
This is a House Energy Subcommittee hearing. It's about 2:15.

Subcommittee will now come to order. I want to thank all the members and the witnesses for appearing before the subcommittee this morning. The chairman will now yield five minutes to my great friend, Mr. McNerney from California, for five minutes.

Good morning, Mr. Chairman, I thank you for yielding me the five minutes and I thank the witnesses for coming this morning. It's an incredibly important issue that we needed to care a lot about and make good policy on. We're meeting today to discuss the state of cyber security in the grid and the continuing threats facing America's energy infrastructure. We continue to see increasing threats to the grid originating both at home and abroad. I'm glad to see the DOE and FERC and others taking steps to address the growing dangers posed by nefarious actors. Our energy grid serves as the backbone of our economy, touching every aspect of our lives, and a reliable grid is also crucial to our national security and for a clean energy future. For lawmakers to encourage and enable innovative advancements that we can improve the security and reliability of our nation's electric grid, we must work on a bipartisan basis and actively engage with industry leaders as we are doing today here. Fortunately the modernization and innovation of our energy infrastructure is already under way. What was once a one-way delivery system has evolved into a dynamic network where information and energy flows both ways. Technological advancements are both are also born from the need to secure the energy grid against potential physical and cyber threats. For example, technology allowing for the rerouting of power and quick response in the event of attack is being deployed across the grid. The cooperation among federal, state and local governments is essential to protecting Americans and our nation's infrastructure.
Given today's cyber environment it's more important than ever that Congress pursue policies that continue to foster these exciting developments and support our grid infrastructure. This is an issue that I am very passionate about and vulnerable components any vulnerable component is a threat to our physical and national security, making it imperative that we invest in grid modernization and security. That's why I'm proud to co-chair the bipartisan Grid Innovation Caucus with my good friend from across the aisle, Representative Bob Latta from Ohio. Together we're focused on providing a forum for discussing solutions for the many challenges facing the grid and to educate members of Congress and staff about the importance of the electric grid with relation to the economy, energy security, advanced technologies being utilized to enhance grid capabilities. This work has informed our introduction of two bills on the topic, both of which have already been marked up and advanced by this subcommittee. Their aim is to bolster America's electric infrastructure by encouraging coordination between the Department of Energy and the electric utilities. My bill, which I introduced along with Mr. Latta, H.R. 359, the Enhancing Grid Security through Public Private Partnership Act, would create a program to enhance the physical and cyber security of the electric utilities through assessing security vulnerabilities and increasing cyber security training and collect data. It would also require the interrupt cost estimate calculator, which is used to calculate the return on investment on utility investments, to be updated at least every two years to ensure accurate calculations. Mr. Latta's bill, which he introduced along with me, H.R. 360, the critical Cyber Sense Act, makes important headway in protecting our critical electoral grid infrastructure. It would create a program to identify cyber secure products for the bulk power grid through testing and verification program.
The bulk power system supports American industry and provides all the benefits of reliable electric power to the American people. It is essential that we make this system as secure as possible as cyber attacks do pose a serious threat to the electric grid. Any vulnerable component in our grid is a threat to our security and this bill will go a long way to strengthening that system. I thank Mr. Latta for his partnership and looking forward to working with him. I also want to take a moment to mention my support for H.R. 362, the Energy Emergency Leadership Act, sponsored by Chairman Rush and Mr. Walberg. This bill would establish new DOE assistant secretary position with jurisdiction over all energy, emergency and security functions related to energy supply, infrastructure and cyber security. Finally I want to mention my support for one more bill on this topic, H.R. 370, the Pipeline and LNG Facility Cyber Security Preparedness Act, sponsored by Ranking Member Upton and Mr. Loebsack. This bill would require the secretary of energy to establish a program relating to the physical security and cyber security for pipelines and liquefied natural gas facilities. As the bills I had mentioned show, our committee is uniquely positioned to examine the issues before us today as we work to put America on a path to better securing our electric and utility system. Now I yield back to the chairman.

I want to thank the gentleman and, on a point of personal privilege, the chair was originally scheduled to be at home in Chicago this morning for the funeral of one of my dear friends, Ms. Jada Russell, a trusted friend and colleague and supporter, and due to inclement weather last night my flight was canceled so I couldn't go. Mr. McNerney graciously agreed to sit in the chair for me last night when I wasn't going to be here this morning, but I'm here now and so I want to thank Mr. McNerney personally to be willing to sit in the chair with me in my absence, but as you can see I'm here. Thank you.
I appreciate the sentiment and I also appreciate the confidence that you've shown in me, Mr. Chairman. Thank you very much.

The chair now recognizes Mr. Upton, the ranking member of the subcommittee, for five minutes for the purposes of an opening statement.

Thank you, Mr. Chairman, I'm sorry to hear about your friend and I'm grateful that you didn't get on that plane because I drove home through that storm last night and I don't think that plane would have had a lot of yeah. Smart. Today's hearing continues the subcommittee's ongoing oversight of cyber security threats to the electric grid, a priority that all of us have had. While this is the first hearing specifically on the topic this year, the subcommittee has been raising questions about persistent and emergent threats to the electrical grid in closed briefings and in hearings with federal officials and others over the course of this session. Building on the work that we've done over the last couple of Congresses. It is unquestionable that ensuring the reliable supply of electricity is vital to our nation's security, economy, our health and welfare. Electricity enables telecommunications, financial transactions, the transport and delivery of energy and agriculture, it powers the infrastructure that delivers our drinking water, it enables business and industry to make and provide the goods and services of our modern society, it powers our hospitals, our households and everything else. But let's face it, the U.S. has the world's most complex electric grid and while we have a well-developed system of grid operators to ensure that the lights stay on, we're confronting new challenges every day and adapting to a changing generation mix, new technologies and consumer preferences. We're also responding to new threats and working to strengthen the cybersecurity of the nation's grid.
The integration into the system of new digital technologies that are essential for keeping up with our nation's energy needs constantly add vulnerabilities. Other vulnerabilities are being added with increasing dependence on pipeline infrastructure by will electric generating units, combine that with a rapid expansion of cyber capabilities by more of America's adversaries and safeguarding transmission infrastructure remains particularly urgent. Many of the federal oversight and regulatory structures in place today that ensure that the system can mitigate and respond to cyber, can be traced to this committee's legislative work. In '05 we authorized FERC, the commission the North American Reliability Corporation NERC to enforce reliability standards and coordinate activities among industry and the feds to confront cyber threats. In 2015 in committee wrote provisions including the FAST Act to strengthen DOE's energy sector specific authorities and to facilitate sharing of the threat information between private sector asset owners and the federal government. As a federal agency with expertise on our nation's electricity grid and the cybersecurity threats against it, it is imperative that we arm DOE with the tools and authorities to protect our electricity system from the transmission lines to the very generating stations and their pipelines. Most recently we developed legislation to elevate DOE's functions oversees cyber security and to improve information sharing, emergency planning and other technical activities in this jurisdiction. That legislative work is continuing, but unfortunately or but fortunately the department has used its own authorities to implement, enhanced leadership over cyber security and to improve interagency coordination. Against that backdrop today's hearing provides a great opportunity to update the subcommittee on what these agencies are doing to advance cybersecurity practices, protections and response planning.
Looking forward to hearing from Assistant Secretary Karen Evans, who heads the DOE Office of Cybersecurity, Energy Security and Emergency Response. She testified in September last year, she had been on the job for just a couple of weeks. Though she brought long federal experience to the table as soon as she sat down. So I look forward to discussing DOE's current work, how it's exercising its coordinating role over a cyber security threat and to learn what challenges she sees going forward and how she plans to address those challenges. It will also be helpful to hear today from the regulators of the electric grid, Andy Dodge, who heads FERC's Office of Electric Reliability, and from Jim Robb, who heads NERC. Both these entities serve at the front lines of regulatory oversight of electric grid infrastructure protection, I'm particularly interested in learning what measures they're working on to address threats to ensure best practices and to coordinate response to cyber incidents. The risk of massive blackouts can be hard to think about, but the cyber security realities of today require that we face these risks head-on, that we be sure that our agencies and appropriate groups have the tools in the toolbox and the information that they need to address the risks and what they're prepared for the consequences of successful attacks. Thank you, Mr. Chairman, for this hearing. I yield back.

