Ways to Improve Cybersecurity Issues for the Energy Sector. Witnesses stressed the importance of protecting the US energy grid and what the government can do now to help prepare for potential attacks. Held by the Senate Energy Committee, this is almost two hours.

Good morning, the committee will come to order. We are here this morning to examine federal and industry efforts to improve the cybersecurity of the energy sector, including efforts to improve collaboration on cybersecurity and critical infrastructure protection initiatives. It has been more than a year since we last held a hearing on cybersecurity for the energy sector, but it is fair to say this is always a timely topic, a critical priority we can't lose sight of even as we grapple with COVID-19 and whatever becomes the source of our next national crisis. There have been a few noteworthy developments since last year. Earlier this year the president issued an executive order focused on securing our system from the cyber and physical threats posed by hostile nation-state actors. This is an effort that will be led by the Department of Energy. The Federal Energy Regulatory Commission has published a paper detailing a potential structure for providing incentives to make cybersecurity investments, following up on a technical conference examining the same issue in 2019. I am pleased to be able to welcome our witnesses from DOE and look forward to hearing the latest from them. I also welcome those representing industry, which will play an equally significant role in how these initiatives unfold. The threat of cyberattacks by foreign adversaries and other sophisticated entities is real and growing. As I mentioned on the Senate floor when we confirmed Mark Menezes, cyberattacks are only growing more sophisticated.
According to the latest Worldwide Threat Assessment from the Office of the Director of National Intelligence, China, Russia and other foreign adversaries are using cyber operations to target our military and our critical infrastructure. Those adversaries already have the capability to launch cyberattacks against electric and gas infrastructure. The COVID-19 pandemic has created a unique opportunity for cybercriminals to attack our networks, including critical energy infrastructure. The Department of Justice recently issued a press release announcing the indictment of two individuals backed by the Chinese Ministry of State Security. DOJ noted these two individuals not only targeted portions of our energy sector, including DOE's Hanford site, but also entities conducting research on a coronavirus vaccine. We cannot allow hostile foreign nations to disrupt our way of life. Energy is the lifeline for all critical infrastructure sectors, and protecting our critical infrastructure is the first step in ensuring its continuity. Unfortunately we have already seen the real-world ramifications of cyberattacks on energy infrastructure. This is most vividly seen in Russia's attacks on Ukraine. In December of 2015 Russian hackers cut power to nearly a quarter million people in Ukraine in an attempt to disrupt and intimidate. In December of 2017 Russian hackers infiltrated the industrial control system of a Saudi Arabian petrochemical plant and disabled the plant's safety systems. More recently, an advanced Russian government-backed hacking group is alleged to have probed a US energy entity's network, according to a release DOE issued in January. We all know the stakes. A successful hack would shut down power, impacting hospitals, banks, gas pumps, military installations and cell phone service. The consequences would be widespread and devastating, and only more so if we are in the midst of a global pandemic.
The federal and industry focus on cybersecurity is a major reason why the United States has not experienced an attack like Ukraine's. Protection of critical assets is a shared responsibility demanding that federal, state and private sector partners work together to improve cyber defenses and coordinate responses to cyberattacks. The FAST Act of 2015 contains provisions offered by our committee to codify the Department of Energy as the sector-specific agency for the energy sector and to provide the secretary with the authority to address grid-related emergencies. We also sought to facilitate greater information sharing by protecting sensitive information from disclosure. Our American Energy Innovation Act also has numerous sections to enhance government-industry partnerships and establish programs to enhance the cybersecurity of utilities. Most recently I introduced a new bill, the Energy Infrastructure Protection Act, to update provisions in the Federal Power Act and restrict federal disclosures of certain sensitive energy information. I know there are a few who may disagree with that approach, but the alternative, disclosing and displaying our vulnerabilities for our enemies, will hardly make us any safer. I'm pleased to welcome the testimony of this panel of witnesses who are on the front lines protecting energy infrastructure from cyber threats, so I thank you for being witnesses this morning, and now turn to my colleague, Ranking Member Senator Manchin.

Thank you to our witnesses for making yourselves available to join us in the effort to improve the cybersecurity of the sector. As a ranking member of the cybersecurity committee I am focused on the security of our energy infrastructure. The importance of our discussion against the backdrop of a global pandemic is not lost on any of us in this room.
The COVID-19 crisis has made our nation and the world acutely aware of the consequences of being underprepared for a catastrophic event and forced the energy industry to adapt to new challenges and vulnerabilities, with more employees working remotely. There are lessons to be learned from this moment in history about the need to invest in protections to avoid, mitigate and respond to events that challenge our resilience. You all know well the threats to critical infrastructure are serious. In recent months federal officials have warned of rising cybersecurity threats from China, and Russia has shown new interest in targeting US targets. Last month the National Security Agency and the Cybersecurity and Infrastructure Security Agency issued an alert urging critical infrastructure operators to take immediate action to secure their operational technology assets. Legacy grid systems were not designed to defend themselves against modern cyberattacks, and as they grow more and more connected to the internet our electric systems grow more and more vulnerable. On top of that, a recently issued report shows the energy sector suffers particularly high costs from state-sponsored cyber threats. Compared to the previous year, the costs of cyber breaches are up 14 percent, with an increased number of attacks targeting power grid infrastructure and in the magnitude of the damage caused. There's a lot of work being done across the sector to address cybersecurity challenges. I would like to highlight the good work of Senator King, who recently co-chaired the Cyberspace Solarium Commission. This commission issued a report identifying a number of recommendations to reduce the probability and impact of cyberattacks on critical infrastructure, which he presented to the Senate Armed Services Committee yesterday, and it was quite enlightening. The report is broad in scope, many of the commission's recommendations affect the electric industry, and I look forward to hearing about the impact today.
A few months ago the president issued an executive order directing the Department of Energy to identify foreign-made grid components that pose an unacceptable security risk to the US power grid. While I support this action, I was concerned about equipment manufacturers not being adequately consulted. We sent a letter to DOE about these concerns and are eager to utilize the invaluable knowledge and experience of manufacturers as they implement this executive order. Having industry representatives here today, I look forward to hearing how these engagements are going. There are certain opportunities for Congress to facilitate action in this space as well, and I'm proud the American Energy Innovation Act includes several pieces of legislation that support investments and programs that are of vital importance to securing and protecting vital energy infrastructure. The bill would strengthen public-private partnerships like those I know our witnesses will discuss today. It includes the PROTECT Act, which would establish incentives for electric utilities to invest in advanced cybersecurity technologies. I'm still committed to passing this comprehensive bipartisan energy package so these programs can be put into action. I look forward to hearing from our agency and industry witnesses today on what work needs to be done. Thank you, Madam Chairman.

Thank you, Senator Manchin. He mentioned Senator King on the Cyberspace Solarium Commission. Senator King is a member of this committee. You mentioned he had an opportunity before the Senate Armed Services Committee, so it is important to acknowledge the work. If you would like to make brief comments about that before we turn to our distinguished panel, you're certainly welcome.

