[Senate Report 111-331]
[From the U.S. Government Publishing Office]

Calendar No. 617
111th Congress, 2d Session
SENATE
Report 111-331

======================================================================

GRID RELIABILITY AND INFRASTRUCTURE DEFENSE ACT

_______

September 27, 2010.--Ordered to be printed

_______

Mr. Bingaman, from the Committee on Energy and Natural Resources, submitted the following

R E P O R T

[To accompany H.R. 5026]

The Committee on Energy and Natural Resources, to which was referred the Act (H.R. 5026) to protect the bulk-power system and electric infrastructure critical to the defense of the United States against cybersecurity and other threats and vulnerabilities, having considered the same, reports favorably thereon with an amendment and recommends that the Act, as amended, do pass.

The amendment is as follows:

Strike out all after the enacting clause and insert in lieu thereof the following:

SECTION 1. CRITICAL ELECTRIC INFRASTRUCTURE.

Part II of the Federal Power Act (16 U.S.C. 824 et seq.) is amended by adding at the end the following:

``SEC. 224. CRITICAL ELECTRIC INFRASTRUCTURE.

``(a) Definitions.--In this section:

``(1) Critical electric infrastructure.--The term `critical electric infrastructure' means systems and assets, whether physical or virtual, used for the generation, transmission, or distribution of electric energy affecting interstate commerce that, as determined by the Commission or the Secretary (as appropriate), are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety.

``(2) Critical electric infrastructure information.--The term `critical electric infrastructure information' means critical infrastructure information relating to critical electric infrastructure.
``(3) Critical infrastructure information.--The term `critical infrastructure information' has the meaning given the term in section 212 of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 131).

``(4) Cyber security threat.--The term `cyber security threat' means the imminent danger of an act that disrupts, attempts to disrupt, or poses a significant risk of disrupting the operation of programmable electronic devices or communications networks (including hardware, software, and data) essential to the reliable operation of critical electric infrastructure.

``(5) Cyber security vulnerability.--The term `cyber security vulnerability' means a weakness or flaw in the design or operation of any programmable electronic device or communication network that exposes critical electric infrastructure to a cyber security threat.

``(6) Secretary.--The term `Secretary' means the Secretary of Energy.

``(b) Authority of Commission.--

``(1) In general.--The Commission shall issue such rules or orders as are necessary to protect critical electric infrastructure from cyber security vulnerabilities.

``(2) Expedited procedures.--The Commission may issue a rule or order without prior notice or hearing if the Commission determines the rule or order must be issued immediately to protect critical electric infrastructure from a cyber security vulnerability.

``(3) Consultation.--Before issuing a rule or order under paragraph (2), to the extent practicable, taking into account the nature of the threat and urgency of need for action, the Commission shall consult with the entities described in subsection (e)(1) and with officials at other Federal agencies, as appropriate, regarding implementation of actions that will effectively address the identified cyber security vulnerabilities.
``(4) Termination of rules or orders.--A rule or order issued to address a cyber security vulnerability under this subsection shall expire on the effective date of a standard developed and approved pursuant to section 215 to address the cyber security vulnerability.

``(c) Emergency Authority of Secretary.--

``(1) In general.--If the Secretary determines that immediate action is necessary to protect critical electric infrastructure from a cyber security threat, the Secretary may require, by order, with or without notice, persons subject to the jurisdiction of the Commission under this section to take such actions as the Secretary determines will best avert or mitigate the cyber security threat.

``(2) Coordination with canada and mexico.--In exercising the authority granted under this subsection, the Secretary is encouraged to consult and coordinate with the appropriate officials in Canada and Mexico responsible for the protection of cyber security of the interconnected North American electricity grid.

``(3) Consultation.--Before exercising the authority granted under this subsection, to the extent practicable, taking into account the nature of the threat and urgency of need for action, the Secretary shall consult with the entities described in subsection (e)(1) and with officials at other Federal agencies, as appropriate, regarding implementation of actions that will effectively address the identified cyber security threat.

``(4) Cost recovery.--The Commission shall establish a mechanism that permits public utilities to recover prudently incurred costs required to implement immediate actions ordered by the Secretary under this subsection.
``(d) Duration of Expedited or Emergency Rules or Orders.--Any rule or order issued by the Commission without prior notice or hearing under subsection (b)(2) or any order issued by the Secretary under subsection (c) shall remain effective for not more than 90 days unless, during the 90-day period, the Commission--

``(1) gives interested persons an opportunity to submit written data, views, or arguments (with or without opportunity for oral presentation); and

``(2) affirms, amends, or repeals the rule or order.

``(e) Jurisdiction.--

``(1) In general.--Notwithstanding section 201, this section shall apply to any entity that owns, controls, or operates critical electric infrastructure.

``(2) Covered entities.--

``(A) In general.--An entity described in paragraph (1) shall be subject to the jurisdiction of the Commission for purposes of--

``(i) carrying out this section; and

``(ii) applying the enforcement authorities of this Act with respect to this section.

``(B) Jurisdiction.--This subsection shall not make an electric utility or any other entity subject to the jurisdiction of the Commission for any other purpose.

``(3) Alaska and hawaii excluded.--Except as provided in subsection (f), nothing in this section shall apply in the State of Alaska or Hawaii.

``(f) Defense Facilities.--Not later than 1 year after the date of enactment of this section, the Secretary of Defense shall prepare, in consultation with the Secretary, the States of Alaska and Hawaii, the Territory of Guam, and the electric utilities that serve national defense facilities in those States and Territory, a comprehensive plan that identifies the emergency measures or actions that will be taken to protect the reliability of the electric power supply of the national defense facilities located in those States and Territory in the event of an imminent cybersecurity threat.
``(g) Protection of Critical Electric Infrastructure Information.--

``(1) In general.--Section 214 of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 133) shall apply to critical electric infrastructure information submitted to the Commission or the Secretary under this section to the same extent as that section applies to critical infrastructure information voluntarily submitted to the Department of Homeland Security under that Act (6 U.S.C. 131 et seq.).

``(2) Rules prohibiting disclosure.--Notwithstanding section 552 of title 5, United States Code, the Secretary and the Commission shall prescribe regulations prohibiting disclosure of information obtained or developed in ensuring cyber security under this section if the Secretary or Commission, as appropriate, decides disclosing the information would be detrimental to the security of critical electric infrastructure.

``(3) Procedures for sharing information.--

``(A) In general.--The Secretary and the Commission shall establish procedures on the release of critical infrastructure information to entities subject to this section, to the extent necessary to enable the entities to implement rules or orders of the Commission or the Secretary.

``(B) Requirements.--The procedures shall--

``(i) limit the redissemination of information described in subparagraph (A) to ensure that the information is not used for an unauthorized purpose;

``(ii) ensure the security and confidentiality of the information;

``(iii) protect the constitutional and statutory rights of any individuals who are subjects of the information; and

``(iv) provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.''.

Purpose

The purpose of H.R. 5026 is to amend the Federal Power Act to protect the bulk-power system and critical electric infrastructure against cybersecurity threats and vulnerabilities.
Background and Need

The electric infrastructure of the United States includes transmission lines, generation facilities, local distribution systems, and communications systems. As of 2009, there were 365,058 miles of transmission lines (rated 100 kV and above) in the United States, with an additional 31,000 miles of planned and conceptual additions forecast to be placed in service by 2019.\1\ The total net summer generating capacity as of December 31, 2008, was 1,010,171 megawatts and 2008 annual net electric power generation was 4,119 million megawatt-hours.\2\ This infrastructure serves over 143 million customers in the United States, across several sectors, including residential, commercial, and industrial. The components of the electric grid are highly interdependent, such that a line outage or system condition problems in one region can lead to reliability concerns in other regions.