The gentleman yields back. The chairman now recognizes the chairman of the full committee, Mr. Pallone, for five minutes for the purposes of an opening statement.

Thank you, Chairman Rush. Today we're here to get an update from federal agencies about how they are addressing cyber threats to our electricity grid. We know our adversaries are rapidly developing new techniques to compromise and attack our grid so it's vitally important that the federal government and the electricity or the electric industry remain vigilant in ensuring the grid is secure.
Our committee has been conducting robust oversight on this important topic in a bipartisan fashion for years. Today's hearing is a public forum to discuss how the federal government is addressing cyber security challenges but the committee also is continues to receive closed-door briefings on the issue to understand more classified matters. Our witness and their respective agencies all take cyber security of the grid very seriously and I believe Secretary Perry made the right decision in creating the position of assistant secretary for Cyber Security, Energy Security and Emergency Response to focus specifically on these pressing issues. Last month the subcommittee favorably reported out legislation introduced by Chairman Rush and Mr. Walberg that would enshrine in statute this position at DOE. I look forward to bringing this bill and other cyber security bills up. We must be active and vigilant when it comes to cyber security because time is of the essence. In March we had the first reported malicious cyber event that disrupted grid operations of a western utility. Thankfully there seemed to be very little effect on the transmission grid and no customers lost power, but we must stay ahead of anyone who is a cyber threat. And I appreciate the work of FERC and NERC to continue enhancing critical infrastructure protection standards like the rule last October to bolster supply chain risk management. This rule implements new reliability standards that respond to supply chain risks like malicious software by requiring responsible entities to develop and implement security controls for industrial control systems, hardware, software and services. These are the types of important forward-looking actions we need to proactively protect our grid against attacks. While this hearing today is not specifically about pipeline cyber security, I'd be remiss not to mention how important that is to our grid system.
We have a reliable pipeline system but we never want to find ourselves in a different situation. So I remain concerned about the lack of resources and expertise at the Transportation Security Administration's pipeline security program. I look forward to hearing from DOE about possible ways this he could help address these safety gaps. As I've said before, if TSA continues to devote scant resources or attention to these matters we must look at other options to keep our pipes secure. Thank our witnesses for being here today as we discuss this critical security issue. With that, Mr. Chairman, unless someone else wants to talk, I yield back.

The gentleman yields back. The chairman now recognizes the ranking member of the full committee for the purposes of an opening statement.

Good morning, Mr. Chairman. Good morning. Delighted to have the witnesses here and have this hearing. By any measure the reliable supply of electricity is an essential part of anything we do. In today's highly interconnected and digital world the threat of cyber attacks, the reliability of electricity is ever present and it's growing. One of our responsibilities on the Energy and Commerce Committee is to review and where necessary revise laws and policies that concern the reliable delivery of energy. This is part of the committee's black letter jurisdiction and it's something that we all take very seriously no matter which party is in the majority. This morning's oversight hearing continues its important work and focuses on the status of efforts to address cyber security threats to the electricity grid. We will hear testimony from our witnesses today, you are key players in keeping the lights on. Department of Energy, Federal Energy Regulatory Commission and the North American Electric Reliability Corporation or NERC.
Each of your organizations has a role in supporting effective information sharing, technical assistance, standard settings, oversight of standards, implementation, sound engineering practices, all of that as it relates to the bulk power system. I look forward to hearing updates from witnesses, especially on coordination and sharing among federal entities and industries. That's always been an issue and continues to be. Our passed over sites the emergency cyber security responsibilities over the energy sector, includes providing, supporting, facilitating technical assistance to identify vulnerabilities and mitigate risk. I have seen some of the work firsthand in our national labs, especially in the Northwest, Pacific Northwest National Laboratory in Washington state, out to Idaho Falls to the National Laboratory. Terrific people working in the labs, doing amazing work on behalf of the country. They provide the analytical tools that are proving helpful for all kinds of industries and systems we rely upon. Learned last year new sharing tools, what's called Cyber Security Risk Information Sharing Program or CRISP, have proven helpful identifying systemic cyber attacks across the energy sector. I would be interested to hear from NERC and DOE how this approach is being expanded broadly as relates to supply chain risk, operational technology systems, switches and supervisory control, embedded in the grid. We know as more connected devices and grid technologies are added to the grid, vulnerabilities continue to grow. Information sharing is central to strong cyber defense. This is important as energy systems are more interconnected. Republican leader Fred Upton noted repeatedly how because the nation's pipeline systems, heard this from others, are an integral part of the system, harmed pipelines means harmed supply of electricity. We have to think about pipelines as part of the larger energy system rather than a piece of hardware or mode of transportation.
While pipelines fall under separate regulatory regimes, Department of Energy must maintain visibility over pipelines to ensure delivery of electricity to consumers. They're all interconnected. That's why the committee is pushing to codify the emergency response role and strengthen the department's capabilities to monitor for cyber threats and provide technical assistance to industries. Also important to enhance coordination of response should attacks succeed at a large scale. Members on the panel had the benefit of briefings in the past few years to understand emergency response exercises in the electric sector. An update on these exercises will be useful today. We look forward to that. And testimony this morning will underscore risk to critical infrastructure from nation states and other bad actors is increasing. This means technical assistance, information sharing, and deployment of innovative technologies and best practices to get ahead of threats is ever more urgent. We must be sure critical infrastructure protection standards are up to date, flexible to meet the risk, and make sure we are providing federal agencies tools needed to serve the industry and nation more effectively. We have a real responsibility here, and hearings like this help us do our job better. Mr. Chairman, thank you for having this oversight hearing and again to the witnesses, thank you for your testimony, guidance of counsel. You will improve our work. With that, I yield back the balance of my time.

The gentleman yields back. The chair would like to welcome our expert witnesses for today's hearing. From my left, the Honorable Karen Evans, she's the assistant secretary of the Office of Cyber Security and Emergency Response, and U.S. Department of Energy. Next to her, Mr. Dodge. He is director of the Office of Electric Reliability for the Federal Energy Regulatory Commission. Seated next to Mr. Dodge is Mr.
Jim Robb, president and chief executive officer of the North American Electric Reliability Corporation. And I want to again thank all of the witnesses for being here with us today. And we look forward to your testimony. But before we begin, I have to give you a tutorial. I would like to explain the system. In front of you is a series of lights. The light will initially be green at the start of your opening statement. The light will turn yellow when you have one minute remaining. Please begin to wrap up your testimony at the yellow light. The light will return bright, bright, bright red when your time expires. And with that said, Assistant Secretary Evans, you are now recognized for five minutes.