Thank you, Madam Chair, and you outlined eloquently the danger, so I don't need to spend a lot of time on that. Everyone here knows the level of risk that we have before us. Let me tell you about the Solarium. It was created in the National Defense Authorization Act.
It was a national commission whose mission was to establish a comprehensive strategy to defend this country in cyberspace. The structure of the commission was somewhat unique: 14 members, four sitting members of Congress, myself, Senator Ben Sasse, Congressman Mike Gallagher of Wisconsin, a Republican, and a Democratic member of the House, a member of the Armed Services Committee from Rhode Island. We had members from the executive and six members from the private sector. One of the most valuable members of the entire commission was Tom Fanning, who is the CEO of the Southern Company, the second-largest electrical utility in the country. We had over 30 meetings, 90 in all our meetings, and talked about a whole range of cyber issues. Our report boils down to three simple points. One is reorganization, reorganizing and organizing our government to be responsive to this problem and not operate in silos. Secondly is resilience, how to strengthen our resistance to cyberattacks and how to build up our defenses, if you will. And the third is response: how do we develop a deterrent doctrine so that our adversaries have to feel that they will pay a price for attacking this country, even if it is below the threshold of the use of force. Energy of course is a major target. One of the challenging parts of this problem, which you and Ranking Member Manchin mentioned, is that this has to be a partnership between the federal government and the private sector. 85 percent of the target space in cyberspace is in the private sector. A lot of that is in the energy sector, and if there's one thing we learned from the pandemic it is that the unthinkable can happen. A significant cyberattack is not unthinkable. We know that it is being planned and we know it is happening today. I spoke to a utility executive who told me his system is attacked 3 million times a day. Now, today. This is not an abstract issue.
This is something we have to address. The commission made a number of legislative recommendations, more than two dozen of which we hope will be included in the final National Defense Authorization Act that is now headed to conference, and I want to thank the committee and the chair and the ranking member for their cooperation in assisting us in getting those provisions into the National Defense Act. There will be others we are discussing in the next few months in this committee, but I want to thank you for having this hearing. It is incredibly important. This is one of our prime issues and I look forward to the testimony of our witnesses, and again thank you for your work on this. If we work together we can defend this country.

Thank you for that brief summation, and to those of you, including Senator Sasse, who were part of an important commission. Let's turn to our panel this morning. One of our witnesses has joined us in person, thank you for that: Mr. Alexander Gates, senior advisor in the Office of Policy for Cybersecurity, Energy Security and Emergency Response, we call it CESER, at the US Department of Energy. We welcome you to the committee, Mr. Gates. With us virtually today are Mr. Joseph McClelland, the director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission. We welcome you. Mr. Steve Connor is president and CEO of Siemens Energy. We thank you for being part of this panel this morning, Mr. Connor. And Mr. Thomas O'Brien, senior vice president and chief information officer at PJM Interconnection. We appreciate that you have joined us as well and look forward to your input in today's discussion. We will go in the order that I have introduced. We will begin in the committee room with Mr. Gates. We ask you to keep your comments to five minutes; your full statement will be included as part of the record, and we will have an opportunity for questions from those of us present and those of us online.
Welcome. Thank you for your leadership in the Department of Energy. Please proceed.

Thank you, ma'am. Members of the committee, thank you for the opportunity to appear before you to discuss the Department of Energy's important work to protect energy infrastructure from cyber threats. Reliable, resilient and secure energy infrastructure is critical to US economic competitiveness, national security and our way of life. As the organization responsible for safeguarding the nation's nuclear stockpile and a member of the intelligence community, the Department of Energy is keenly aware of threats to our national security. Today that includes cyber threats to the energy sector. In the 2019-2020 Worldwide Threat Assessment, the Director of National Intelligence stated, quote, our adversaries and strategic competitors will increasingly use cyber capabilities to seek political, economic and military advantage over the United States and its allies and partners. China, Russia, Iran and North Korea increasingly use cyber operations to threaten minds and machines in an expanding number of ways, to steal information, influence our citizens and disrupt critical infrastructure. Within the department, CESER and the Office of Electricity form a nucleus that provides products and services to improve the energy sector's cybersecurity and resilience. Whether it is electricity, oil and natural gas or renewables, CESER endeavors to increase the infrastructure's resilience against all hazards through the following priorities: emergency response and recovery, expanding cyber discovery activities, creating high-fidelity situational awareness, providing more focused research and development, further solidifying our partnerships, and increasing workforce development efforts. The Office of Electricity is focused on long-term research and development to build a secure and resilient power grid.
The office has four strategic priorities: building advanced modeling capabilities, innovating in the field of megawatt storage, improving grid operations and performance through advanced technology, and securing and defending critical electric infrastructure. Some key initiatives that come out of those priorities include CRISP, the Cyber Risk Information Sharing Program, a public-private data sharing and analytic platform that facilitates timely bidirectional sharing of threat information among energy sector entities; the North American Energy Resilience Model, which is a modeling capability to analyze threats to the grid and other interdependent infrastructures and provides operational situational awareness; the cybersecurity testing for resilience of industrial control systems effort, which tests critical components to identify and mitigate embedded cyber vulnerabilities in industrial control systems within the energy sector; and of course Executive Order 13920, in response to the growing threat, authorizing the Secretary of Energy, working with other federal departments and agencies, to protect the bulk power system. Securing the energy sector is a complex endeavor requiring more authorities and, in some respects, an extreme level of collaboration to achieve. As sector-specific agency, the Department of Energy requires partners in order to make progress. Utility owners and trade groups are all very effective partners in this fight. They form the fabric of the public-private partnership that every day serves to protect the nation's energy infrastructure. Despite the progress made to date, cyber threats to the sector are real and outpacing collective solutions. Still more action is needed to make the energy sector more resilient in cybersecurity. Thank you for this opportunity to appear before your committee. I look forward to working with you to address the nation's cyber and physical security challenges to the energy sector.

Thank you very much for that testimony.
We will now go online to Mr. McClelland of the Federal Energy Regulatory Commission. Welcome.

Thank you, members of the committee. Thank you for the privilege to appear before you today to discuss the bulk power system in the United States. My name is Joe McClelland, director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission. I come before you as commission staff, and I should note this does not necessarily represent the views of the commission or any individual commissioner. The Energy Policy Act of 2005, specifically section 215 of the Federal Power Act, gives the commission authority to approve and enforce mandatory reliability standards for the nation's power system. Section 215 requires the commission to certify an Electric Reliability Organization, or ERO, as responsible for the review and approval of reliability standards to protect and improve the reliability of the system. The commission certified as the Electric Reliability Organization the North American Electric Reliability Corporation. Section 215 of the Federal Power Act provides for stakeholder development of reliability standards for the system. This process works relatively well, involving stakeholders, to address traditional operations and planning-related reliability issues that cause blackouts, such as improper vegetation management and failures associated with operation of the equipment. However, the nature of national security threats by adversaries attacking our nation's electric grid is significantly different from the reliability vulnerabilities that caused the regional blackouts and reliability failures we faced in the past. The disruption of electric service could quickly undermine the military and the economy as well as endanger the health and safety of millions of our citizens. To help mitigate these advanced, persistent and rapidly evolving threats, the commission uses a two-pronged approach regarding reliability.
With mandatory reliability standards as the foundation of practices, we work collaboratively with the industry, states and other federal agencies on best practices. Beyond the commission's foundation, there are additional measures that can and should be taken to improve cybersecurity posture in light of these threats. That is why the commission established our office, which partners with industry, states and other federal agencies to promote best practices for critical infrastructure security. With these organizations it helps identify new and emerging threats and assists with mitigating actions. It conducts voluntary architectural assessments of computing networks, doing everything from configuration of legacy equipment to application of state-of-the-art systems. Another example is working with the Office of the Director of National Intelligence and the Department of Energy, specifically CESER, to conduct briefings and exchange information with state and industry officials on the current threats the industry is facing and what can be done to address them. More broadly, we work with the Electricity Information Sharing and Analysis Center to rapidly issue bulletins and alerts informing industry of specific vulnerabilities and best practices. And as a final example, the office assists with planning and execution of tabletop exercises and participates in joint security programs with other government agencies. Just last week, National Guard units and participating utilities in New England states conducted exercises simulating cyberattacks on a utility network. Exercises such as this are critical to maintaining readiness and ensuring our ability to respond to cybersecurity events. Cybersecurity threats pose a serious risk to the power system and the important infrastructures that serve our nation. These are persistent and fast-evolving issues, and the commission adopted a two-pronged approach to best address these important security matters. Thank you again for the opportunity to testify, and I look forward to your questions.
Thank you, appreciate it. Let's next go to Mr. Connor from Siemens Energy. Welcome.