---------------------------------------------------------------------------
\1\North American Electric Reliability Corporation, 2009 Long-Term Reliability Assessment 2009-2018 (October 2009) at 26.
\2\U.S. Energy Information Administration, Electric Power Annual 2008 (January 2010), DOE/EIA-0348 (2008).
---------------------------------------------------------------------------

On August 8, 2005, the Energy Policy Act of 2005 (EPAct) was enacted into law. Title XII of EPAct added a new section 215 to the Federal Power Act. Under section 215, the Federal Energy Regulatory Commission (FERC) is charged with overseeing mandatory, enforceable reliability standards for the bulk-power system. Section 215 also required FERC to select an Electric Reliability Organization (ERO) that is responsible for proposing reliability standards that are designed to protect and enhance the reliability of the bulk-power system and apply to users, owners, and operators of that system.
The ERO is also authorized to impose penalties for violations of the reliability standards, subject to FERC review and approval. More than 1,800 different entities own or operate components of the bulk-power system that are subject to approved reliability standards.

In 2006, FERC designated the North American Electric Reliability Corporation (NERC) as the ERO. In its capacity as the ERO, NERC is responsible for developing proposed reliability standards. The process of developing reliability standards relies on an inclusive and public process that permits extensive opportunity for industry comment. This process is intended to develop consensus on the need for, and the substance of, proposed standards. The standards development process includes the following key steps: nomination and public posting; industry review of comments; redrafting as necessary; formal balloting; and approval by NERC's board of trustees. Proposed standards are submitted to FERC for review and final approval. FERC cannot itself prescribe standards under section 215, but it has authority to direct NERC to develop standards or to modify existing standards.

The scope of the reliability standards is limited by section 215's definition of the bulk-power system, which specifically excludes ``facilities used in the local distribution of electric energy.'' Accordingly, these standards do not apply to lower-voltage distribution facilities that serve critical electric infrastructure, such as certain defense facilities and other end-users of electricity. For example, this excludes virtually all grid facilities in some large cities (e.g., New York), which precludes FERC action to mitigate cyber or other national security threats to reliability that involve such facilities in major population areas. In addition, the provisions of section 215 do not apply to Alaska or Hawaii, where a number of important defense facilities are located.
Standards relating to electric infrastructure cyber security represent one category of reliability standards. In August 2006, NERC submitted eight proposed cyber security standards, known as the Critical Infrastructure Protection (CIP) standards, to FERC for approval under section 215. As defined by NERC for purposes of the CIP standards, critical infrastructure includes facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the electric system. NERC and its members worked for approximately three years to develop these standards before they were submitted to FERC for approval. In January 2008, FERC approved the CIP reliability standards while concurrently directing NERC to develop significant modifications addressing specific concerns. NERC addressed some of the FERC directives in subsequent versions of the cybersecurity standards. These revisions are effective April 1, 2010 and October 1, 2010, respectively. Notably, some entities were required to be fully compliant with all the CIP requirements as of July 1, 2010.

In addition to proposing new standards to FERC, NERC also reviews and modifies existing reliability standards. For example, further revisions to cyber security standards have been proposed based on unsatisfactory results from industry surveys of critical asset identification. In a December 2008 self-certification study, NERC reported that only 29% of generation owners and operators reported identifying at least one critical asset; approximately 63% of transmission owners identified critical assets. NERC expressed its concern with these results, but an April 2010 survey does not indicate improvement in coverage.

Public reports relating to cyber vulnerabilities of and threats to the electric grid have increased in recent years and have been the subject of several hearings in the 110th and 111th Congresses.
Such threats may arise across the vast array of communicating devices on the grid, requiring rapid and often confidential responses. In 2007, in an experiment (dubbed ``Aurora''), researchers from DOE and the Idaho National Laboratory demonstrated that an attacker could hack into the control system of an electric generator or other rotating equipment connected to the grid, causing severe physical damage to the equipment. The experiment raised the possibility that large, coordinated attacks could damage the nation's electric infrastructure, resulting in billions of dollars in damage that could take months to repair.

Electric grid vulnerabilities also present risks to U.S. defense assets. Much of the energy infrastructure upon which the Department of Defense depends is commercially owned. An October 2009 report by the Government Accountability Office concluded that of the Department of Defense's 34 most critical global assets, 31 rely on commercially operated electricity grids for their primary source of electricity.\3\

---------------------------------------------------------------------------
\3\U.S. Government Accountability Office, Defense Critical Infrastructure: Actions Needed to Improve the Identification and Management of Electrical Power Risks and Vulnerabilities to DOD Critical Assets (Oct. 2009) (GAO-10-147).
---------------------------------------------------------------------------

The NERC process of developing and approving standards is necessary but not sufficient to protect the system against specific and imminent threats, particularly in emergency situations. The standards development process is designed to rely on industry expertise with respect to specific problems with long histories and defined data. It is also structured so as to permit opportunities for industry and public comment.
FERC can direct NERC to develop a reliability standard to address a particular matter, including cyber security threats or vulnerabilities, either via the regular process or under an expedited schedule. However, many cyber security events require quick responses and significant changes that are not necessarily based on operating experience. In circumstances involving a cyber security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months, or years. Existing NERC processes for adoption of reliability standards do not offer a timely means of responding to imminent cyber security threats and vulnerabilities.

Legislative History

Representative Markey introduced H.R. 5026 on April 14, 2010. The House Committee on Energy and Commerce ordered it favorably reported with an amendment in the nature of a substitute on April 15, 2010. H. Rept. 111-493. The House of Representatives passed H.R. 5026 by voice vote on June 9, 2010.

At its business meeting on August 5, 2010, the Committee on Energy and Natural Resources ordered H.R. 5026 favorably reported with an amendment in the nature of a substitute. The committee amendment consisted of the text of section 301 of S. 1462, the American Clean Energy Leadership Act of 2009, which was considered by the Committee at a business meeting on May 19, 2009, and ordered reported as part of S. 1462 on June 17, 2009. The Committee held a hearing on a draft of the legislation on May 7, 2009. S. Hrg. 111-29.

Committee Recommendation

The Committee on Energy and Natural Resources, in open business session on August 5, 2010, by voice vote of a quorum present, recommends that the Senate pass H.R. 5026, if amended as described herein.

Section-by-Section Analysis

Section 1 amends Part II of the Federal Power Act (16 U.S.C. 824 et seq.)
by adding a new section 224 to give the Secretary of Energy and the Federal Energy Regulatory Commission (the Commission) additional authority to protect critical electric infrastructure against cyber security threats and vulnerabilities.

Section 224(a) defines key terms in the new section. Paragraph (1) defines the term ``critical electric infrastructure'' to mean systems and assets (whether physical or virtual) used for the generation, transmission, or distribution of electric energy affecting interstate commerce (whether or not transmitted in interstate commerce) that are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety. It is modeled on the definition of the term ``critical infrastructure'' in the Critical Infrastructures Protection Act of 2001, section 1016 of the USA PATRIOT Act (42 U.S.C. 5195c(e)).

Paragraph (2) defines the term ``critical electric infrastructure information'' to mean critical infrastructure information relating to critical electric infrastructure.