Thank you, sir. Good morning, Chairman Rush, Ranking Member Upton, members of the committee. Thank you for the opportunity to discuss a continuing threat facing our national energy infrastructure. Focusing on cyber security, energy security, and resilience of the nation's energy systems is one of the energy secretary's top priorities. By the administration proposing and Congress affirming the Office of Cyber Security, Energy Security and Emergency Response, the secretary has clearly demonstrated commitment to achieving the administration goal of energy security and more broadly national security. Our nation's energy infrastructure has become a primary target for hostile cyber actors, both state sponsored and non-state sponsored. The frequency, scale and sophistication of cyber threats continue to increase. Cyber incidences have potential to disrupt energy services, damage highly specialized equipment, even threaten human health and safety. The release of the president's National Cyber Strategy, NCS, in September 2018 reflects the commitment to protecting America from cyber threats. Department of Energy plays an active role, supporting the security of our nation's critical energy infrastructure and implementing the NCS.
The efforts reflect a concerted response to emergence of energy, cyber security, and resilience as one of the nation's most important security challenges. Fostering partnerships with public and private sector stakeholders is of the utmost importance to me as assistant secretary for CESER. Risk reaction difficulties in seven areas, including national security and energy and power. DOE securities for the energy sector align or critical infrastructure section of pillar one, which is protecting the American people, the homeland and the American way of life under the category to prioritize actions according to identified national risks. In the energy sector, the core of the critical infrastructure partners is represented by the Subsector Coordinating Council, ESCC. Oil and Natural Gas Council, and the Energy Government Coordinating Council, EGCC. The ESCC and ONGCC represent their respective industries. EGCC, led by DOE and DHS, is where interagency partners, states, international partners come together to discuss the important security and resilience issues for the energy sector. This forum ensures we are working together in a whole of government response. It is critical for us to be proactive, cultivate a security energy network of producers, distributors, regulators, vendors, public partners. Acting together to strengthen our ability to identify, detect, protect, respond, and recover. The department is focusing cyber support efforts to strengthen the energy sector cyber security preparedness, coordinate incident response and recovery, accelerate game-changing research, development and deployment of resilient energy delivery systems. DOE maintains a close relationship with FERC and NERC to be sure they have the relevant information to execute their missions. DOE
holds regular discussions with the three energy sector information sharing and analysis centers, which include the downstream natural gas, the oil and gas, and electricity, to share emerging, potential threats and to disseminate information. Establishing CESER is the result of the administration's commitment to prioritizing energy security and national security. CESER is collaborating to protect our nation's critical energy infrastructure from all hazards, including this growing cyber threat. Our long term approach will strengthen our nation's national security and positively impact our economy. I appreciate the opportunity to appear before the committee to discuss cyber security in the energy sector and I applaud your leadership. I look forward to working with you and respective staff to continue to address cyber and physical security challenges.

I want to thank you, Madam Secretary. Now I want to recognize Mr. Dodge for five minutes for purposes of an opening statement.

Thank you very much. Good morning, Chairman Rush, Ranking Member Upton, members of the subcommittee. Thank you for the opportunity to testify today. My name is Andy Dodge, I am director of electric reliability at FERC. Through my testimony I will refer to that as the commission. I am here as commission staff witness, my remarks don't represent the views of the commission or any individual commissioner. Today I will provide a brief overview of the commission's authorities and activities to help protect and improve the cyber security of the nation's power system. Our work includes mandatory reliability standards, audits of those standards, and sharing of best practices. We work closely with North American Electric Reliability Council or NERC, regional entities, state and federal agents and entities that carry out this important work.
As a result of the Energy Policy Act, 2005, section 215 of the Federal Power Act, NERC is responsible for developing and proposing new or modified reliability standards to the commission. The commission oversees NERC's development, enforcement of critical infrastructure protection standards or CIP standards. The original set of standards were the version one standards. They were actually developed in 2006 and became enforceable in 2010. They're continuously reviewed and updated to address new cyber security threats and challenges as well as technological changes. We are in version five of the overall standards currently. There are currently 11 active cyber security standards and one active physical security standard. In all, there are over 200 distinct requirements. The CIP standards are requirements that constitute a defense in depth approach to cyber security based on an assessment of risk. Importantly, the CIP reliability standards are objective based, responsible entities are free to choose compliance approaches best tailored to their individual systems. The foundational standard in CIP requires each utility perform risk assessment of its assets, then to categorize the assets in the low, medium, high impact to the electric grid. The other CIP standards require utility companies to develop cyber security plans, train personnel adequately, establish physical and electronic access perimeters, and apply patches in a timely manner, identify, report cyber security incidents, and develop and implement recovery plans amongst other things. Recently, the commission further enhanced the CIP to address supply chain risk and incident reporting. Although NERC and regional entities are primary authorities for CIP standards, since 2016, they have sampled utilities with respect to compliance to version five of CIP standards. They issued two reports that describe lessons learned from audits and best practices.
By publishing lessons learned reports, we hope to help other utility companies to help with compliance of CIP standards as well as cyber security. In addition to mandatory reliability standards, the commission has adopted voluntary initiatives overseen by the Office of Energy Infrastructure Security. They engage with partners in industry, states, other federal agencies to develop and promote best practices for cyber security. These include architecture assessments of interested entities, classified briefings for state and industry officials, and joint security programs other federal government agencies in industry. In conclusion, protecting the electric system from cyber and physical threats is important to securing the nation's critical infrastructure. They're taking a standards or mandatory approach and collaborative voluntary approach to ensuring reliable and secure operation of the grid. I thank you for the opportunity to testify today and participate in this hearing and I very much look forward to answering your questions. Thank you.

Want to thank the gentleman. The chair recognizes Mr. Robb for five minutes.

Thank you Chairman Rush and members of the subcommittee. This is my first appearance in front of the committee as NERC CEO since taking the job last year. You noted in opening comments how foundational electricity is to modern society and all of us here on the panel, NERC, FERC, Department of Energy, we all take our job of strengthening the reliability and security of the fabric of the industry seriously. We know the citizens of the United States and neighbors in Canada and Mexico depend on reliable electricity for daily life needs. To date, there's no successful cyber attack that resulted in loss of load in the United States. While we're proud of that statistic, we'll never rest on our laurels as the consequences noted are significant.
As a result, the electricity sector has taken the cyber security threat extremely seriously, put in place a robust system to protect critical infrastructure. We find that boards and executive leadership play strong support, focused on security as one of the top issues. Unlike the day in, day out job to reduce risk to reliability, cyber risks emanate from adversaries that use multiple techniques to attack the grid. It requires a multi-pronged approach. The approach includes mandatory, enforceable reliability and security standards, information sharing, partnerships with sector specific agency, Department of Energy, as well as other government entities, DHS, DOD, to confront rapidly developing threats, and engagement with industry. Together they form a solid foundation of best practices and strategies to confront this ever evolving threat. With respect to standards, our critical infrastructure protection standards provide common foundation for security. Our standards are developed using subject matter expertise from industry, reviewed and approved by the independent board of trustees, by the FERC. CIP standards require companies to establish plans, protocols and controls to protect critical systems against cyber attack, ensure personnel are adequately trained on cyber hygiene, report security incidences in a timely manner, effectively recover from events. Standards evolve with increased understanding of threats. Recent updates to the CIPs address supply chain risk, and improved cyber incidence reporting and cloud computing. Noncompliance is subject to penalties, at times significant, requires CEO execution and board level reporting. Standards are just one important element of a comprehensive strategy. Because security threat, must maintain constant situational awareness, real time communication. That's where robust information sharing comes in. That's a service we provide through the Electricity Sector Information Sharing and Analysis Center or E-ISAC.
Operated by NERC, working in close collaboration with Department of Energy and Electricity Subsector Coordinating Council, it is the central hub for sharing of information in the electricity sector. It communicates with over a thousand electricity organizations, via secure portal, with critical information provided by industry and government. Through that, we manage a terrific information sharing program called CRISP. CRISP uses innovative technology developed by Department of Energy in national labs to monitor cyber activity, and developed the capability to rapidly declassify insights from CRISP within 24 hours to communicate insights to industry. They cover 75 of U.S. customers. It is shared beyond CRISP members, all members can benefit. We also conduct biennial drill called GridEx. It is the largest security exercise for the electricity sector. Conducted every other year in partnership with ESCC and government partners, it simulates a widespread coordinated cyber and physical attack, designed to overwhelm even the most prepared organizations. And exercise their ability to respond and recover. And we invest in education and outreach. We conduct webinars, and all points bulletin to indicate threats to industry. For the most serious threats, a NERC alert provides precise information and mitigation strategies to industry, in many cases reporting back on successful threat mitigation. Annual grid security conference has proven to be a terrific training and outreach engagement program for NERC, government partners, key industry security officials, key vendors to engage and learn from each other. I thank the committee for being here.