Thank you, Ranking Member Manchin and members of the committee, thank you for the opportunity to testify today. I'm Steve Connor, president of Siemens Energy, the US regional entity of Siemens Energy. We have more than 11,000 employees in the US supporting the country's grid operations, at 21 manufacturing, service and innovation sites. Our headquarters is located in Orlando, Florida. The United States is our company's largest market worldwide, and Siemens Energy equipment provides secure, resilient technologies that support one third of America's total daily energy needs. We have been working with our customers on solutions for the evolving demands of industry and society for 150 years. We've been a partner to the United States government, America's energy producers and energy providers for decades. We have a deep understanding of the safest and most resilient infrastructure technologies and processes to secure one of our most essential national assets: America's power grid. Industrial cybersecurity is at the core of our Siemens Energy business. Our products and solutions have industrial security functions that are built in by design and turned on by default. They support the secure operation of plants, systems, machines and networks of our customers. We use this experience and expertise to establish partnerships that advance cybersecurity efforts. I would like to share with you some examples of those collaborations with the public and private sectors. In 2018 we created the Charter of Trust, which is now a leading global initiative of companies and organizations focused on securing critical infrastructure. We are a founding member of the Energy Cybersecurity Alliance, a partnership of energy companies, manufacturers and service providers.
We have a dedicated team of seasoned security experts, called ProductCERT, that manages the receipt, investigation, internal coordination and public reporting of security issues related to Siemens products, solutions and services. Any vulnerabilities discovered are shared with our governmental partners. Just last week, there was a new collaboration to develop an industrial cybersecurity center of excellence. It will bring together the public and private sectors to develop innovative best practices that will serve as a model for deployment at other utilities. The Industrial Cybersecurity Monitoring, Research and Innovation Center will focus on detecting and defending against cyberattacks on critical infrastructure owned and operated by the largest state-owned electric utility in the nation. Successful solutions have the potential to be deployed and commercialized at other public and private organizations that operate critical infrastructure across the US. Supply chains are as important as cybersecurity; by ensuring the security of our supply chain we enhance the reliability, security and resilience of America's energy infrastructure. This depends on close collaboration and involvement with customers, partners, suppliers and governments around the world to secure cooperation. Some examples of our supply chain security policies and best practices include a supply chain management standard that performs regular supplier audits to address technical, operational and cybersecurity risks; managing, tracking and controlling access to confidential data, product development and source code both physically and virtually; not sharing any overall product development information with suppliers; and utilizing select qualified suppliers only, which includes testing their hardware, software and security, and only then including them in an approved component database. Lastly we perform civil and governmentally sanctioned background checks as necessary.
As you can see, Siemens Energy takes its responsibility to secure our country's critical energy infrastructure by collaborating with the public and private sectors very seriously. We are constantly looking for ways to engage the public sector, including supporting vendor-driven forums that would improve industry involvement and promote wider discussion on the vulnerabilities of supply chain risks. Thank you for inviting me to testify, and I, along with the 11,000-plus US employees of Siemens Energy, look forward to the continued collaboration necessary to keep the lights on in the US energy infrastructure.

Thank you, appreciate your time before the committee this morning, and let's go to Mr. O'Brien at PJM Interconnection.

Ranking Member Manchin and committee members, thank you for the opportunity to speak to you today on this critical topic. I appreciate the opportunity, and I appreciate the opening comments of the chairwoman and some of the things she covered, specifically around the Energy Information Protection Act, which is very important to us in the industry. I would like to thank my fellow panelists for their insights and contributions. I've worked with some of them in the past and really appreciate everything they do. My written testimony covers a broad range of topics, including the current approach to managing cybersecurity, partnership and collaboration, cybersecurity supply chain considerations, workforce and training, and long-term considerations. In my brief remarks I will leave you with a few takeaways for consideration and let the written testimony speak for itself. First, as has been highlighted by everybody, collaboration and partnership are essential between and among government, industry and service providers. It is essential and no one can do it by themselves. I would like to share a couple of examples. DOE and DHS lead the charge on classified and unclassified briefings. This is critical to industry for managing priorities and risk management.
The E-ISAC is a hub of information sharing in the electric industry. They continue to use all their information sharing programs and industry relies on that, and the Cyber Risk Information Sharing Program is a major sharing program, which is only one aspect of intelligence on our adversaries. DHS has a program for sharing threat indicators. I would like to echo what Joe McClelland said about risk management and best practices, and appreciate their support. I would emphasize the importance of protecting critical information, highlighted in the opening by Chairwoman Murkowski. Let's talk about the electric industry being on the forefront of compliance with cyber standards; they do it with industry engagement, and regional entities lead the audit process, which drives transparency and allows consistency. I also want to speak to one example: they are looking at a phase 3 security study at the moment, modeling major pipelines with physical and cyber scenarios, and we want to thank them for that. The second takeaway I would like to leave with you is that risk management must be informed by a clear understanding and appreciation of the adversary. Where is there likely to be an impact requiring adequate investment? On October 1st, 2020, the cybersecurity supply chain standard goes into effect, an excellent starting point for those risks and associated threats, and that will evolve. We are looking at the impact of the executive order, which has potentially sweeping implications for the procurement of electrical equipment and legacy equipment. It will have a significant operational, planning and market impact. Consistent with feedback from Bruce Walker, it would be a surgical approach. The final point I would like to leave you with is that metrics and key performance indicators are important to security operations. You can't improve what you don't measure, and you need to establish key targets to see how your progress is going; that will allow you to focus on transparency and continued improvement.
I'd like to thank you for the opportunity to appear before this committee. I look forward to your questions and appreciate the opportunity to talk about collaboration and partnership between government and industry; it is essential and no one can do this alone. Risk management must be informed by clear understanding and appreciation of the adversary, and finally metrics and KPIs are necessary for security operations. Thank you for this opportunity.

Thank you, Mr. O'Brien, and thank each of the panelists that have appeared before us this morning. Mr. Gates, I want to start with you in terms of my question. I think everyone on the panel this morning has mentioned the need and necessity for collaboration and partnership. But we all know it is one thing to say I will collaborate with you, but you've got to trust one another, and sometimes when we are operating in a world of cybersecurity you are not sure who to trust. As several have mentioned, the executive order on the bulk power system is going to require enhanced information sharing between the government and the energy sector, including utilities, vendors and manufacturers. If you can speak to, within DOE, how we can improve the protection of sensitive data it receives from the industry, and also how DOE can improve its trust of the private sector when sharing sensitive government information. Oftentimes what we will hear is that the industry is required to give the information, but they don't feel they have been fully read into the situation. And so again, collaboration and partnership are key and important, but also built on trust. Can you speak to both sides of that, please?