Paragraph (3) defines the term ``critical infrastructure information'' by reference to the definition of the term in section 212 of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 131).

Paragraph (4) defines the term ``cyber security threat'' to mean the imminent danger of an act that disrupts, attempts to disrupt, or poses a significant risk of disrupting the operation of programmable electronic devices or communications networks essential to the reliable operation of critical electric infrastructure. Section 224(a) does not separately define or qualify the term ``act,'' which bears its ordinary dictionary definition of ``a thing done,'' and thus may include acts of God resulting from uncontrollable forces of nature, such as a geomagnetic storm.
Paragraph (5) defines the term ``cyber security vulnerability'' to mean a weakness or flaw in the design or operation of any programmable electronic device or communication network that exposes critical electric infrastructure to a cyber security threat.

Paragraph (6) defines the term ``Secretary'' to mean the Secretary of Energy.

Section 224(b)(1) directs the Commission to issue rules or orders as necessary to protect critical electric infrastructure from cyber security vulnerabilities. Paragraph (2) permits the Commission to issue the rules or orders, without prior notice or hearing, if it determines that the rule or order must be issued immediately to protect against a cyber security vulnerability. Paragraph (3) directs the Commission, to the extent practicable, to consult with officials at other Federal agencies, and with entities subject to the jurisdiction of the Commission. Paragraph (4) provides that rules or orders issued under subsection (b) shall expire on the effective date of a standard developed and approved pursuant to section 215 of the Federal Power Act to address the vulnerability.

Section 224(c) authorizes the Secretary of Energy to require, if immediate action is necessary to protect against a cyber security threat, entities subject to the jurisdiction of the Commission to take actions to protect against the threat. Paragraph (2) encourages the Secretary to consult and coordinate with appropriate officials in Canada and Mexico. Paragraph (3) requires the Secretary, to the extent practicable, to consult with officials at other Federal agencies, and with entities subject to the jurisdiction of the Commission under this section prior to exercising the authority under this subsection. Paragraph (4) requires the Commission to establish a mechanism that permits recovery of prudently incurred costs required to comply with orders of the Secretary under this subsection.
Section 224(d) provides that orders or rules issued without prior notice or hearing under section 224 shall remain in effect for not more than 90 days unless the Commission gives interested persons an opportunity to submit written data, views or arguments and affirms, amends or repeals the rule or order.

Section 224(e) provides that any entity that owns, controls, or operates critical electric infrastructure shall be subject to the jurisdiction of the Commission for purposes of carrying out section 224, or applying enforcement authorities of the Federal Power Act with respect to section 224, but subsection (e) does not subject an electric utility or other entity to the jurisdiction of the Commission for any other purpose. Except as provided in subsection (f), the States of Alaska and Hawaii are exempted from provisions of section 224.

Section 224(f) provides for a plan to protect the electric power supply of the national defense facilities in the States of Alaska and Hawaii, and in the Territory of Guam.

Section 224(g)(1) provides that section 214 of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 133) shall apply to information submitted to the Commission or the Secretary either voluntarily or involuntarily under this section to the same extent as that section applies to information voluntarily submitted to the Department of Homeland Security under that Act (6 U.S.C. 131 et seq.). Paragraph (2) directs the Secretary and the Commission to issue regulations prohibiting disclosure of information that would be detrimental to the security of critical electric infrastructure. Paragraph (3) directs the Secretary and the Commission to establish procedures on the release of critical infrastructure information to entities subject to this section, to the extent necessary to enable the entities to implement rules or orders of the Commission or Secretary.
The procedures shall limit dissemination of information, ensure security and confidentiality of information, protect constitutional and statutory rights, and provide data integrity through timely removal and destruction of obsolete or erroneous names and information.

Cost and Budgetary Considerations

The following estimate of costs of this measure has been provided by the Congressional Budget Office:

H.R. 5026--An act to amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the defense of the United States against cybersecurity and other threats and vulnerabilities

H.R. 5026 would amend existing law regarding the regulation of facilities that transmit electric power. Under existing law, most of the standards governing the reliability of the electric power system are issued by the Electric Reliability Organization (ERO), subject to approval and enforcement by the Federal Energy Regulatory Commission (FERC). This act would direct FERC to issue standards regarding the security of computer networks used to facilitate electric power transmission (known as cybersecurity), which would remain in effect until the ERO adopts regulations for such matters. The bill also would direct the Department of Defense (DoD) to conduct a study of grid security in certain states and territories and establish procedures for responding to emergencies and protecting information related to cybersecurity.

Enacting this legislation would affect direct spending by the federal power agencies that would be subject to the new regulations and standards; therefore, pay-as-you-go procedures apply. Based on information from the Tennessee Valley Authority and Bonneville Power Administration, CBO estimates that any effects of the legislation on net direct spending would be negligible because the new standards would be similar to those currently followed by federal agencies as a result of other statutory directives.
The act also would affect spending at FERC and DoD, which is controlled by annual appropriation acts. Assuming appropriation of the necessary amounts, CBO estimates that DoD's analyses of grid security would cost about $1 million. Any increase in FERC's administrative costs would have no net budgetary impact because the agency recovers 100 percent of its costs through user fees. CBO estimates that enacting this bill would not affect revenues.

H.R. 5026 would impose an intergovernmental and private-sector mandate as defined in the Unfunded Mandates Reform Act (UMRA). The act would authorize FERC to issue rules and standards to protect the electric power system from cyber threats. Public and private entities that generate, transmit, or distribute electricity could be affected by those rules or standards. The costs of the mandate could be significant but would depend on future regulations. Consequently, CBO cannot determine whether the costs of the mandate would exceed the annual threshold for private-sector mandates ($141 million in 2010, adjusted annually for inflation). Because public entities own and operate a small fraction of the nation's electric power infrastructure, CBO expects that the costs of the mandate would fall below the annual threshold established in UMRA for intergovernmental mandates ($70 million in 2010, adjusted annually for inflation).

CBO has not reviewed provisions of the act that would provide FERC and the Secretary of Energy with expedited or emergency authority to protect the electric transmission grid from threats to those computer networks for intergovernmental or private-sector mandates. Section 4 of the Unfunded Mandates Reform Act excludes from the application of that act any legislative provisions that are necessary for national security. CBO has determined that those provisions fall within that exclusion.

On May 19, 2010, CBO transmitted a cost estimate for H.R.
5026, the Grid Reliability and Infrastructure Defense Act, as ordered reported by the House Committee on Energy and Commerce on April 15, 2010. The Senate version of this legislation would authorize fewer programs and regulatory measures than the House bill, resulting in a smaller cost than CBO estimated for the House bill.

The CBO staff contacts for this estimate are Kathleen Gramp (for federal costs), Ryan Miller (for the intergovernmental impact), and Amy Petz (for the private-sector impact). The estimate was approved by Theresa Gullo, Deputy Assistant Director for Budget Analysis.

Regulatory Impact Statement

In compliance with paragraph 11(b) of Rule XXVI of the Standing Rules of the Senate, the Committee makes the following evaluation of the regulatory impact which would be incurred in carrying out H.R. 5026, as proposed to be amended.

H.R. 5026, as proposed to be amended, would authorize the Federal Energy Regulatory Commission to issue rules and orders necessary to protect critical electric infrastructure from cyber security vulnerabilities, and the Secretary of Energy to issue emergency orders to avert or mitigate cyber security threats.