With that, we are concluding the opening statements from the witnesses. And we will now proceed to members questioning. Each member has five minutes to ask questions of our witnesses. I will start by recognizing myself for five minutes. Assistant Secretary Evans, it is great to see you this morning before our committee once again.
And as you know, I have sponsored H.R. 362 which would codify your position within DOE as a new assistant secretary position with jurisdiction over all energy emergency and security functions relating to energy supply infrastructure and cyber security. So we look forward to passing that bill up and out of the House, and hope the president will sign it subsequently to it passing in the Senate. We want to be invited to the celebration when you're sworn in as assistant secretary. But I have a question for you now. Currently there appears to be some overlap, some tension among some federal agencies as regards to who is responsible for cyber security when it comes to protecting the energy sector. What makes DOE in unique position to take on a leading role when it comes to technical expertise, knowledge, experience, and resources in protecting the energy specific sector? Why is DOE uniquely positioned to address all those issues? Well first, thank you, sir. And when it is signed, we will invite you down for the celebration. Everyone on the committee. We applaud your leadership and forward leaning into this important issue. Where DOE is uniquely positioned for this is the partnership that DOE has as the sector-specific agency out through the entire sector as well as state and local government. What's even more unique about the Department of Energy is the national lab structure and leveraging capabilities that the national lab has. So when you hear maybe there's some tension, I don't know if there's tension, it is specific expertise of the energy sector. That's why the administration has us as a sector-specific agency, under the PDD and national cyber strategy as it goes forward.
There is clarity we continue to work through as to the incident response and how that should work, but I think there's no disagreement in the executive branch that this is an important sector and that the public, private partnership is critical, and leveraging the national labs' capabilities and our understanding in the energy sector makes us that lead, why we are the sector-specific agency for the energy sector. Today we have not experienced large scale cyber attacks on our energy grid. That said, we know that Russia and China and even Iran are running up their capabilities to potentially attack our energy grid and cause disruptions to our economy. And I know that DOE takes these potential threats very, very seriously, but are there any areas where Congress should provide more assistance in the form of authority, resources, or anything else that you might think of? I would like to hear from Mr. Dodge and Mr. Robb, whether there's anything more that we can do to help you all protect the grid from foreign attacks. Secretary Evans? I appreciate the opportunity to answer that question. As I outlined in my testimony, it is clear from the worldwide threat assessment what the DNI said about our adversaries' capabilities and what they can do in the energy sector. When we look at it from a national security perspective, what the department is doing, I think the key area really is the partnership and then the information sharing. And so as we're implementing national strategy, we're looking to clarify roles and responsibilities to specifically answer the question that you posed. Do we need more legislative authority, do we need as a government, what is that administrative package that needs to come up here so we can have that information sharing in a way that will facilitate and ease some of the issues that industry may feel that they have going forward.
One area we're also working out that we're looking at is under the FAST Act, you have given the secretary authority once the president designates grid emergency, what exactly is involved in that, how we would then move private industry resources to deal with a national emergency. At that point industry has also expressed and is working with us how some additional liability protections may be needed. The time is expiring. Will you respond in writing to that question? Chairman now recognizes Mr. Upton for five minutes. Thank you again for your testimony. I have a couple of questions. I'm going to try to get through them all. I know that we had exercises on grid security that have been I think very helpful. Can you tell us what are some things you learned from that, number one, and also whether we've had exercises actually on pipelines, cyber attacks on pipelines in terms of an exercise? As specifically relates to pipelines, we have done a joint exercise with FERC in a classified setting to really exercise at that interdependency, see what weaknesses we need to shore up. There are lessons learned. There are things we are applying, taking forward in the whole of government approach and I would yield over to FERC if they would like to speak more about the exercise that happened. Thank you. The only thing I would add about the exercise, it was actually a DOE-led classified security briefing, and it was actually a joint tabletop drill between DOE and FERC, and of all electric officials, RTOs, ISOs, it was a rather extensive event. There were lessons learned as Miss Evans indicated, it was a classified briefing, and items from those were actively followed up on. Do you plan on doing any of that this year? Calendar 19 or 20? Is there another date set or not? So let me hop in here.
We will conduct the fifth GridEx exercise this November, a multi-sector exercise, highly focused on the electric system, will also involve communications and fuel supplies such as natural gas. You asked about and that exercise again is a continent-wide overwhelming attack. It is designed to break everybody's system, to push them to the limit, so they understand where their vulnerabilities are in terms of response and recovery. One of the things we're doing this year in the executive tabletop is to take a strong focus on a narrow region of the country and start to focus in on the operational coordination that would be required between gas pipelines, the communication sector, utilities sector, probably even the finance sector in what would be involved in restoring the system after such a catastrophic event. And follow-up question. Was TSA involved at all with the exercises? They have been invited to participate this year, and I believe they will be. Have they participated in the past or not? TSA participates in all of the activities that we do from a government perspective. So we did they actually had a person there? Yes, sir, yes, sir. They have a representative there, two weeks ago also, we had the Oil and Natural Gas Subsector Coordinating Council meeting out in Oklahoma City. TSA actively participates. We work directly with the industry to actually go through the initiative and update that we have jointly announced with the oil and natural gas that happened last October. So TSA, transportation, DOE, Department of Homeland Security, we're all there leveraging our resources to look at the pipeline security and how to make it more robust.
So I'm looking at a statement, sorry I didn't print it out, saw it just a few minutes ago, it is reported I think in Politico this morning that TSA administrator is talking they want to be more involved, they realize they're in essence short staffed, and likelihood of operating under a continuing resolution, which means they won't be able to expand anything beyond what they had in fiscal year 19, and as we learned a few weeks ago, they only have I think four people out of 50,000 that work on pipelines. I just question the substantive role they might have, knowing that we have entrusted you all to work together with enactment of the FAST Act, and really appreciate the work you do. I look forward to supporting the legislation to make you someday a portrait hanging deal as an assistant secretary. With that, Mr. Chairman, I yield back. The gentleman yields back. The chair now recognizes Mr. Peters for five minutes. Thank you, Mr. Chairman. Thanks to the witnesses for being here. Miss Evans, first of all, I appreciate we're in a nonclassified situation, you'll obviously tell me if you can answer my questions. Do you know how many cyber attacks the electric grid sustains on a regular day, average day? So DOE continuously monitors across multiple things. So it depends on how we talk about a cyber attack, and so we are in constant communications, and we constantly monitor what is happening in the state of the sector as a whole. So beyond that, I'm happy to come back in a more appropriate setting to give you more details, if you'd like. Well, you didn't tell me a number. Do you know the number yourself? That's why I said it depends on how how do you define the attack? Yes. And how you want to quantify. Are you able to determine how much of the activity is coming from state actors? So, again, I would be happy to talk about that more, but yeah.