Thank you. I will address the protection of the sensitive information from industry. That is always a challenge, certainly as it relates to collecting data for the executive order, which will allow us to implement the executive order. It went out in July and August, and protecting that information is central to the program.
When you look at information sharing, when you look at analysis and data gathering programs, the program you may have heard of, the cyber analytics techniques program, those initiatives are central to understanding what is going on while sharing information in a way that is protected. The other part of that equation is the department and the government protecting sensitive information. We are designing systems and programs; the Department of Energy protects secrets and sensitive information in a number of endeavors, from science and research initiatives and the national labs to our nuclear stockpile, and this protection program in cybersecurity is another aspect of that. As it relates to the sector trusting us, that is a tough one, but if you just look at what happened in the last four or five months and our response to the pandemic, the sharing that we've had with the different councils, the use of shared information, we think the trust in this sector is growing. The government is figuring out how to take even classified information through a process, sanitizing it in a way that can quickly be distributed through either CISA or the E-ISAC out to the sector in a timely enough fashion that it makes a difference. We have a way to go until we solve the problem. It is a work in progress, but the trust equation is improving in favor of the government and the sector. We recognize that it has to in order for this all to work.

One more question; hopefully this one is relatively brief. Those of us on this committee have electric co-ops and municipal utilities that have benefited from DOE initiatives that focus on improving the cyber and physical security posture of those primarily served by rural electric co-ops and municipal utilities. Congress agreed to report language that encouraged continuing this initiative. Our energy bills also include language that encourages these types of public-private partnerships. We also establish a grant program to improve the cyber posture of smaller utilities.
Can you give us any update on the status of this initiative? Has any funding been released in this regard?

I will get the exact details on the status of the program to you after the session, but we are working very hard to make sure that it flows to the sector. Even outside of that program, small utilities are soft, in some respects, and we take great pride in certain research in developing programs that will be valuable, providing those entities the same level of protection as the larger utilities.

I appreciate that. That is something we recognize; there is a vulnerability. They may be small, but once you work your way in you can do a lot of damage, and recognizing the cost to small utilities is something we have been focused on. Let me turn to Senator Manchin.

Mr. McClelland, as you are aware, Senator Murkowski and I introduced the PROTECT Act to establish incentives for electric utilities to invest in advanced cybersecurity technology. The white paper exploring cybersecurity incentives offers several options that could work to achieve the objectives laid out in our bill. What are the next steps for considering cybersecurity incentive options, and can you share what the public comments have been?

Thank you for the question, and for your work on the bill and your continued support on cybersecurity. As you are aware, it was a white paper that went out on June 18 with a 60-day comment period, and there were two incentives. One was to exceed the current obligations under the Critical Infrastructure Protection reliability standards, where the entity went from a low designation to a medium or high designation. The other follows the framework established by executive order in February of 2013, whose purpose was to create a set of best standards for the critical infrastructure sectors, so the industry collaborated with government in producing the framework, in 2013 and again in 2018. The white paper proposes either or both of those alternatives, and we are awaiting comment.
I don't have the status of the current proceeding but would be happy to follow up with you. The next step is to consider those comments and use that as a mechanism to better understand where industry believes the most effective place for cyber incentives is.

A few minutes, if I can. Mr. Conner, we talked about deterrence. How do we deter other nations from hitting us in our grid system, which is vulnerable, and harming our country? Retaliation: what should we do when we know these perpetrators are trying to do all the damage they can? What deterrence should we take against these perpetrators? Should we hit back at their critical infrastructure, or give them a warning? What is the recommendation?

As was mentioned earlier, we can't have something that has no meaning, but from our standpoint, with the technology that is out there, we have to continue to fight this. It is not a matter of nice to have or need to have; this is need to have, and it changes daily. As far as deterrence, we don't look at that from Siemens Energy's viewpoint, but there is something we have to do to make it crucial for people who want to attack our grid system.

We would like your input to try to make sure we are not out of sync with rules of engagement, but we've used retaliation along with our nuclear response to let them know we would hit, and hit hard. In order to stop these attacks we've got to make sure they understand we will use whatever means we can against those who hit us and harm us, and we would love to hear from you.

If I could follow up: Presidential Policy Directive 21 designated responsibility to various departments and agencies to serve as sector-specific agencies and support the private sector in managing the risks to their respective critical energy sectors. This recommendation was incorporated into the House and conference versions. I support these discussions and hope they reflect the important role DOE plays in protecting the electric grid. Do you agree they provide the capability and expertise of a sector-specific agency?
Is there additional clarification DOE needs to fulfill its responsibility in this regard? How do you interact with the other sector-specific agencies to assure coordination, not duplication but coordination?

Thank you. I think in many respects the Department of Energy is a unique SSA, because not only does the sector know us, but we know the sector, and in many respects we are part of the sector. We manage the PMAs, so in some respects we are an operator. Those kinds of requirements are important to us: understanding what is going on and sharing information with our partners. That unique aspect of DOE is important; it gives us credibility in the sector and allows us to go at the cyber problem and other problems aggressively. You add our national lab complex with its talent and information, and it is important to serve a strong SSA role.

Thank you. We next go to Senator Cassidy, who is online.

Thank you, Madam Chair. Last we heard, one of the problems of information sharing is getting security clearances for partners in the private sector. Have you been able to better gain security clearances, to be better able to share this information?

I do not have an answer on a specific solution. Clearing the thousands of owners in a way that allows us to share this information is an incredibly difficult challenge. We have taken the approach that is more historic, trying to make the information still useful but not sensitive, so in a way that is useful to the sector but doesn't threaten sources and methods. It is a difficult challenge. It has been a difficult challenge clearing individuals who actually work in national security. It is one that we need to tackle, but I will give you an update offline on the status of that action.

I appreciate that. The gentleman identified the issue a year ago, and if what was highlighted a year ago is the Achilles' heel and now we can address that, that would be great. Nobody can do it alone.
We have a number of tools that we go out to our partners and customers with. When we take a look at, for instance, DOE, talking with them, we just had a meeting at the end of June with the Secretary and talked about what we can do on the order to help guide this along. But again, it's a collaboration that I think is good. We can always improve things, and we do continue to improve things.

I'm also very interested in counterfeit goods and the ability of counterfeit goods to basically serve as a sabotage instrument. You mentioned the quality control that you have now to prevent that from occurring. Can I ask, does any of your supply chain go through China? I say that because we know the People's Liberation Army has allegedly inserted chips into servers that would allow information to go back, chips only found with forensic engineering. So again, to what degree does your supply chain go through China?

Very minimal supply chain out of China. We do have facilities in China that produce for that market. That's on the larger part of Siemens Energy as a whole. What we go through, as I mentioned in my testimony, is that we actually have pre-approved vendor lists, and these vendors have to go through rigorous testing. We take a look at all their products.

I heard your testimony. Let me also ask: I have also become aware that having a network of vendors represents a security challenge for the parent company, if you will, in that they can work their way up the information chain into a prime contractor. Since we're concerned about the cybersecurity of our grid, and the cybersecurity of Siemens itself, I'm sure you have a number of cyber attacks as well. With this network of providers and vendors, how does Siemens avoid cyber espionage on what you're doing, and/or cyber sabotage?

We have a significant group, both in the U.S. and globally, that goes through and tests every day. We get attacked thousands of times a day. I think somebody mentioned earlier 300 million times a day.
I don't think it's that much, but again, ours is, we have an approved vendor list that we go through, and to the extent we find something, or from a compliance standpoint somebody doesn't meet that requirement, we kick them off. It's a significant amount of business that they would lose. As I mentioned earlier, we also do background checks, even through the government, on who we're going to utilize as vendors, et cetera, to make sure they meet all the requirements to avoid having any counterfeit parts in our systems.

Thank you, Madam Chair. I yield the floor.

Thank you, Senator Cassidy. Senator King.

