of it. We need authority to do it in Mr. Gates' agency and
perhaps at FERC. People can certify that they are secure but
there is no way to really test that until you have really tried
to penetrate their network. So I have asked Mr. Gates to supply
us with what he feels he needs in the way of additional
authorities to make that happen. So I want to associate myself
with that question.
One other question that has not come up today, and I don't
know whether this should be to Mr. McClelland or to Mr. Gates,
but isn't distributed energy, that is, generation at the home
or in the neighborhood which is now available to us in part
through the use of solar, isn't that part of a national
security solution to try to avoid the risk of the giant grid
with the giant generating plant that if it goes online,
everybody goes down? Is anybody thinking about that? Mr. Gates,
is that something that you all have looked at?
Mr. Gates. Senator King, it is something the Department is
concerned with, particularly when we look at some of the grid
modernization initiatives, you know, baking security into that
modernization, whether they're microgrids and so forth is an
important aspect of it. But there are those who also believe
that if we don't bake in security that we're distributing the
problem. Those systems still are dependent on technologies
that, you know, could be vulnerable and just change the nature
of an attack, make it a----
Senator King. But if you have a solar array on your house
that supplies your needs, you don't care if something happens
to a generating plant 200 miles away. That is my point. It
seems to me that there is a resilience redundant kind of effect
here, and I realize integration into the grid and all those are
technical questions, but the decentralization, I mean, the
whole history of our electrical system has been centralization.
We are now in a place where technology allows us to
decentralize, and it seems to me that could be an important
advantage in terms of securing electric supply to individuals
and businesses.
Mr. McClelland, are you guys looking at that at FERC?
Mr. McClelland. Thank you, Senator, for the question.
In some ways, and to add to Mr. Gates' point, in some ways
the addition of new technologies, new systems, especially
supply chain concerns can complicate security. However, to your
point, there's a vast reduction of interdependencies associated
with a self-sufficient plant. So I think that so long as the
facility, and I am speaking for myself, so long as the facility
is secure, has/is abiding by best practices to counter those
adversarial attacks, it certainly makes it easier to protect a
self-contained, fuel secure facility, such as renewables versus
a facility that depends on many other types of infrastructure
to produce generation.
Senator King. Thank you.
Thank you, Madam Chair, I appreciate it.
The Chairman. Thank you.
This has been a really instructive hearing, again, and I
appreciate the input that we have received, not only from those
within the Department, the agencies, but also the private
sector. I think it was important to have that.
Senator Manchin. Can I say one thing?
Senator King, Angus, are you still on?
The Chairman. Yes.
Senator Manchin. Angus, the only thing I wanted to ask, I
know you asked directly with DOE if they could check, you know,
by basically hiring the real smart people we talk about that
are able to find out if we are on our game or not.
Senator King. Right.
Senator Manchin. But how about with PJM? Are they not
responsible then, basically if they are the carrier, I mean,
they are one of the largest in the country? They are all over
my state. Should they not be----
Senator King. I asked PJM that question and I think the
response was that they do do pen testing and red teaming. Isn't
that correct, Mr. O'Brien? I thought that was what you said.
Mr. O'Brien. Yeah, thank you. Let me clarify. We do
extensive red teaming on our own systems. We do extensive
penetration testing on our own systems. What we don't do is red
teaming and penetration testing on our member company systems
where data flows into us. So that's the little nuance to the
question.
Senator Manchin. So you don't have the jurisdiction for
that, is what you are saying, why you don't do it?
Mr. O'Brien. We do not. No.
Senator Manchin. Okay. Angus, that gives us something else
to work on.
The Chairman. Yes.
Mr. O'Brien. And again, I think NERC plays a role in that
as well.
Senator Manchin. Sure.
Mr. O'Brien. With the--thank you.
The Chairman. But that is your vulnerability. You can be
secure here----
Senator Manchin. Absolutely. Absolutely.
The Chairman. ----but then feed into where you are.
Senator Manchin. I just want to thank Angus, Senator King,
and Congressman Gallagher for what they have done in the last
two years. I mean, it is truly amazing and it needs to be
brought--it is just common sense. It is just pure common sense.
And we have to do all the checking we can. So maybe this is
something that we could work on with NERC and get some of these
barriers broken down for you so we really have thorough
checking and thorough testing.
Thank you.
The Chairman. Well, I think we recognize that the threat
from cyber, whether it is to our energy systems or any aspect
of, really, our economy, there is vulnerability that we
recognize and again, we are talking about collaboration, we are
talking about partnership, built on the trust. And so how we
can help facilitate that is important. When you can't trust,
you have to test. Trust but verify. I think this is some of the
conversation that we have had here today.
There are some requests that Committee members have made
that, I think, Mr. Gates, you acknowledge that you would be
able to provide members of the Committee a response. We look
forward to that and if other members have further questions for
the record, we would hope that you would be able to respond.
We appreciate the time that you have given us and the
information that you have provided us as we focus on this
critically, critically important aspect of protecting our
energy sector.
With that, the Committee stands adjourned.
[Whereupon, at 11:53 a.m. the hearing was adjourned.]
APPENDIX MATERIAL SUBMITTED
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]