The way that we are designing the systems I'm not asking you to tell me do you know whether it's coming from state actors. Is that something you don't want to answer here? I would like to answer that in a more appropriate setting. Let me move on to something else. Maybe Mr. Robb to follow up with a question that the chairman asked of Miss Evans about what needs to be done now from Congress. Do you it's my observation we rely heavily on the utilities private companies to deal with this. And when they came to speak to us last Congress, they suggested that the thing that they needed most to modernize the grid, not just related to security, but to modernize it was research support from Congress that they wanted to be sort of left to their own to be able to innovate, which I think is generally appropriate. How do you how comfortable do you feel that individual utilities are able to handle these attacks? Is there anything you think Congress should be doing to back it up in terms of security? I'm not sure I caught the entire question with the door closing. But the point I would make in response to the chairman's question is the biggest issue for us is were sort of threat actors or so forth is of less interest. What is of interest is the attack vectors. The most important thing for us is for government to be able to more rapidly declassify information to get it into actionable insights that we can get out to industry. Industry doesn't need to know the origins or sources. We need to know the whats. I think the whats and whos are tied up. I think that clogs the machinery up. That would be the most important thing that I would see government being able to do that would facilitate better information sharing and better awareness in industry. Rapid declassification, and or broader availability of security clearances. Real-time ability to share information on outgoing attack? Absolutely. Right.
How should what should be the responsibility the legal liability for utilities fending off these attacks? Suppose something gets through because of the weakness of a particular utility? What incentives do we have to make sure they're carrying their weight? I'm probably not the best expert to talk about legal liability. What I would say in response to the question is that every CEO I know of, and this goes from the largest IOUs to the smallest public powers, take this threat seriously. So they right now I think they all do everything that makes sense for them in their situation to protect against these attacks. It's my observation that unless I appreciate that. I think that's probably something that every CEO wants to avoid, but unless there's a bottom line impact, sometimes it doesn't filter through the culture of the entire company. I like the way that we rely on private innovators to deal with these problems. I think often they're better situated than the government. But on the other hand, we have to provide the incentives through the private industry to make sure that they do emphasize this as a business matter, and I guess my time has expired. We'll have to continue that conversation later. Thank you again for being here. The chair now recognizes the ranking member for five minutes. Thank you. As you can see, Mr. Chairman, it's dangerous protecting the grid. I'm just saying we all have to do our part. Mr. Robb, in addition to reports of Russian and Chinese cyber activities you referenced news reports in recent weeks that Iran may threaten retaliation. And that could include cyber attacks on critical infrastructure. Can you briefly walk through how the owners of the bulk power system prepare when they see something like this in the news? Are they ready for it?
First, I believe that the utilities are on kind of constant alert, because they know that they're a great attack target for foreign adversaries, and so I think the security establishment within the utility sector is topnotch. And I think always on alert. In the case of the situation surrounding Iran, as soon as we were made aware of the situation, we had an all points bulletin we put together in concert with DOE, with an appropriate level of declassification of insight that we had out within three hours. In recent months, the U.S. and its allies have been addressing security concerns about Chinese telecommunications technologies such as Huawei. This raises questions about the use of similar questions in the power system. If you both could address this, which we intend to deploy out to the sector as a whole so that they can then start looking at their own suppliers and then on top of that, the last piece is that the department has announced an advanced manufacturing initiative which is looking at things in the long range for all the innovative technologies, all the different things that are happening so we can make sure we're looking at that up front as we are then forevering these technologies. Will that give purchasers of technology in the systems? Will that give them can you give them an assurance that what they're buying is certified safe? It is as well as saying that equipment over there may not be? The idea of our programs to be able to go for it, which actually married the same type of approach you've taken in the legislation is a voluntary participation. So leveraging the capabilities of the labs and looking at the test beds, it is publishing, and then us working and jointly with the National Institute of Standards to do the widest distribution of that information so you could then become an informed consumer. What you'll see is industry partners who are actively participating.
For example, NIST has a very active cyber center of excellence that the energy sector and the industry partners are actively participating. I want to know as a simple consumer here, I realize that's not who's buying this equipment in the power grid, but will there be a stamp of approval url approval that this equipment meets the standards. You can rest assured it is it has no back doors, no chips that are that is what we hope to be able to identify jointly through the advanced manufacturing institute. So do we have an outcome in mind? Not necessarily. But it will evolve through the advanced manufacturing. Some of this equipment is in different telecommunications systems today. Absolutely. And it gets expensive to take it out. You don't want to buy the next piece of equipment to replace it and then somebody says by the way, that's not good either. And so we want to avoid that. I only have thirty seconds, but please take it. On the last point, we think a supplier certification program is smart. The work the DOE is doing is terrific. There's industry groups trying to come together to create a similar program. The initial question around the list of suspect companies, were first, we issued an all points bulletin in March in response to the Defense Authorization Act provisions around the suppliers. Alerted industry to that fact. We gave them some time to get their head around where some of the technologies might be deployed in their systems. Next week we'll be issuing what we call a level two alert which will require industry to inventory all the instances they still have of those devices, communicate back to us their mitigation strategies around them, and we'll have that information by the end of the summer. The chair now recognizes Mr. McNerney for five minutes. From California. From the great state great nation of California. Again, I thank the witnesses. Mr. Robb, you testified as of yet there have been no successful cyber attacks on the utility system.
That's a great achievement of your office. I appreciate that. Miss Evans, are you aware of any cyber attacks on our utility grid to be used on future attacks? I would reference back to the unclassified version of the worldwide threat assessment. I think that the DNI has been very specific about what our adversaries' capabilities are. I specifically quoted in my testimony, and I also have it memorized. It's at the bottom of page five and the top of page six. He was very clear about what the capabilities and what our adversaries can do. Thank you. Mr. Robb, concerning information sharing, is the security clearance of utility officials an obstacle to effective data sharing of cyber security information? I would say yes. Just the number of individuals who are waiting for a clearance that don't yet have them is a problem. How can we remedy that problem? I don't have the answer to that question, but it's a problem that needs to be resolved. Okay. Let's collaborate on that a little bit. Miss Evans, you know one area of a foundational problem is the cyber security workforce development. What is CESER and the DOD doing to train workers against these kinds of threats? I appreciate the opportunity to highlight the work we're doing there. We have the CyberStrike training, and the executive order that the administration has released recognizes the fact that we have to deal with cyber security workforce issues in general, but specific about the energy sector. We're looking and leading the effort in conjunction with Department of Homeland Security to see the gaps and how to train and make that more robust. And then the other area that we are really trying to innovate and lean forward on is the use of competitions to be able to use that applied learning.
The labs are strategically placed in this area with all the different types of test beds they have so we can use the competitions for a learning experience, and then feed that result back into the training that we need to do for the sector as a whole. I've met some of those folks at the national labs. It's impressive what they're doing, and the young people are impressive. They're doing work as well. Yes, sir. Again, Assistant Secretary Evans, can you describe some of the unique threats facing small utilities today with regard to cyber attacks? I would say that one of the biggest things that we need to do which you hit on a little bit is making sure that dissemination of information and the sharing of that information hits at all levels. And that we are working with state and local governments and the associations to make sure that they have the tools that they need, and that they have the awareness and the education that all of them need to have so that you can properly be prepared and make sure that you are assessing the risk that is happening in your area. We are working with those state and local governments with the energy coordinators in the governors' offices and in the states to also then drive down this information. And then also working across with other parts of the government that interact with state and local governments as well to make sure these tools have the widest proliferation. Mr. Dodge, can you describe some of the work they are doing to assist small utilities in addressing their vulnerabilities? Sure. Through the analysis, they work with DOE to constantly stay aware of the threats taking place. They also coordinate to find out if threats are taking place.