(A) Number of businesses regulated. H.R. 5026, as proposed to be amended, would apply to ``any entity that owns, controls, or operates critical electric infrastructure,'' which the bill defines, in pertinent part, to include ``systems and assets . . . used for the generation, transmission, or distribution of electric energy affecting interstate commerce that . . .
are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety.'' The Committee believes that, if the Commission determines that a rule or order is necessary, it could affect a large part of the nation's 3,273 electric utilities (including 210 investor-owned utilities, 2,009 publicly-owned utilities, 883 consumer-owned rural electric cooperatives, and nine Federal electric utilities) and possibly some of the nation's 1,738 nonutility power producers.

(B) Economic impact. The economic impact of a rule or order could be significant, but would depend on the rule or order. The Committee notes that the Congressional Budget Office, in its report on S. 1462, stated that it expects the cost of any rule or order issued under section 301 of S. 1462 (which is identical to H.R. 5026, as proposed to be amended) to be below the thresholds established under the Unfunded Mandates Reform Act ($69 million in 2009). In any event, the Committee expects any economic burden occasioned by the requirements to be offset by the potential damage to the electric grid and the disruption to the national economy that will be avoided by such emergency measures.

(C) Personal privacy. No personal information would be collected in administering the program. Therefore, there would be no impact on personal privacy.

(D) Paperwork requirements. Although the Commission or the Secretary may require the submission of some critical electric infrastructure information, the Committee does not expect the amount of information collected to impose substantial additional paperwork or recordkeeping burdens, in either time or financial cost, on private industry or individuals.

Congressionally Directed Spending

H.R.
5026, as ordered reported, does not contain any congressionally directed spending items, limited tax benefits, or limited tariff benefits as defined in rule XLIV of the Standing Rules of the Senate.

Executive Communications

The testimony of the witnesses representing the Department of Energy and the Federal Energy Regulatory Commission at the Committee's May 7, 2009, hearing on draft cyber security legislation follows.

Statement of Patricia Hoffman, Acting Assistant Secretary, Electricity Delivery and Energy Reliability, Department of Energy

Mr. Chairman and members of the Committee, thank you for this opportunity to testify before you on the cyber security issues facing the electric industry and on emergency authorities to protect critical electric infrastructure. All of us here today share a common concern that vulnerabilities exist within the electric system and that the government and the private sector must do everything we can to address it. This is particularly true for smart grid systems, which by their very nature involve the use of information technologies in areas and applications on the electric system where they have not been used before. With the funding provided for smart grid activities in the American Recovery and Reinvestment Act of 2009, the Department will be expanding our partnership with industry to advance the smart grid while maintaining security of smart grid devices and systems.

A smart grid uses information technology to improve the reliability, availability, and efficiency of the electric system. With smart grid, information technologies are being applied to electric grid applications including devices at the consumer level through the transmission level to make our electric system more responsive and more flexible. To be clear, the smart grid is both a means to enhancing grid security as well as a potential vulnerability. Enhanced grid functionality enables multiple devices to interact with one another via a communications network.
These interactions make it easier and more cost effective, in principal, for a variety of clean energy alternatives to be integrated with electric system planning and operations, as well as for improvements in the speed and efficacy of grid operations to boost electric reliability and the overall security and resiliency of the grid. The communications network, and the potential for it to enhance grid operational efficiency and bring new clean energy into the system, is one of the distinguishing features of the smart grid compared to the existing system. For example, Wide Area Measurement Systems (WAMS) technology is based on obtaining high-resolution power system measurements (e.g., voltage) from sensors that are dispersed over wide areas of the grid. The data is synchronized with timing signals from Global Positioning System (GPS) satellites. The real-time information available from WAMS allows operators to detect and mitigate a disturbance before it can spread and enables greater utilization of the grid by operating it closer to its limits while maintaining reliability. When Hurricane Gustav came ashore in Louisiana in September 2008, an electrical island was formed in an area of Entergy's service territory. Entergy used the phasor measurement system to detect this island, and the phasor measurement units (PMU) in the island to balance generation and load for some 33 hours before surrounding power was restored. The Department understands that the smart grid will be more complex than today's grid, with exponentially more access points, both virtual and physical through smart grid devices and without proper controls in place these factors could result in increasing the electric sector's vulnerabilities. 
Department of Energy Activities:

The mission of the Office of Electricity Delivery and Energy Reliability is to lead national efforts to modernize the electric grid, to enhance the security and reliability of the energy infrastructure, and to facilitate recovery from disruptions to the energy supply. To accomplish this mission, the Office focuses on long-term system requirements through our research investments in the electricity delivery system and near-term energy vulnerability assessments/disaster recovery. Our efforts to enhance the cyber security of the energy infrastructure have produced results in five areas. We have:

--Identified cyber vulnerabilities in energy control systems and worked with vendors to develop hardened systems that mitigate the risks
--Developed more secure communications methods between energy control systems and field devices
--Developed tools and methods to help utilities assess their security posture
--Developed a modeling and simulation capability to estimate the effects of cyber attacks on the power grid
--Provided extensive cyber security training for energy owners and operators to help them prevent, detect, and mitigate cyber penetration.

In 2005, the Department (in collaboration with the Department of Homeland Security and Natural Resources-Canada) worked directly with asset owners and operators in the oil, gas, and electricity sectors to develop the Roadmap to Secure Control Systems in the Energy Sector--a detailed, prioritized plan for cyber security improvements over the next 10 years, including best practices, new technology, and risk assessment. The Roadmap vision states that in 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function. Industry representatives defined goals, milestones, and priorities to guide the industry toward this vision. As a result, the Department was one of the first research organizations to align its cyber security research activities with the Roadmap goals and vision.

The Institute for Information Infrastructure Protection (I3P) is working to develop several technologies that address Roadmap goals including security metrics and trusted devices. The Trusted Cyber Infrastructure for the Power Grid (TCIP) (a collaboration of universities led by the University of Illinois at Champaign-Urbana working with energy sector asset-owners and operators and vendors with funding from NSF, DOE, and DHS) is also conducting extensive cyber security research that aligns with the Roadmap goals. In addition, there are over 50 other public and private organizations working on projects that directly address the challenges identified in the Roadmap.

Efforts at the national labs are also producing results that industry can use today to enhance the security of their control systems. For example, Sandia National Laboratories developed the Advanced Network Toolkit for Assessments and Remote Mapping, or ANTFARM. This tool aids energy utility owners in mapping critical cyber assets and access points to allow easy visualization of their control system networks--a critical step in meeting the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards. Released in August 2008, the toolkit is open source and available online for free.

Through the Department's National Supervisory Control and Data Acquisition (SCADA) Test Bed program, we have assessed 90% of the current market offering of SCADA and energy management systems (EMS) in the electric sector, and 80% of the current market offering in the oil and gas sector. Twenty test bed and on-site field assessments of control systems from vendors including ABB, Areva, GE, OSI, Siemens, Telvent, and others, have led them to develop 11 hardened control system designs with thirty-one of these systems now deployed in the marketplace. Vendors also have released several software patches to better secure legacy systems.

The National SCADA Test Bed (NSTB) is a state-of-the-art national resource designed to aid government and industry in securing their control systems through vulnerability assessments, focused research and development (R&D) efforts, and outreach. Over the years the Department has expanded its investments in the NSTB and today it includes the resources and capabilities of five national laboratories (Idaho National Engineering Laboratory, Sandia National Laboratory, Pacific Northwest National Laboratory, Oak Ridge National Laboratory, and Argonne National Laboratory) as well as many cost-shared projects with the private sector.