Thank you, Madam Chair. There's one subject we haven't touched on today that isn't snugly within the jurisdiction of this committee, but I just mention it in this context, and that is the vulnerability of water systems. There was a recent alleged attack by Iran on an Israeli water system. It was defended against successfully, but with something like 50,000 separate water companies in this country, that's a risk that the Congress needs to address. Secondly, an issue that hasn't come up yet today is the gas pipeline system. In New England about 60 percent of our electricity comes from natural gas, and all the natural gas comes through the pipeline system. At least in our region, and I suspect in other areas of the country, the pipeline system is part of the energy grid. You can protect the energy grid, but if the gas can't get through for some reason, the lights are still going to go off. My concern is that TSA in 2005 was given the authority to regulate the pipeline system. They were given the authority to issue regulations, which they never have, and I'm reminded of Lincoln's famous letter to McClellan: if you're not going to use the army, perhaps you could lend it to me for a while. If TSA is not going to use its authority, perhaps we should give the authority to somebody who will use it.
Because this is an enormously important part, and it is relying in part on voluntary self-regulation. I just don't think that's adequate given the level of risk. I know that there is an interest in this. This is something I very much want to follow up on.

A couple of more specific questions to our panelists. Mr. O'Brien, do you red team your system? Do you do that to see whether you have vulnerabilities? Do you have hackers for hire to test the security of your system?

Thank you for the question, Senator King. We do a couple of things. One is we do continuous red teaming, and we partner with an outside firm that is constantly probing our system and looking for issues. Secondly, we do what we call compromise assessments. We brought in a top forensics company to comb through our network looking for issues. Finally, we do internal audits, penetration testing, and all of that I guess we do. Thank you.

That's reassuring, and I want to ask Mr. Gates and Mr. McClelland the same question. I was very disturbed a year or two ago when, at a hearing on the subject, I asked the fellow from NERC about red teaming and the answer was "I don't think so," or something to that effect. Do you, as the agencies that are looking after this incredibly important infrastructure, do penetration testing and red teaming on the networks that you're responsible for? Mr. Gates?

Thank you for the question. In the context of the federally owned assets, the PMAs, there is red teaming and other kinds of security measures that are taken to verify certain aspects of the defenses of the system.

What about the private systems that are part of your responsibility?

In that respect, that's where the ESCC and other forums are important, where we can advise and consult and recommend defensive services such as red teaming.

So the answer is no, you don't do this yourself.

We don't do it ourselves, and we are not designed to provide that service.

Wasn't CESER designed to protect the grid?
It's designed to protect the grid, yes, sir.

But isn't protecting the grid determining whether it is safe?

It is, but using the authorities and the resources that have been allocated to do that mission, which we believe we are operating within, we could do more; perhaps we should do more. I don't know if it gets to the level of pen testing or red teaming. There are certain people on my staff who would love to take that on. But again, right now, with the role, responsibilities and authorities we have and the partnerships, it's an advisory service that we are providing.

If you need additional authorities, I hope you will take a question for the record to let us know what additional authorities you need. I don't see how you can carry out a mission of protecting the grid without testing the grid's vulnerability. Mr. McClelland, I didn't get a chance to follow up; I want you to take the same question. Finally, Madam Chair, I just hope that we could follow up this hearing with a hearing on the natural gas pipeline system, because I think it is a crucial part of our energy system and I'm very concerned that we don't have the level of standards, testing and examination on that system that we have on the grid. Thank you very much, and I appreciate it. I yield the floor.

Thank you, Senator King. And know that I certainly agree in terms of our energy infrastructure as it relates to our pipelines. I don't see Senator Gardner, who I know is popping in between three hearings this morning, so let's go to Senator Hyde-Smith.

Thank you, Chairman Murkowski, and thank you to the panel for witnessing today, because your witness and testimony is very valuable to this committee. Your insight is important, and I appreciate you all taking the time and being with us today. My question is for all of you. It is well known that our nation's critical infrastructure is under constant threat of attack from our adversaries, as we've been discussing.
Couple this with the aging and fragile nature of the systems running critical energy delivery systems, and you have the potential recipe for disaster with our aging infrastructure. I know a lot of time and resources are dedicated to implementing the best practices and standards to secure these assets. However, best practices and standards don't often stop increasingly sophisticated bad actors for long. In your judgment, how much more should we be investing, in time and in resources, in recruiting private or government entities that specialize in protecting the energy sector and counteracting these threats? We will start with whoever wants to start first.

Thank you for the question, Senator Hyde-Smith. Investment is always a tricky and difficult question, particularly from the government perspective when you have, you know, so much private ownership of the entities. So finding the right balance is a challenge. I think I can say, as you stated, we are not investing enough, but how much of that should be public or private investment is a fair question. As Senator King mentioned regarding pen testing, there are other security services that can be provided to identify threats. I think what we're doing in the department to create products like NAERM, the North American Energy Resilience Model, and DCI, I think those are things that are helping, but more can be done on the ground to help, to provide more analysis to identify threats more quickly and mitigate them. What the investment looks like, I can't say; I know it's not enough. The system is large and expansive, and with such different kinds of stakeholders. Some stakeholders can invest a lot on their own, and then you have some with limited budgets, so it's a complicated problem that needs to be addressed, but it will require more investment.

Senator Hyde-Smith, this is Thomas O'Brien, and I would add to what Alexander Gates discussed. You brought up a good point earlier that there are legacy systems and other older systems that are out there, and we need to protect our systems.
And I would go back to what we talked about earlier around the cybersecurity framework. We know how sophisticated the adversaries are, and the first bit is to be able to protect assets. We need to be able to detect when a bad actor has gotten into our systems, and we need to be able to recover and respond when that happens. That will require increased investment by everybody, and I think it needs to scale based on the risks that you have. Just a short answer; that would be my feedback. Thank you.

Thank you.

If I might add one other perspective. [inaudible] In many cases these networks are large and complex, having tens of thousands of points. One of the recommendations we make, because the challenges have become so sophisticated and so rapid as far as their movement, is that the utilities consider hiring outside expertise, contractors that would assist in an emergency. If their systems were breached, if they were having difficulty, bringing in outside contractors would probably help reconfigure and arrange those networks so they could be more resilient, better able to come back online. It wouldn't be a matter of trying to scramble to find a contractor that could provide some assistance at the last minute. We need to focus this more towards the private sector to say we can provide incentives. We're seeking comment about how this incentive and the cost recovery structure would best benefit the private sector, but at the same time we are offering recommendations about the issue that you raised.

Thank you very much. My second question, yes, Senator, I'm sorry. I think someone else is going to respond.

In my response, companies of all sizes need the technology, workforce and the resources to manage these attacks on critical infrastructure. Cyber attacks are not going to be going away, and we need to defend against them and make it a priority.
[inaudible] [inaudible] [inaudible] We are working from a decent base with the CRISP program, the briefings that we provide, and our collaboration with the IC. The IC, the Intelligence Community, is of course critical. It is better to engage the adversary outside of our networks instead of inside. That shouldn't be the first point of engagement, and so the IC's role in that is critical. That's not just my bias because that's where I sort of grew up. But the collaboration is getting stronger. It needs to get better, it needs to be seamless, and it needs to be real-time. The Solarium Commission proposed some things that kind of speak to that, but I think more can happen on information sharing. You mentioned the trust issue earlier; when you're talking about Intelligence Community sensitive information and sharing it rapidly, those are oxymorons in some respects. We need to do more to figure out how to get useful sensitive information into the hands of network operators so they can make decisions and take action. It's a work in progress. I would gladly provide you a list of recommendations on how to improve that process.

Thank you very much.