Through DOE, they conduct classified briefings with the smaller utilities, and they're actively identifying and sharing best practices with the smaller utilities, in addition to that, they're volunteering on a voluntary basis conducting architecture assessments with any of the entities interested in that service. So sounds like the availability of classification, security classifications is an issue, then? I'm sorry? The availability of security classifications for these small utilities could be a problem? We work to try to overcome that as much as we can. We work with DOE to get one-day read-ins for some of the personnel from utility companies to alert them of threats. All right, Mr. Chairman. I yield back. Gentleman from California yields back and the chair recognizes the gentleman from the only state of the union that includes California as a great state. Thank you for conducting today's hearing. Informative. I want to thank our witnesses for being with us today. It's an important topic that we all worry about constantly on this committee. I want to follow up a little bit from my friend and colleague and cochair of the Grid Innovation Caucus. We talked about it earlier. We introduced legislation earlier this year on H.R. 359 which one being the enhancing grid security, and H.R. 360, the Cyber Sense Act. On the Cyber Sense, to go through it, because I know my friend from Oregon was talking a little bit about it. We were looking at what's happening. A lot of different things that are happening from around the world. We have to be very careful about what's being put in our systems and what kind of devices. But the 360 is the Cyber Sense Act. That program would promote cyber secure products for use of the bulk power system. It also establishes testing. I know he brought up about that seal of approval, but we want to make sure that there's that testing of these products that would be going on in a reporting of the cyber security vulnerability.
And also the secretary at DOE would be required to keep related database for the products to assist electric utilities in the evaluation of the products. Both the bills have been reported favorably out of our subcommittee. Hopefully we'll see them and be signing a law soon. If I could ask Assistant Secretary Evans, do you think our legislation we've been working on not only the grid security but also the Cyber Sense is going to be helpful in making sure you can do your job? I appreciate the leadership that you that the committee is showing in this area. I do believe that the intent of what you have going forward about having vulnerability disclosures and the idea of constantly or having the ability to verify and validate products as they go out and ensuring the supply chain risk is minimized is important regardless of whether the legislation gets passed or not. And so our office is working and leveraging that capability and using the national labs and we are moving forward. Then the legislation I'm assuming you'll be successful. When the legislation is passed, it will enhance that and allow for us to move on a more robust manner. Thank you very much. In the aftermath of the 2015 Ukraine cyber attack, the investigation found that the perpetrators didn't rely on any exploits or software vulnerabilities to disrupt the grid. Rather, they gained access to the system over time learning how to maneuver it and patch it against itself. Patching continues to represent the majority of our cyber security efforts. And to the panel, what steps can be taken to prevent potential attackers from learning to use a system against itself? So I would like to change the dynamic, and that is what we are attempting to do through our research and development in the suds program we have. Because a lot of what we're looking at is after the fact. Patching and maintaining systems. A lot of the things we're looking at and investing through our portfolio is being able to detect and protect.
It's changing the dynamic in a way of using technology so that you cannot necessarily do it after the fact but prevent it up front. So looking at more active dynamic types of things such as software defined networks. Looking at quantum key distribution. How can you use those types of technologies evolving right now to ensure the validity of the data or look at the transactions between the operation technology as well as the information technology systems. We are investing pretty heavily in that, leveraging what is happening in the labs and we currently have a lab call that is out looking for some of ways of how we can accelerate that deployment. Thank you. Mr. Dodge and Mr. Robb, about 35 seconds. We recently changed the cyber security reporting requirements. It was only required if they had an event related to a cyber security that impacted the reliability of bulk power system. Now they have to report possible attempts to compromise the cyber assets and impact the cyber assets as well as the bulk power system. And that information sharing is associated is a huge benefit. I defer to Jim. I'll be quick. I would underscore Secretary Evans' discussion. I think from our perspective, one of the most valuable capabilities to advance would be the ability to monitor what's going on with operational technology systems in the same way we can enterprise systems right now. Mr. Chairman, my time expired. I yield back. The gentleman yields back. The chair recognizes the gentleman from Virginia for five minutes. My questions have been asked. I yield back. Thank you to the gentleman for yielding back. Now the chair recognizes the chairman from Rochester. Thank you and thank you to the panel for discussing the security of our nation's critical energy infrastructure. As was stated by everyone, this is of utmost importance, and we thank you for your work. I just want to pick up on some of the questioning that was asked before from a workforce perspective.
I served in our state of Delaware as a head of state personnel for a while and secretary of labor, and one of the big challenges is always recruitment, retention, compensation, training, sometimes the first budget that gets cut is training. I'm curious if you could just talk to us about some of the both challenges that you see in terms of recruitment and retention of individuals in this cyber security space, and then and particularly from a nonprofit in a public sector perspective when you're competing with the private sector, and then the other question that I had was around innovation. Are there innovative things that are being done to recruit folks to work in your organizations? I'll start with that, and if we could start with Miss Evans. I appreciate the question, and especially coming from Delaware, because the state of Delaware based on my previous experience is very innovative and the approach they're taking. In my work as the u. S. Surgery, we looked at this and the blending of nonprofit public sector, the education system, and how you do that, and how to identify that, and then make it and that commitment of bringing them in is clearly demonstrated in the way the state of Delaware has tackled this issue. There are incentives. There are things we need to do. What gets people excited and you have to look outside the more traditional places, some of the people that are best in this field do not come out of STEM. And that is clearly demonstrated when you put together teams in the competitions to see all the skill sets that are needed. Thank you. Thank you for the question. We're actively monitoring our staffing levels and needs, and we've actually undertaken several programs in the last couple years. I'm not going to get the precise names of the programs. Basically there's a program where we reach out to colleges and bring people in as they're a freshman and sophomore and spend a summer or part of the year working for us.
We're actively working to improve our on-campus relationships with different universities and then we actively go out and do on-campus recruiting as a follow-up. There's a tuition reimbursement program. That after the students graduate that come work for us for a period of time, there's tuition reimbursement where you can forgive the previous student debt. Thank you. I don't have any great insights into the workforce development challenge that we have in the sector other than to underscore it's real as we all know. I would see from a NERC perspective, we've been able to attract and retain top flight cyber security individuals. We do them because they're committed to our mission. A number of people in this sector are very committed to the security and the value associated with electricity and so on and so forth. We appeal to that part of individuals. We've had pretty good success with that. It's a challenge. Yeah. Thank you, and Miss Evans, thank you for bringing up the nontraditional. One of the challenges as well is an aging workforce. Even when you look at workforce planning and who will be retiring, making sure that we're staffed up. My other question was more related not so much to the cyber but to our kind of natural disasters and things like that. And whether or not with the severe weather incidences that we're seeing, how are you preparing whether it's whether you call it climate change or severe weather, whatever you want to call it, these things are real as well. Could you talk about preparation for those? We also have the emergency response capability in our group. What we are looking at is our staffing of how to do that. The staffing in the way that our plans are set up mirror the way the FEMA regions are set up. But we also then use a lot of the modelling that is available within the national labs so we can do predictive types of things. What is key to the success in this emergency response is our partnership with private industry.