The national labs also educate end-users on cyber security best practices and implementing methods to better manage control systems risk. For example, the Idaho National Laboratory has released on an annual basis a ``Common Vulnerabilities'' report. Using results from assessments performed from 2003 to 2007, the November 2008 document represents a steadily growing understanding of control system security issues and methods for mitigating current and emerging vulnerabilities. This effort is expanding to new technologies, such as substation automation and Smart Grid, as the program seeks a continuing understanding of the systems being planned for and deployed in the energy sector critical infrastructure.

The Department, through a work-for-others agreement with the Idaho National Laboratory, is also working with a major vendor of smart meters to conduct a cyber security assessment of their device. The primary motivation for this work was driven by the utilities--end-users of the product.

The Department has also funded several research and development projects with the private sector. The Bandolier project, led by Digital Bond, is developing security audit files, which are incorporated into a utility's existing network scanners and used to audit the control system's security settings against an optimal security configuration. Given that large control systems can have over 1000 security settings, Bandolier can help a utility enhance its security posture while saving time and money at the same time. Audit files are now available for Siemens, Telvent, and ABB. Digital Bond has made its product available for a nominal subscriber fee on its website.

The Hallmark project, led by Schweitzer Engineering Laboratories (SEL), is another DOE-supported research and development project. SEL is working to commercialize the Secure SCADA Communications Protocol originally developed by Pacific Northwest National Laboratory. The technology will enable utilities to secure critical data communications links between remote substations and control centers and is scheduled to be launched in the next few months.

To track progress on implementation the Department designed a unique online collaborative tool--the interactive energy Roadmap (ieRoadmap)--which can be found online at www.controlsystemsroadmap.net. Public- and private-sector researchers self-populate the online database with project information and map their efforts to specific challenges and priorities identified in the Roadmap. The website has become a vital resource for news, information sharing, and collaboration.

Looking ahead, the Department also participates in multi-agency information-sharing forums such as the Networking and Information Technology Research and Development (NITRD) program, which is the primary mechanism for government to coordinate unclassified networking and information technology research and development investments.
Thirteen Federal agencies are formal members (including DOE) of the NITRD Program.

Also in the long-term, the Department seeks to alter the very nature of cyber security. During the past two years, the Department's Office of Science has brought together a growing community of cyber security professionals and researchers from the laboratories, private industry, academia, and other government agencies to assess the state of cyber security in general and within the Department specifically. These experts concluded that the current approach to addressing cyber security problems is reactive and the Department should develop a long-term strategy that goes beyond stopping traditional threats to rendering both traditional and new threats harmless. In December 2008, the Department released the findings of this group in ``A Scientific Approach R&D Approach to Cyber Security,'' which outlines a set of opportunities to introduce anticipation and evasion capabilities to platforms and networks, data systems to actively contribute to their control and protection, and platform architectures that operate with integrity despite the presence of untrusted components. This approach could not only provide new, game-changing capabilities to the Department, but could also be directly applied to other agencies, industry, and society.

smart grid

The American Recovery and Reinvestment Act of 2009 appropriated $4.5 billion in funds for electricity delivery and energy reliability activities to modernize the electric grid, to include demand responsive equipment, enhance security and reliability of the energy infrastructure, energy storage, facilitate recovery from disruptions, and for implementation of programs authorized under Title XIII of the Energy Independence and Security Act of 2007 (Smart Grid). The Department is working to implement these new program activities in a responsible manner and the request for proposals for these activities will include requirements that each applicant thoroughly and systematically addresses all cyber security risks to the system.

A key application of the smart grid is Advanced Metering Infrastructure (AMI). AMI requires two-way communication between the utility and the end-user. Over the last 10 months, DOE has partnered with the AMI Security (AMI-SEC) Task Force organized under the UCA International User's Group. The Task Force is comprised of utilities, security domain experts, standards body representatives and industry vendors. On March 10, 2009, the Task Force published the AMI System Security Requirements, which provides critical guidance for vendors and utilities to help design and procure secure and reliable AMI systems. Because of the success of this industry-government collaboration, the Department is working with the Task Force to expand the activity to develop a suite of security requirements for all critical Smart Grid applications.

The National Institute of Standards and Technology (NIST) is responsible for developing the framework for interoperability standards development for the smart grid. The Federal Energy Regulatory Commission (FERC) has authority for issuing standards for rulemaking. The Department views the development of interoperability standards that include appropriate cyber security protections as one of the key milestones toward realizing the goal of widespread implementation of smart grid technologies, tools, and techniques. DOE-NIST-FERC coordination on these standards has been ongoing for more than a year through the Federal Smart Grid Task Force, an EISA-mandated group that meets monthly and involves agencies from across the Federal government, including EPA, USDA, DHS, and DOD. Recent progress on two key activities demonstrates the efficacy of the coordination effort: (1) Development of the Interoperability Standards Roadmap under the leadership of NIST, and (2) Development of a policy statement on interoperability standards under the leadership of FERC. These activities are critical for the Department in the selection of meritorious projects under the Smart Grid Investment Grants Program and the Smart Grid Regional Demonstration Program as the quality of the approaches for addressing interoperability and cyber security will be important evaluation criteria.

With regard to protecting the electric grid from newly discovered vulnerabilities, the Department does not have a position on the Draft Joint Staff Cybersecurity Text. The Department does provide the following technical comment: All vulnerabilities must be thoroughly evaluated on a scientific basis to determine the impact and risk to the nation in the event the vulnerability were to be exploited. Any decision to act or issue an order by the government must be based on sound risk management principles and judgment considering the characteristics of the vulnerability, the capabilities of the threat, likelihood of attack, the consequences to the nation should the vulnerability be exploited, and the cost of mitigation.

This concludes my statement, Mr. Chairman. Thank you for the opportunity to speak, and I look forward to answering any questions you and your colleagues may have.

----------

Testimony of Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission

Mr. Chairman and Members of the Committee: Thank you for this opportunity to appear before you to discuss the cyber security of the electric grid. My name is Joseph McClelland. I am the Director of the Office of Electric Reliability (OER) of the Federal Energy Regulatory Commission (FERC or Commission).
The Commission's role with respect to reliability is to help protect and improve the reliability of the Nation's bulk-power system through effective regulatory oversight as established in the Energy Policy Act of 2005. I am here today as a Commission staff witness and my remarks do not necessarily represent the views of the Commission or any individual Commissioner.

My testimony summarizes the Commission's oversight of the reliability of the electric grid in the area of security, some of the Commission's actions to implement section 215 of the Federal Power Act, and some of the limitations in the Commission's authority. The Commission does not have sufficient authority to provide effective protection of the grid against cyber attacks or other security threats to reliability. As will be explained in more detail later, this is primarily due to three factors regarding the development of reliability standards under section 215: lack of timeliness, lack of ability to protect security-sensitive information, and lack of ability to control the content of proposed cybersecurity standards. Therefore, legislation is needed and my testimony discusses the key elements that should be included in any new legislation in this area.

background

In the Energy Policy Act of 2005 (EPAct 2005), the Congress entrusted the Commission with a major new responsibility to oversee mandatory, enforceable reliability standards for the Nation's bulk power system (excluding Alaska and Hawaii). This authority is in section 215 of the Federal Power Act. Section 215 requires the Commission to select an Electric Reliability Organization (ERO) that is responsible for proposing, for Commission review and approval, reliability standards or modifications to existing reliability standards to help protect and improve the reliability of the Nation's bulk power system. The reliability standards apply to the users, owners and operators of the bulk power system and become mandatory only after Commission approval. The ERO also is authorized to impose, after notice and opportunity for a hearing, penalties for violations of the reliability standards, subject to Commission review and approval. The ERO may delegate certain responsibilities to ``Regional Entities,'' subject to Commission approval.