Thank you, Senator. Let's go to Senator Cortez Masto.

Thank you. Thank you so much for the important conversation. I thank the chair and the ranking member. Let's talk about workforce. I know, Mr. Gates, in your testimony you highlighted that one of the priorities is to build a superior workforce. And Mr. O'Brien, in your testimony you also highlighted that the future success of electricity depends on the next generation, including cybersecurity analysts. Let's start with both of you, and Mr. Gates, we will start with you. Can you speak more about DOE's efforts and methods to deliver on your goal of building a superior workforce? And then Mr. O'Brien, I would ask you to also talk about the importance of the need for building the cybersecurity workforce across both the public and private energy sector. So, Mr. Gates.

Thank you, Senator. This is a challenge for the country.
Most of the estimates are that even at current rates we're going to be short of not only IT cybersecurity professionals, but it's even starker when we talk about industrial control systems. We have started a number of initiatives, CyberForce, for example, to help with training those who are inclined to enter the space as a profession. We think there's more that can be done. So we're looking at models similar to the Centers of Academic Excellence at DHS and NSA. We think there's a carve-out possible for those who are inclined to go into the defense of industrial control systems. Using our national lab complex, we actually started this year a collaboration with one of the military academies to do internships to give them training. We think there's just more. This is something where not just the department but the government and the private sector will need to invest to give the experienced senior and junior engineers, those already in the business, more training, and build on-ramps for those coming out of college or in college to enter the business, so we can build not only a cybersecurity workforce but one that is geared towards the energy sector.

Thank you. Mr. O'Brien, your thoughts on what more we can be doing.

Thank you for the question, and I think you are highlighting a really good point, that the supply and demand on cybersecurity resources is somewhat problematic. From our perspective, we are looking at growing talent from inside where we can, and we have established things like rotational development programs, really teaching people the business and teaching the different technologies so that they can fight the cybersecurity issue. The other thing we have done, and it has yielded some pretty good results, is some great partnerships with academia. We've had great partnerships with DOD and DOE, and really engaging our workforce on that. They've done a nice job with the workshops, and you have to commit to getting your people to those so they can learn.
The other thing I referenced in my testimony was, I think, when you look at diversity and inclusion as an opportunity to unpack potential, that's something we're doing at PJM. Thank you.

Thank you. I cannot stress that enough. We've had hearings where diversity and inclusion is key to increasing that workforce, and it has not been tapped into, so thank you for that. Mr. Gates, I want to highlight the fact that just in June of this year the University of Nevada, Reno, where I graduated from, their cybersecurity center, and DOE's Nevada National Security Site announced a partnership for cybersecurity research and collaboration. I can't thank you enough for that. Most importantly, I am excited because it gives the opportunity for a number of graduate and undergraduate students to engage and have hands-on research, education and training for career development. I think more needs to occur, so I just applaud you; I'm taking advantage of that, so thank you. I know my time is almost up. I will submit the rest of my questions for the record. Thank you.

Thank you, Senator. Continuing on those questions regarding the workforce, Mr. O'Brien, I know that we've had conversations here this morning about supply chain security. You have spoken to this issue, as has Mr. Conner. But not only does PJM purchase from around the world, so we think about supply chain, you also hire employees, contractors and consultants that come from other places around the world. How can you be certain that you are not hiring an insider threat? How do you address that challenge?

First and foremost, it's very difficult, because a foreign adversary that has intent may very well find ways to get in. But the things we do: we do pretty good security background checks, and that's both for the contractors and for employees. The other thing we do is, obviously I wouldn't get into details, but we have an insider threat program where we are looking at the activities of what's happened inside our walls.
Those are things that are very important, because if you put your head in the sand around the insider threat, it can be problematic. But I would just summarize it with good background checks, good interviewing, good references and making sure you have a solid cyber threat program.

Thank you. Mr. Conner, do you want to add anything to that?

Yes. Thank you for the question. I think we make sure we do the background checks as well, and we also, because this is relatively new, have actually been setting up programs with universities to try to run a curriculum for how we get the training there, more homegrown. We don't like to bring in people from the outside to be doing some of this work for us. I think you could take a look at the programs we have put in along with universities for the training; it's gone a long way for us.

I appreciate that. Let me go to you, Mr. McClelland, and this is with regards to how we protect sensitive data. On an annual basis FERC requires electric utilities to submit detailed data on their power grid operations. Form 715 requires utilities to submit maps as well as data in electronic format. We acknowledge that this data is critical energy infrastructure information and is treated as such. The first question goes to your policy of releasing the data to the public on the basis of the public's right to know. I think we are all in favor of levels of transparency, certainly. In general, the public does have a right to know, but when it comes to schematics of critical energy infrastructure, it seems reasonable to me to be perhaps a little more circumspect here. Should FERC consider changing its policy regarding the release of this critical energy infrastructure information to a need-to-know basis?

Thank you, Chairman. We appreciate the question. FERC has to balance, or must balance, the right to know with the sensitivity of the information. The program that we conduct provides necessary but limited release of that information.
In addition, all requesters are required to submit in writing, to attest and demonstrate, their need for this information. FERC then verifies that request. It can do so with business references and online tools, and verification then requires the execution of a nondisclosure agreement. That nondisclosure agreement carries with it sanctions if it is violated. Those sanctions can include loss of access as well as criminal prosecution. To date, FERC is not aware of any individual that has violated, intentionally violated, that nondisclosure agreement.

How does FERC audit how members of the public use that CEII information that they have received? Is there a follow-on? You mentioned the nondisclosure agreement. They then receive the information. What then happens next, in terms of just ensuring that there has been the level of compliance?

FERC doesn't actively monitor those that have signed nondisclosure agreements and received information, but FERC has investigated allegations that nondisclosure agreements have been violated, and followed up on that appropriately.

So is it your view that perhaps FERC should look to strengthen the provisions of the nondisclosure agreements?

To date, the nondisclosure agreement process has worked. As I said, we are not aware of any intentional violations of the nondisclosure agreement by those who have received CEII information.

Let me ask, I know Senator Manchin asked about the white paper that FERC recently did. In the white paper there is an observation that the standards-making process for the mandatory reliability standards, quote, does not lend itself to addressing rapidly evolving cybersecurity threats, close quote. Does Congress, or does FERC, need to change the development process for these standards?

I'm glad you asked the question, Chairman. That's why FERC uses a dual approach. The reliability standards, although they can become best practices, are not required to be best practices.
In the context of these advanced persistent adversaries, specifically targeting our most critical infrastructure facilities with precision and with advanced tools and techniques, the commission has found it necessary to use a dual approach. That is not to say the process isn't working, because it is providing excellent foundational standards that really are a shining example across all the infrastructure types. Those are foundational practices. We've heard this earlier from several senators. The commission has recognized the need to convey this sensitive information to our utility partners so that they can quickly react to it. In that context, I just want to highlight one small example. We do work very closely with the Director of National Intelligence and the security center. They convey [inaudible]. The process could take a year or more to conduct; we can get, and we have gotten, state officials and industry officials quickly cleared, and then brought them in for group classified briefings and working sessions to make sure they understand the threats. We then identify the best practices, and they go out and take care of that. In the meantime, FERC considers whether it is appropriate to follow on with actions and activities pursuant to the reliability standards.

Let me ask you one more question, on the white paper as well. Do you think that the white paper's proposal of financial incentives for the industry will be helpful, or will it just serve to increase rates? You've got the potential for a trade-off here between higher rates and better protection. And so is that the answer in terms of that protection, a financial incentive?