We have to have that dialogue with them. It's their resources we need, and that we work with in order to be able to share that information and be able to respond. Thank you so much, and I yield back. Thank you for yielding back. I now recognize Mr. Olson for five minutes. I thank the chair and welcome to our three witnesses. As my colleagues all know, I love to brag about Texas. Along that line, Mr. Chairman, you're correct. One former part of Mexico became a country before it became a state. But it wasn't California. It was the Republic of Texas. The existence from 1836 to 1845. God bless Texas. We haven't recovered yet. This is not a brag, but our grid is the biggest target in America for cyber attacks. We have a free market power system that covers 95 of our state. One by a group called ERCOT. They manage 46,000 miles of electric power lines. 650 separate generation units. Last summer their daily load was 72 megawatts for hourly. That's a huge, huge amount of power. And as we know, if that goes down, that can be very, very bad. Along the Houston Ship Channel 52 miles long lies America's largest petrochemical complex valued at over 15 billion and growing quickly. And with the revolution, we have more and more oil coming into our region for refining. Those are being exported now. Nearly 7 million people live within 30 miles of the Port of Houston and Houston Ship Channel. The bad actors know if they can take down our grid, have us lose control of some of these industrial processes, people will be harmed. And some people may even die. My question is for all three of you. We right now are working hard with the private sector, the government in Houston to address these cyber issues. But we all know we have resources that are limited. We can't go crazy. We can't check on the prices. These things have to work. My question for all of you is how do we balance the proper way to achieve what we can best in cyber attacks while making sure we don't jack up prices.
How can we balance these out? What's the key? Miss Evans, you're up first. The way to the way that we're approaching this, and that we're working with our partners at DHS is really doing risk modelling. And so it is really identifying what are those most critical assets that an industry has, and then in my case, what I'm trying to do is develop a set of tools so that the government as well as our industry partners can actually look at what is the best way, what is the highest risk, how do I protect that? What is the cost associated with reducing the risk in that particular asset? And so as we move forward with that, a lot of this is then how do you give them that information so that they can then use that in the marketplace going forward? That's the same model Governor Perry had in Texas that made our grid secure when he was our governor. Thank you. Mr. Dodge? Your thoughts? Thank you. Thank you for the question. From FERC's perspective, we have a system actively doing things, conducted classified briefings, identifying interest practices, sharing the best practices. In addition to that, FERC undertook a security investments conference a couple months ago where we brought in people from federal and state public utility commissions and also officials. The goal of that tech conference was to actually identify best practices, share the best practices among protecting infrastructure that's not only FERC's jurisdiction but others. Look at FERC or the state should take additional action. I was remiss to mention that was a joint DOE-FERC led tech conference. We're actively working with FERC on that. We received comments back from the public on that tech conference. And we're process reviewing the comments and determining the next steps. Thank you. The man from Neil Armstrong's university, Mr. Robb. Go Purdue. 50 years ago that man walked on the moon. I think one of the key things we're doing as NERC is taking a risk based focus.
All the standards applicable to which entities and which standards we audit. I think there's a clear recognition that one size fits all doesn't work in this area. In terms of striking that balance between economics and risk reduction, you have to make sure you're focusing on the most important risk and not leaving yourself exposed on the other side. Thank you. I want to remind everybody the stars at night are big and bright. Imperative to ensuring that hospitals can treat patients, First Responders can do their jobs, and schools can educate our children. But all of this can be jeopardized if a foreign entity is successful with a cyber attack. We know our utilities are on the front line to ensuring our utilities are protected. While I'm pleased to see FERC taking steps to strengthen Cyber Security standards for our nation's electric system, I have questions about how we can act in a more transparent way. So Mr. Dodge, my first question is directed to you. Could you please explain what happens at FERC, when it becomes aware of a utility noncompliance with Cyber Security regulations. There's a process. And it's in terms of compliance. FERC oversees the development, enforcement of the mandatory reliability standards. NERC and its regional entities conduct periodic audits of the entities. I'm asking when FERC becomes aware that a utility is noncompliant with security regulations. So that the process would take place, is either through an audit conducted by NERC or through a self report from a registered entity. The registered entity files a mitigation plan and mitigates the plan. NERC submits the vice along with a recommendation penalty to FERC for review. FERC staff reviews that and makes a decision whether to assess the penalty or not. And that FERC assessment, does FERC disclose to the public the utility that's in violation? So through the FAST Act that was passed a couple years ago, it gives us authority on the FOIA to identify CEII.
It's critical Energy Infrastructure information. Critical Energy Infrastructure information could be engineering, design, print, vulnerability information about specific electric system assets. FERC is a policy, looks at that information, and any of that information that could potentially be useful to someone who wants to impose harm on the electric system we do not divulge that information. So over the past 6 to 12 months, we received a number request, FOIA request for CEII related information, including the entities who have violated some of the sub standards. We review them in detail and determine which ones to release and which ones not to release. We're working through that. We have released the names of some entities where we did not believe it would be a threat to security of that entity. So how would you suggest that we keep our constituents informed of the level of risk to them from a cyber attack? If you're not going to be transparent with the public, this is a balance for us. If our constituents are at risk, we need to be able to inform them to the level of risk. The registered entities are monitoring the compliance sub standards. As soon as they find a problem or through a self-report, or through an investigation, a routine audit, conducted by NERC or a registered entities, they work to mitigate that concern. And address that concern. We do go through the process and CEII process and review the individual request and make the Information Available as appropriate. So if there's a bad actor, you would tell my constituents or anyone else in this country in this congress, tell the public we have had repeated concerns about compliance with this bad actor? So we actually review the information that's publicly available, or the information that's filed with FERC. We look at the information and what level of detail, technical details, any information.
Whether releasing that information would identify any vulnerabilities or make available any information useful to someone who wants to impose malintent or harm on the electric system. We do not release the names of the entities in that situation. I'm just trying to raise the balance of protecting our constituents, but my time is up. I appreciate your response. Okay. Thank you. Thanks to the gentlelady. The chair recognizes my friend and the gentleman from West Virginia who has the best mustache of anyone in all of Congress. Thank you, my friend. Mr. Chairman, I'd like to ask unanimous consent that this article with comments from Mr. Robb about the grid be submitted for the record. Without objection, so ordered. Last Congress as you well know our Committee Held a number of hearings on the grid in reliability and resiliency, but it's not just the energy and Commerce Committee that's concerned about the grid and its reliability. We had a report that was produced by the National Energy Technology Laboratory that said that without the use of coal, the eastern United States would have suffered widespread blackouts during the 2018 bomb cyclone. Think about that. ISO said the most significant challenge they face is fuel security. And the coal and Nuclear Power plants are needed to maintain reliability. And lastly, Secretary Perry said in 2017 that the resiliency of the electric grid is threatened by the premature retirements of these fuel secure traditional base load sources. Mr. Robb, if I could turn to you, last week you made profound comments, I believe, regarding the grids in Texas and New England specifically. Regarding Texas. You said pardon my French. You said there's no way in hell they can keep the lights on, and yet, they do. Regarding New England, you said the grid operators constantly are finding ways to pull another rabbit out of the hat to keep the lights on. Any of us would look at that situation as engineers and say it's got to break. Mr.