The Commission may approve proposed reliability standards or modifications to previously approved standards if it finds them ``just, reasonable, not unduly discriminatory or preferential, and in the public interest.'' The Commission does not have authority to modify proposed standards. Rather, if the Commission disapproves a proposed standard or modification, section 215 requires the Commission to remand it to the ERO for further consideration. The Commission, upon its own motion or upon complaint, may direct the ERO to submit a proposed standard or modification on a specific matter. The Commission, however, does not have the authority to modify or author a standard but must depend upon the ERO to do so.

The Commission has implemented section 215 diligently. Within 180 days of enactment, the Commission adopted rules governing the reliability program. In mid-2006, it approved the North American Electric Reliability Corporation (NERC) as the ERO. In March 2007, the Commission approved the first set of national mandatory and enforceable reliability standards. In April 2007, it approved eight regional delegation agreements to provide for development of new or modified standards and enforcement of approved standards by Regional Entities.

In exercising its new authority, the Commission has interacted extensively with NERC and the industry. The Commission also has coordinated with other federal agencies, such as the Department of Homeland Security, the Department of Energy, the Nuclear Regulatory Commission, and the Department of Defense. Also, the Commission has established regular communications and meetings with regulators from Canada and Mexico regarding reliability, since the North American bulk power system is an interconnected continental system subject to the varied regulatory regimes of three nations.

cyber security standards approved under section 215

An important part of the Commission's responsibility to oversee the development of reliability standards involves cyber security. Section 215 defines ``reliability standard[s]'' as including requirements for the ``reliable operation'' of the bulk power system including ``cybersecurity protection.'' Section 215 defines reliable operation to mean operating the elements of the bulk power system within certain limits so instability, uncontrolled separation, or cascading failures will not occur ``as a result of a sudden disturbance, including a cybersecurity incident.'' Section 215 also defines a ``cybersecurity incident'' as a ``malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system.''

In August 2006, NERC submitted eight proposed cyber security standards, known as the Critical Infrastructure Protection (CIP) standards, to the Commission for approval under section 215. Each of these standards contains layers of multiple requirements. Critical infrastructure, as defined by NERC for purposes of the CIP standards, includes facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the ``Bulk Electric System.'' NERC proposed an implementation plan under which certain requirements would be ``auditably compliant'' beginning by mid-2009, and full compliance with the CIP standards would not be mandatory until 2010.
On January 18, 2008, after issuing both a staff preliminary assessment and notice of proposed rulemaking, the Commission issued a Final Rule approving the CIP Reliability Standards and concurrently directed NERC to develop significant modifications addressing specific concerns, such as the breadth of discretion left to utilities by the standards. For example, the standards state that utilities ``should interpret and apply the [reliability standards] using reasonable business judgment.'' Similarly, the standards at times require certain steps ``where technically feasible,'' but this is defined as not requiring the utility ``to replace any equipment in order to achieve compliance.'' Also, the standards would allow a utility at times not to take certain action if the utility documents its ``acceptance of risk'' that might be placed on the bulk-power system. To address this, the Final Rule directed NERC, among other things: (1) to develop modifications to remove the ``reasonable business judgment'' language and the ``acceptance of risk'' exceptions; and, (2) to develop specific conditions that a responsible entity must satisfy to invoke the ``technical feasibility'' exception. NERC and the industry are working on proposed modifications to address these two issues. However, until such time as the standards are modified by the ERO through its stakeholder process, approved by the Commission, and implemented by industry, the discretion remains and critical facilities will be left unprotected.

A good example of the discretion implicit in the existing cyber security standards involves the utility's ability to determine which of its facilities would be subject to them. In the Final Rule, the Commission addressed its concerns by requiring independent oversight of a utility's decisions by industry entities with a ``wide-area view,'' such as reliability coordinators or the Regional Entities, subject to the review of the Commission. This revision to the standards is subject to approval by the affected stakeholders in the standards development process and therefore has not yet been presented to the Commission. NERC recently conducted a survey on this issue which seems to validate the Commission's concern and original directives by demonstrating that a significant percentage of owners and operators do not believe they own or operate critical cyber assets. For example, NERC stated that only 29% of generation owners and generation operators reported at least one critical asset, though it is unclear from NERC's data what portion of the Nation's generation capacity that 29% represents, or what portion the designated critical assets represent. Thus, it is not clear, even today, what percentage of critical assets and their associated critical cyber assets has been identified. It is clear, however, that this issue is serious and represents a significant gap in cybersecurity protection.

current process to address cyber or other national security threats to reliability

As an initial matter, it is important to recognize how mandatory reliability standards are established under section 215. Under section 215, reliability standards are developed by the ERO through an open, inclusive, and public process. The Commission can direct NERC to develop a reliability standard to address a particular reliability matter, including cyber security threats or vulnerabilities. However, the NERC process typically takes years to develop standards for the Commission's review. In fact, the cyber security standards approved by FERC took the industry approximately three years to develop.

NERC's procedures for developing standards allow extensive opportunity for industry comment, are open, and are generally based on the procedures of the American National Standards Institute. The NERC process is intended to develop consensus on both the need for the standard and on the substance of the proposed standard. Although inclusive, the process is relatively slow, cumbersome and unpredictable regarding its responsiveness to the Commission's directives. Key steps in the NERC process include: nomination of a proposed standard using a Standard Authorization Request (SAR); public posting of the SAR for comment; review of the comments by industry volunteers; drafting or redrafting of the standard by a team of industry volunteers; public posting of the draft standard; field testing of the draft standard, if appropriate; formal balloting of the draft standard, with approval requiring a quorum of votes by 75 percent of the ballot pool and affirmative votes by two-thirds of the weighted industry sector votes; re-balloting, if negative votes are supported by specific comments; approval by NERC's board of trustees; and an appeals mechanism to resolve any complaints about the standards process. NERC-approved standards are then submitted to the Commission for its review. This standards development process requires public disclosure regarding the reason for the proposed standard, the manner in which the standard will address the issues at hand, and any subsequent comments and resulting modifications in the standards as the affected stakeholders review the material and provide comments.

Generally, the procedures used by NERC are appropriate for developing and approving reliability standards. The process allows extensive opportunities for industry and public comment. The public nature of the reliability standards development process can be a strength of the process as it relates to most reliability standards. However, it can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information.