We hope so. We didn't solicit two separate mechanisms to which industry can react; we did propose them, and it's back to the incentive. The fundamental is just three questions that summarize this issue succinctly. The third question is, do you know where best practices belong? Not all facilities are created equally.
Some facilities are extremely strategic in nature, and you can bet that's where our adversaries will be targeting. We hope and believe that the white paper that we developed, the application of those incentives, can be used to target those critical facilities to deny the adversary access and the future exploitation of those facilities. That would also be cost-effective. Instead of requiring everyone to establish a best practice and follow the best practice as a mandatory requirement, we can strategically select those facilities and then apply these best practices to them. We are hopeful we can get great comments back on that white paper. We're very hopeful.

I'm sure you'll get comments. I appreciate that, Mr. McClelland. I'm going to give my colleagues an opportunity for a second round, but Senator Risch has just joined us. Senator, if you'd like to ask a question before we turn to Senator Manchin.

Thank you, Madam Chair. Cybersecurity is really important, and obviously this committee has overlapping jurisdiction with a number of other committees, with everybody, I guess, that's right. In Idaho we are particularly sensitive to all this because of the laboratory. The Idaho National Laboratory, as we know, is the birthplace of nuclear energy in America, and it's been the flagship for nuclear energy in America and in the world. Now the flag is going up for cyber, because at the INL they have some unique capabilities that really call out for them to be the flagship lab also for cybersecurity. This is the result of their decades of experience in control systems. Obviously, since it was the birthplace of nuclear power, control systems played a very, very important role as they went forward building the 52 different experimental, prototype and actual nuclear reactors that were built at the laboratory. Those control systems were critical, so they have got great expertise in that regard, plus some participants that are important.
The result of that is that the INL is moving forward very rapidly in the cyber space. I've got a question for Mr. Gates I would like to ask, and have him talk to us a little bit about the role that the INL and the other labs are playing in this regard. As we know, earlier this year the Cyberspace Solarium Commission released dozens of recommendations to better secure the nation from cyber attacks. Very important, because this is so critical in our infrastructure and everything else. The Department of Energy national laboratories are playing a key role in this effort to move these recommendations forward. In Idaho we have the INL, and it is the only national laboratory explicitly mentioned in this report, and that of course is because of its expertise that I just described and also because of its outsized and growing role in cybersecurity. The question I have for you, Mr. Gates, is, as Congress looks, as we all in Congress look to implement many of the recommendations in this report, can you please talk a little bit about what you think the role of the INL can be in that regard, and the role that any other labs might play in that regard? The INL certainly has a unique place and unique capabilities, but I'd like to hear your observations in that regard.