The procedures used under section 215 for the development and approval of reliability standards do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action. If a significant vulnerability in the bulk power system is identified, procedures used so far for adoption of reliability standards take too long to implement effective corrective steps. FERC rules governing review and establishment of reliability standards allow the agency to direct the ERO to develop and propose reliability standards under an expedited schedule. For example, FERC could order the ERO to submit a reliability standard to address a reliability vulnerability within 60 days. Also, NERC's rules of procedure include a provision for approval of ``urgent action'' standards that can be completed within 60 days and which may be further expedited by a written finding by the NERC board of trustees that an extraordinary and immediate threat exists to bulk power system reliability or national security. However, it is not clear NERC could meet this schedule in practice. Moreover, faced with a cyber security or other national security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months or years. That would not be feasible even under the urgent action process. In the meantime, the bulk power system would be left vulnerable to a known national security threat. Moreover, existing procedures, including the urgent action procedure, would widely publicize both the vulnerability and the proposed solutions, thus increasing the risk of hostile actions before the appropriate solutions are implemented. In addition, the proposed standard submitted to the Commission may not be sufficient to address the vulnerability or threat.
As noted above, when a proposed reliability standard is submitted to FERC for its review, whether submitted under the urgent action provisions or the usual process, the agency cannot modify such standard and must either approve or remand it. Since the Commission may not modify a proposed reliability standard under section 215, it would have the choice of approving an inadequate standard and directing changes, which reinitiates a process that can take years, or rejecting the standard altogether. Under either approach, the bulk power system would remain vulnerable for a prolonged period.

Finally, the open and inclusive process required for standards development is not consistent with the need to contain security-sensitive information. For instance, a SAR would normally detail the need for the standard as well as the proposed mitigation to address the issue. Subsequent drafts of the standard would consider how effectively it addresses the cyber security matters and what objections or revisions are proposed by the stakeholders resulting in a final version that would be filed with the Commission for review. Potential adversaries would have the ability to monitor these developments and alter their actions as necessary to preserve an effective attack vector.

nerc's ``aurora'' advisory and subsequent actions

Currently, the alternative to a mandatory reliability standard is for NERC to issue an advisory encouraging utilities and others to take voluntary action to guard against cyber or other vulnerabilities. That approach provides for quicker action, but any such advisory is not mandatory, and should be expected to produce inconsistent and potentially ineffective responses. That was the Commission's experience with the response to an advisory issued in 2007 by NERC regarding an identified cyber security threat referred to as the ``Aurora'' threat. While NERC can issue an alert, as it did in response to the Aurora vulnerability, compliance with these alerts is voluntary and subject to the interpretation of the individual utilities. Also, an alert can be general in nature and lack specificity. For example, as Commission staff has found with the Aurora alert, such alerts can cause uncertainty about the specific strategies needed to mitigate the identified vulnerabilities and the assets to which they apply. Reliance on voluntary measures to assure national security is fundamentally inconsistent with the conclusion Congress reached during enactment of EPAct 2005, that voluntary standards cannot assure reliability of the bulk power system.

Damage from cyber attacks could be enormous. All of the electric system is potentially subject to cyber attack, including power plants, substations, transmission lines, and local distribution lines. A coordinated attack could affect the electrical grid to a greater extent than the August 2003 blackout and cause much more extensive damage. Cyber attacks can physically damage the generating facilities and other equipment such that restoration of power takes weeks or longer, instead of a few hours or days. The harm could extend not only to the economy and the health and welfare of our citizens, but even to the ability of our military forces to defend us, since many military installations rely on the bulk power system for their electricity. In fact, a recent Defense Science Board report concluded that ``critical missions at military installations are vulnerable to loss from commercial power outage and inadequate backup power supplies.''\1\ The cost of protecting against cyber attacks is difficult to estimate but, undoubtedly, is much less than the damages and disruptions that could be incurred if we do not protect against them.\2\
---------------------------------------------------------------------------
\1\Report of the Defense Science Board Task Force on DoD Energy Strategy ``More Fight--Less Fuel'', February 2008.
\2\As an example, the U.S.-Canada Joint Task Force on the August 2003 Blackout concluded that the outage affected over 50,000,000 citizens and was estimated to cost between $4 and $10 billion in the United States.
---------------------------------------------------------------------------

The need for vigilance may increase as new technologies are added to the bulk power system. For example, ``smart grid'' technology will provide significant benefits in the use of electricity. These include the promised ability to manage not only energy sources but also energy consumption. However, a smarter grid would permit two-way communication between the electric system and a much larger number of devices located outside of controlled utility environments, which will introduce many potential access points. To some degree, this is similar to the banking industry allowing its customers to bank on line, but only with appropriate security protections in place. Security features must be an integral consideration, as the Commission stated in a recent proposed policy statement on smart grid. As the ``smart grid'' effort moves forward, steps will need to be taken to ensure that cyber security protections are in place prior to its implementation. The challenge will be to focus not only on general approaches but, importantly, on the details of specific technologies and the risks they may present.
key elements of needed legislation

In my view, section 215 provides an adequate statutory foundation for the ERO to develop reliability standards for the bulk power system. However, the threat of cyber attacks or other intentional malicious acts against the electric grid is different. These are national security threats that may be posed by foreign nations or others intent on attacking the U.S. through its electric grid. The nature of the threat stands in stark contrast to other major reliability vulnerabilities that have caused regional blackouts and reliability failures in the past, such as vegetation management and protective relay maintenance practices.

Widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens. Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. The Commission's legal authority is inadequate for such action. This is true of both cyber and non-cyber threats that pose national security concerns. In the case of such threats to the electric system, the Commission does not have sufficient authority to timely protect the reliability of the system.

Any new legislation should address several key concerns. First, legislation should allow the Commission to take action before a cyber or other national security incident has occurred to prevent a significant risk of disruption to the grid due to such an incident. In order to protect the grid, it is vital that the Commission be authorized to act before an attack. Second, any legislation should allow the Commission to maintain appropriate confidentiality of any security-sensitive information submitted or developed through the exercise of this authority.
It should also allow the Commission to protect such information when the Commission issues orders under any new authority. Third, it is important that Congress be aware that if additional reliability authority is limited to the ``bulk power system,'' as defined in the FPA, it would exclude protection against attacks involving Alaska and Hawaii and possibly the territories, including any federal installations located therein. The current interpretation of ``bulk power system'' also would exclude some transmission and all local distribution facilities, including virtually all of the grid facilities in large cities such as New York, thus precluding possible Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas. Finally, legislation should address not only cyber security threats but also other national security threats to reliability.

The Joint Staff draft bill is one approach that would largely rectify the inadequacies in existing federal authority to address cyber threats to the electric grid. It gives the Commission authority to issue rules or orders that are necessary to protect critical electric infrastructure from weaknesses or flaws in the design or operation of electric devices or networks that expose critical electric infrastructure to a cyber security threat. This authority to address cyber security vulnerabilities would apply to all systems or assets, whether physical or virtual, used for the generation, transmission, and distribution of electric energy that in the determination of the Commission are so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, or national public health or safety. Thus, it would allow the Commission to act to protect against potential damage to the grid, including the grid facilities in New York City, which I referenced earlier.
As I have noted, a key concern with respect to any cyber security legislation is that the Commission must be allowed to maintain appropriate confidentiality of any security-sensitive information submitted or developed through the exercise of its authority. This applies to information submitted to the Commission and to orders issued by the Commission, which may contain security-sensitive information. While the draft bill addresses the protection of critical infrastructure information, it could be construed to provide protection only for information voluntarily submitted to the Commission or the Secretary. Not all information submitted to the Commission or the Secretary will be submitted voluntarily, but rather may be ordered to be submitted in an agency rule or order. Additionally, the Commission or the Secretary may need to include sensitive information in the orders they issue and this information similarly should be non-public. Therefore, I recommend that the language be amended to address these issues.

I also recommend that the Joint Staff draft be amended to address not only cyber security threats but also other national security threats to reliability. Intentional physical malicious acts (targeting, for example, critical substations and generating stations) can cause equal or greater destruction than cyber attacks and the Federal government should have no less ability to act to protect against such potential damage. This additional authority would not displace other means of protecting the grid, such as action by federal, state and local law enforcement and the National Guard, but the Commission has unique expertise regarding the reliability of the grid, the consequences of threats to it and the measures necessary to safeguard it. If particular circumstances cause both FERC and other governmental authorities to require action by utilities, FERC will coordinate with other authorities as appropriate.
Finally, Congress should be aware of the fact that if additional reliability authority is limited to the areas within the Commission's jurisdiction under section 215 of the FPA, it would exclude protection against reliability threats in Alaska and Hawaii and possibly the territories, including any federal installations located therein.

conclusion

The Commission's authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system. These types of threats pose an increasing risk to our Nation's electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. Congress should address this risk now.

Thank you again for the opportunity to testify today. I would be happy to answer any questions you may have.

Changes in Existing Law

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by the bill H.R. 5026, as ordered reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman):

FEDERAL POWER ACT

The Act of June 10, 1920, Chapter 285, As Amended

Be it enacted by the Senate and the House of Representatives of the United States of America in Congress assembled,

* * * * * * *

PART II--REGULATION OF ELECTRIC UTILITY COMPANIES ENGAGED IN INTERSTATE COMMERCE

* * * * * * *

SEC. 223. JOINT BOARDS ON ECONOMIC DISPATCH.

* * * * * * *

(d) Report to the Congress.--Within 1 year after enactment of this section, the Commission shall issue a report and submit such report to the Congress regarding the recommendations of the joint boards under this section and the Commission may consolidate the recommendations of more than one such regional joint board, including any consensus recommendations for statutory or regulatory reform.

SEC. 224. CRITICAL ELECTRIC INFRASTRUCTURE.
(a) Definitions.--In this section:
  (1) Critical electric infrastructure.--The term `critical electric infrastructure' means systems and assets, whether physical or virtual, used for the generation, transmission, or distribution of electric energy affecting interstate commerce that, as determined by the Commission or the Secretary (as appropriate), are so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety.
  (2) Critical electric infrastructure information.--The term `critical electric infrastructure information' means critical infrastructure information relating to critical electric infrastructure.
  (3) Critical infrastructure information.--The term `critical infrastructure information' has the meaning given the term in section 212 of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 131).
  (4) Cyber security threat.--The term `cyber security threat' means the imminent danger of an act that disrupts, attempts to disrupt, or poses a significant risk of disrupting the operation of programmable electronic devices or communications networks (including hardware, software, and data) essential to the reliable operation of critical electric infrastructure.
  (5) Cyber security vulnerability.--The term `cyber security vulnerability' means a weakness or flaw in the design or operation of any programmable electronic device or communication network that exposes critical electric infrastructure to a cyber security threat.
  (6) Secretary.--The term `Secretary' means the Secretary of Energy.
(b) Authority of Commission.--
  (1) In general.--The Commission shall issue such rules or orders as are necessary to protect critical electric infrastructure from cyber security vulnerabilities.
  (2) Expedited procedures.--The Commission may issue a rule or order without prior notice or hearing if the Commission determines the rule or order must be issued immediately to protect critical electric infrastructure from a cyber security vulnerability.
  (3) Consultation.--Before issuing a rule or order under paragraph (2), to the extent practicable, taking into account the nature of the threat and urgency of need for action, the Commission shall consult with the entities described in subsection (e)(1) and with officials at other Federal agencies, as appropriate, regarding implementation of actions that will effectively address the identified cyber security vulnerabilities.
  (4) Termination of rules or orders.--A rule or order issued to address a cyber security vulnerability under this subsection shall expire on the effective date of a standard developed and approved pursuant to section 215 to address the cyber security vulnerability.
(c) Emergency Authority of Secretary.--
  (1) In general.--If the Secretary determines that immediate action is necessary to protect critical electric infrastructure from a cyber security threat, the Secretary may require, by order, with or without notice, persons subject to the jurisdiction of the Commission under this section to take such actions as the Secretary determines will best avert or mitigate the cyber security threat.
  (2) Coordination with Canada and Mexico.--In exercising the authority granted under this subsection, the Secretary is encouraged to consult and coordinate with the appropriate officials in Canada and Mexico responsible for the protection of cyber security of the interconnected North American electricity grid.
  (3) Consultation.--Before exercising the authority granted under this subsection, to the extent practicable, taking into account the nature of the threat and urgency of need for action, the Secretary shall consult with the entities described in subsection (e)(1) and with officials at other Federal agencies, as appropriate, regarding implementation of actions that will effectively address the identified cyber security threat.
  (4) Cost recovery.--The Commission shall establish a mechanism that permits public utilities to recover prudently incurred costs required to implement immediate actions ordered by the Secretary under this subsection.
(d) Duration of Expedited or Emergency Rules or Orders.--Any rule or order issued by the Commission without prior notice or hearing under subsection (b)(2) or any order issued by the Secretary under subsection (c) shall remain effective for not more than 90 days unless, during the 90-day period, the Commission--
  (1) gives interested persons an opportunity to submit written data, views, or arguments (with or without opportunity for oral presentation); and
  (2) affirms, amends, or repeals the rule or order.
(e) Jurisdiction.--
  (1) In general.--Notwithstanding section 201, this section shall apply to any entity that owns, controls, or operates critical electric infrastructure.
  (2) Covered entities.--
    (A) In general.--An entity described in paragraph (1) shall be subject to the jurisdiction of the Commission for purposes of--
      (i) carrying out this section; and
      (ii) applying the enforcement authorities of this Act with respect to this section.
    (B) Jurisdiction.--This subsection shall not make an electric utility or any other entity subject to the jurisdiction of the Commission for any other purpose.
  (3) Alaska and Hawaii excluded.--Except as provided in subsection (f), nothing in this section shall apply in the State of Alaska or Hawaii.
(f) Defense facilities.--Not later than 1 year after the date of enactment of this section, the Secretary of Defense shall prepare, in consultation with the Secretary, the States of Alaska and Hawaii, the Territory of Guam, and the electric utilities that serve national defense facilities in those States and Territory, a comprehensive plan that identifies the emergency measures or actions that will be taken to protect the reliability of the electric power supply of the national defense facilities located in those States and Territory in the event of an imminent cybersecurity threat.
(g) Protection of Critical Electric Infrastructure Information.--
  (1) In general.--Section 214 of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 133) shall apply to critical electric infrastructure information submitted to the Commission or the Secretary under this section to the same extent as that section applies to critical infrastructure information voluntarily submitted to the Department of Homeland Security under that Act (6 U.S.C. 131 et seq.).
  (2) Rules prohibiting disclosure.--Notwithstanding section 552 of title 5, United States Code, the Secretary and the Commission shall prescribe regulations prohibiting disclosure of information obtained or developed in ensuring cyber security under this section if the Secretary or Commission, as appropriate, decides disclosing the information would be detrimental to the security of critical electric infrastructure.
  (3) Procedures for sharing information.--
    (A) In general.--The Secretary and the Commission shall establish procedures on the release of critical infrastructure information to entities subject to this section, to the extent necessary to enable the entities to implement rules or orders of the Commission or the Secretary.
    (B) Requirements.--The procedures shall--
      (i) limit the redissemination of information described in subparagraph (A) to ensure that the information is not used for an unauthorized purpose;
      (ii) ensure the security and confidentiality of the information;
      (iii) protect the constitutional and statutory rights of any individuals who are subjects of the information; and
      (iv) provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.

* * * * * * *