Thank you, Senator Risch. The INL, in many respects, particularly in the area of control systems, is first for CESER and the department, but the sector relies on many labs. If you look at what we're doing with NAERM, you know, there are eight national labs that are collaborating on that project, which will allow us to update situational awareness on the grid. INL is one of them, but INL has really taken a leadership role on some of our critical programs. We are going to be testing systems down to the component level to look for and eliminate vulnerabilities. That program, INL is best suited for it.
It was designed with INL in mind, and what it's going to allow us to do is push the adversary further out of the infrastructure using that and other programs. It's going to allow us to execute the executive order, and it is a key component of DOE's ability to implement 13920. Just this year, I mentioned earlier that we sent a few Coast Guard cadets to INL for an intern program, and we think that's a model for how to get training into the hands of those who will be helping us defend control systems, whether they're controlling a weapon system or controlling part of critical infrastructure. That is one of many programs where we rely on INL's expertise, even in classified settings. There's work that is just uniquely suited for INL that many of the other national labs can't do. It's almost a superpower for the Department of Energy, our ability to rely on national labs to help us solve problems and then get them into the sector. Thank you very much, and I appreciate your reference there to the national security matters and also the classified nature. Sometimes when I'm home and I'm trying to explain to people what they do at the INL, I tell them about some things and can't tell them about others, but even the ones that are classified are critically important. Thank you for your work, I sincerely appreciate it. Thank you for holding this hearing, Madam Chairman. Appreciate it. Thank you, Senator Risch. I should note I've been out to INL, have seen some of it, can't talk about it. Senator Manchin. Thank you, Madam Chair. To Mr. Gates and Mr. Conner, I mentioned earlier I am pleased to see DOE taking steps to ensure safe and secure supply chains. However, in moving forward, if DOE finds grid equipment that is at risk, or equipment that could be part of a prequalified list, it's important the manufacturers of electric equipment are utilized for their knowledge and expertise.
I know the executive order established a task force to engage with the energy industry, but manufacturers were not included in the process. So, Mr. Gates, would DOE consider how to establish a task force that will look to the manufacturers of the electric equipment to inform DOE? I'd like to get a response back, and is DOE engaging with these stakeholders? Thank you for that question, Senator Manchin. Since the issuance of the executive order, DOE has held over 90 calls, not only to the asset owners, but that also includes manufacturers. So they are part of the equation. And even as part of the program, which is a key part of the executive order, we have already signed two companies. We're engaging others directly and having the conversation. A lot of those discussions are in the context of the broader vulnerability identification and elimination aspect of the executive order we also talked about. Over 3,000 individuals have engaged the department since the issuance of the executive order. Some are manufacturers, a lot of utility owners, suppliers, so we're comfortable. We have taken the letter to heart and we are making sure we are covering all our bases. We are comfortable with our engagement strategy so far, and we seek to do more than that because we do want to be thorough. It requires a partnership. We can't go it alone, so your letter was taken to heart. Thank you, sir. Mr. Bryant, as the largest grid operator in the country, I appreciate PJM taking cybersecurity seriously. The states and utilities that make up the territory, which includes my state of West Virginia, vary a lot in their ability to address the cyber grid threats, leaving an important role for PJM to make sure the system is not made vulnerable by any one actor who doesn't live up to the standards you're asking for. My question would be, what are the biggest risks in the PJM territory you're concerned about, and what have the grid operators learned from what you've been able to address with these threats?
Thank you, Senator. I think from my perspective, really from an operating control aspect, the biggest risk to PJM is a significant compromise of our members. We rely on information and data that comes into PJM, and we run all types of real-time analysis to keep the lights running, but if there's any case where the telecommunication system is down and we can't get that data, that information, I think that's a real high risk. May I add to this: are you able to run scenarios that you can test to see if they are up to standard even if they're reporting they are? Do you do kind of cyber tests, if you will, to see if you're able to get into their system, or basically show there are still some vulnerabilities? We don't do that. That's something we don't feel is in our jurisdiction based on how we operate. We do collaborate with them, but no, we don't. Let me ask Mr. Gates. From DOE, I mean, if our systems, whether West Virginia or any other PJM states or other areas of our country, if they're actually not hardening the system to protect against cyber attacks, how are you able to detect that? Do you wait until something happens, or do you all check to see if they're doing it? There is a reporting mechanism in place, but as for who is checking right now, I can't say. If I want to find out if you did what you told me you did, I would have one of my smart people try to hack into it and see if I could show a hole there. So we need these types of tests. I think that is fair. If you look at some of the work they're doing in the sector and the department, and the advice from FERC and NERC, there is a mechanism to engage, but as far as overseeing the implementation of certain things in a private utility, again, there are some limitations in the current authorities. Again, I would ask PJM: how do you all plan to continue monitoring these evolving risks if you really can't check to see if they've been hardened and it can't be done?
I think the thing we rely on relative to our members is NERC compliance; they're all held to a standard and held to an audit. We are counting on that. We do a lot of collaboration and best practice discussion, but it is not within our jurisdiction to red team or try to hack into their systems. I will have to check with NERC then. I will check with somebody to see if somebody is checking anything. Thank you, Madam Chair. Thank all of you. Thank you, Senator. Senator Hoeven has joined us. Thank you, Madam Chairman. First question is to Mr. McClelland. As consumers, we benefit from the ability to monitor, especially during extreme weather events or a polar vortex. We now see more centralized monitoring on the grid and so forth, which presents opportunities but also risk. Mr. McClelland, what steps have you taken to manage reliability and cybersecurity risks with these new technologies? So as owners and operators of the power grid, these facilities may be subject, would likely be subject, to reliability standards, but the reach of certain special systems affects all our systems. That's where the commission's jurisdiction is under section 215. If these resources interconnect, they're held to the minimum standard. In addition to cyber, we do have a program, a collaborative program, that is available to any entity. We will do an onsite assessment of their facilities, identify vulnerabilities, and provide the system with mitigating actions. It's the same level of accountability that all generation resources under the commission's jurisdiction would have. Does Congress need to provide FERC with additional authorities to make sure FERC is continuing to detect and improve the reliability of the power system? The commission now is using a deliberative approach, where we're establishing baseline standards for cybersecurity through the NERC process, but this is open and deliberative, and its position reflects best practices.
On the other side, we're collaborating very closely with the intelligence community, that would be our friend Alex Gates, to stay current on those threats, and we are actively engaging with industry to push out this information so they can be aware of the threats. This bill would actually add to that authority, would add to our voluntary assistance work with industry by providing us with additional authorities. For Mr. Conner: how do we continue to strengthen relationships between the public and private sector to make sure information is shared and also protected from inappropriate use? This question is for Mr. Conner. Thank you for the question. I think, as I mentioned earlier in my testimony, if I just take a look at the partnership that we have done with Michael, that's more on the public side. That was just last week, and it's to develop the new think tank with it. I also take a look at all the partnerships that we have in the private sector with some of our vendors and our supply chain management. As I also testified earlier, we make sure that, despite all of that, we actually do testing on hardware, software, security testing, everything that we get out of our suppliers, as well to cover that side. It's collaboration; we talked about it earlier. Nobody gets there by themselves, but we continue to collaborate and communicate across the board. And then for Mr. Gates, do you believe the Department of Energy has sufficient visibility over the nation's energy delivery system to properly address the threats and vulnerabilities? Thank you for the question. I'm not sure anyone has the visibility to address all threats. If we had that visibility, whether it was the department or the private sector, we would be doing more to develop solutions and push the adversary further away from our infrastructure. But that's why investments in developing other tools, and why information sharing through the ISAC and other mechanisms, are so important, but we do need better tools.
We need better sensors, and we're investing in that. We need better analytics, which we're developing at the national labs, pulling all that together to have better situational awareness, high fidelity answers. We have not achieved it yet, but it is a goal, and it is a pressing goal for the department. Is there additional assistance Congress can provide, resources, in your opinion? [inaudible] There's always more room for additional support; targeted support and specific programs that allow us to develop some of the solutions more rapidly are always effective. Making it easier for us to fund pilots to work with the national labs, with the private sector. There are pretty interesting developments in private industry, tools that are useful for us. Even that requires integration and testing. So clearly the whole sector, including the department, could use more support. But you don't have a specific in mind? I do have specifics in mind, and I would gladly provide those to you offline. All right. Thank you very much. Thank you, Madam Chair. Thank you, Senator Hoeven. Gentlemen, we appreciate the discussion that we've had here this morning. I know Senator Manchin and I have no further questions. Senator King, do you have anything further you wanted to add? Yeah, just two things. First, Senator Manchin, in your usual commonsense way you put your finger on something very important which we talked about earlier, which is red teaming, or hackers for hire, or penetration testing, whatever you're going to call it. We need more of it. We need authority to do it. Mr. Gates' agency, perhaps at FERC: people can certify that they are secure, but there's no way to really test that until you really try to penetrate the networks. I have asked Mr. Gates to supply us with what he feels he needs in the way of additional authorities to make that happen. I want to associate myself with that question. Another question that hasn't come up today, and I don't know whether this should be to Mr. McClelland or to Mr.
Gates, but isn't distributed energy, that is, the generation at the home or in the neighborhood, which is now available to us in part due to the use of solar, isn't that part of a national security solution, to try to avoid the risk of the giant grid with the giant generating plant, that if it goes offline everybody goes down? Is anybody thinking about that? Mr. Gates, is that something you all have looked at? Senator King, it is something the department is concerned with, particularly when we look at some of the grid modernization initiatives. Baking security into that modernization, whether microgrids and so forth, is an important aspect of it. But there are those who also believe that if we don't bake in security, we're distributing the problem. Those systems are still dependent on technologies that could be vulnerable, and it just changes the nature of an attack, makes it... But if you have a solar array on your house that supplies your needs, you don't care if something happens to a generating plant 200 miles away. That's my point. It seems to me there is a resilience, redundancy kind of effect to it. I realize integration into the grid and all those technical questions, but the whole history of our electrical system has been centralization. We are now at a place where technology allows us to decentralize, and it seems that could be an important advantage in terms of securing electric supply to individuals and businesses. Mr. McClelland, have you guys looked at that at FERC? Thank you, Senator, for the question. In some ways, and to Mr. Gates' point, in some ways the addition of new technologies, new systems, especially supply chains, can complicate security. However, to your point, there's a vast reduction of dependency associated with a self-sufficient plant.
So I think, speaking for myself, so long as the facility is secure, is abiding by the best practices to counter those adversarial attacks, it certainly makes it easier to protect a self-contained, fuel-secured facility such as renewables versus one that depends on other types of infrastructure to produce generation. Thank you. Thank you, Madam Chair. I appreciate it. Really instructive hearing, again, and I appreciate the input that we've received not only from those within the department, the agencies, but also the private sector. Can I say one thing? Angus, are you still on? Angus, I know you asked directly of DOE if they could check by basically hiring the real smart people we talked about, to be able to find out if we are on our game or not. Right. How about with PJM? If they are the carrier, you're one of the largest in the country, there in my state, all of my state. Should they not... I asked PJM the question, and I think, I think the response was that they do testing and red teaming. Isn't that correct, Mr. O'Brien? I thought that's what you said. Clarify. We do extensive red teaming on our own system. We do penetration testing on our own system. What we don't do is red teaming or penetration testing on our member companies' systems or data close to us. That's a little nuanced to the question. You don't have jurisdiction for that, is that why you are saying you don't do it? No. Angus, that gives us something else to work on. Again, I think FERC has a role in that as well with the compliance. Thank you. That's your vulnerability. You can be secure here, absolutely. I just want to thank Angus, Senator King, and Congressman Gallagher for what they've done the last two years. Truly amazing, and it needs to be brought forward; it's pure commonsense, and we have to do all that we can. Maybe this is something we could work with Chairman Schiff on to get some of these barriers broken down so we can do thorough checking and thorough testing. Thank you.
I think we recognize that the threat from cyber, whether it's to our energy systems or any aspect of really our economy, there is vulnerability that we recognize, and again, we were talking about collaboration, talking about partnership built on trust, and so how we can help facilitate that is important. And when you can't trust, you have got to test. Trust but verify. I think this is some of the conversation that we had here today. There are some requests that committee members have made that, Mr. Gates, you acknowledged you would be able to provide to members of the committee in response. We look forward to that as well. If other members have further questions for the record, we would hope that you would be able to respond, but we appreciate the time you have given us and the information that you have provided us as we focus on this critically important aspect of protecting our energy sector. With that, the committee stands adjourned. [inaudible conversations]