Robb, should Congress be more concerned with this situation? So I'm not sure I used exactly all the colorful language that was reported in the article. It's in the press. Whatever is in the press you know we believe it. I think the point around those and I threw a third market in there, California. I think all three of the markets are demonstrating the challenges associated with the transformation that's going on within the electric grid. In California it's around the deployment of solar and natural gas balancing the resources. Texas has a contemporary problem of just the reserve margin which is one of the Planning Statistics we look at to assess whether or not there's enough resource to meet load, that's below levels that traditionally people would say are reliable. New England has a fuel security problem as noted there. I don't know that these are congressional issues as much as they are market issues, and state policies around Resource Development and deployment. And the point that I don't think got reported quite as clearly as I would have hoped is that what we're seeing in these areas are market operators innovating and finding ways to make the system work in ways that aren't consistent with traditional rules of thumb. Thank you. And I think the key is for us to modernize our thinking. Let me try to get a couple more questions in if I could go to my fellow colleague from West Virginia. Miss Evans, and also Mr. Dodge. In your experiences, are fuel secure, base load power plants critical to maintaining grid reliability? Both of you, please. So there's been a lot of work done in this area, and what you really to look on overall is it's a yes or no, isn't it? So what you I ask the question again. Are fuel secure, coal and nuclear base load power plants critical to maintaining grid reliability. I'd like to get back to you in writing with the answer to that question. You what? I would like to get back to you with an answer on that question. Okay. Miss Evans?
I believe that the secretary has and the administration has expressed its commitment to multiple sources as it relates to the reliability and our commitment as it goes forward in our budget request also reflects our commitment to new sources such as nuclear. If you need a more detailed answer, I'm happy to take that question for the record and get back to you as well. Thank you. I yield back my time. Thank you, Mr. Chairman. Especially for letting us know that Arizona is a great state. Since I came from Illinois originally, it's also a great state. Thank you. Thank you, Mr. Chairman. Ranking member for holding today's important hearing on ways to as a government ensure our electrical grid remains protected and our agencies are fully empowered to defend against Cyber Threats. My state of Arizona is one of the most diverse states in the country when it comes to electric generations and sources. It is essential the reliability of the grid is never interrupted. If Cyber Attacks continue to increase across multiple sectors, it's become clear the threats from information sharing collaboration and partnerships between Government Agencies in industry are necessary to achieve a full defensive cyber posture. Assistant Secretary Evans, in your testimony you highlighted the cyber analytics tools and techniques, programs, as one of the several DOE initiatives to promote Cyber Security defense with the Energy Sector who owns the Critical Infrastructure assets. What is DOE doing to support threat information sharing analysis and timely. I repeat timely return of intelligence back to Energy Sector entities and is the Energy Information flow reciprocal? I appreciate the opportunity to talk about that specific initiative. We refer to it as CATT. And the key to that is the timeliness of getting the information back. So I would like to share one particular piece that is happening on that project.
One of the things that is important is getting the contributions of the information from private sector. I think what you've heard today is that there is a lot of information sharing that happens. What we have to do then is be able to put it into a big pool which our National Labs have worked with us on that and keep enough information with it so that as they identify something across a big trend, that we can then take it back out of that pool and give actionable information either through the ISAC or directly to that entity. That's what the platform is doing through the multiple pilots in the research and development. We talked about chris. That's one of the contributions to that. And the whole key to that is to keep our portion of it declassified so it will end up being machine to machine in the long run by using the advances of technology. I have some other questions prepared. In general as I've listened today, I've heard the word whole of government mentioned. I've heard best management in practices mentioned. The shortage of obviously potentially the work force that's going to be needed. And then I took a look at your budget, the Department of Energy, and found that I don't know how you're going to get that all accomplished with that budget. I don't know I'm not going to leave you here today secure to be able to tell my constituents that we are in a position to fully defend the electrical grid at this moment in time. I would like to make sure I can eventually be able to see a timeline on these projects that you've mentioned today. The cost estimate on how much it's going to cost us within that time line, and within a more aggressive time line, because this is something that we continually is continually changing, as you know, but also continuing to be a threat to our country. I am concerned about the some of the more voluntary reporting structure that I heard about today.
Especially as we get down and down into having less personnel available, and that are at a level of competency to be able to address those needs on an ongoing basis, and we have newer and newer Energy Sources coming online with much smaller budgets and getting into the grid than some of the other major competitors that are out there. So in general, I think this is this has been a good enlightening process today. As far as enlightening me, it's been one that has left me with more questions than answers. Especially in the integration of how that whole process is working in that timely fashion. So I want to thank you all for being here today, and I yield. Ladies and gentlemen, the chair recognizes Mr. Griffin from Virginia, the great state of Virginia for five minutes. Thank you. Assistant Secretary Evans, you and I spoke last year discussing pipelines and some of the concerns that my constituents have, and I was going to ask you some questions on updating me on what you all were doing related to pipeline, Cyber Security, and coordination. You answered those questions earlier when Ranking Member Upton was asking questions. I appreciated the answers. I'm going to skip the questions I would have asked because I don't believe in asking the same question over again just so it gets on my video clip. If anybody back home is watching this, I encourage them to look at your answers and Mr. Dodge's answers to Ranking Member Upton in regard to the coordination you're doing, and it sounds like although it was classified, it sounds like you all are headed in the right direction. Are you doing the same kind of coordination on physical threats to the pipelines as well?
The short answer is yes, sir, and that then is also then demonstrated through the exercises and that information is also shared through the esec meetings we have when the government partners are there and talking about the physical threats that happen to the pipelines with the voluntary reports and the FBI is there, and that has been highlighted from our Industry Partners to the FBI. All right. Mr. Dodge, did you want to add anything in regard to the physical threats? We talked about the cyber. I would only add that in terms of the pipeline, they work with DOE to conduct a security briefing threats. In addition, they're actively involved with the om g sec as well. Because there are continuing concerns, I think the questions just asked are also important in some of the questions we'll continue to look at at this committee, and if you need our help passing legislation or something, we want to make sure that we have as much safety as we can. I appreciate that. Assistant Secretary Evans, TSA has developed voluntary guidelines according to reports, they have only a handful of people working on Cyber Security for pipelines. Do the TSA staffing and resource constraints concern you? And this is a lob in hopes that maybe I think maybe DOE ought to take the lead. So as you know through the oil and natural gas sec as well as the government, we, the government coordinating council, we work jointly with Department of Homeland Security and TSA, and so our resources, we use to leverage the TSA resources because we recognize as a government that we need to address this vulnerability. And I appreciate that, but am I correct, and I may not be, but am I correct that DOE is actually putting more capacity and has more folks working on this than TSA? I would not presume to answer a TSA staffing issue, sir, at this time. Because I know that that's an internal discussion to DHS, and it's more appropriate for that question to go to DHS at this time.
Maybe you can encourage them to talk to us about this as well. I appreciate it. Would you describe the Energy Government coordinating council and DOE's role in that council? We're the cochair of the government coordinating council with Department of Homeland Security. We help craft the agenda. Going forward we work with DHS and our government partners. A good example of that work, we just recently did a top secret SCI briefing for the Interstate Natural Gas Association of America. So keeping with the pipeline theme. So we could really share with them and coordinate through the Intelligence Community what risks they are facing and that was to the executive board of that association. And I don't even remember who it was. They didn't reveal any secrets but they felt that was a useful somebody reported they felt that was a useful a good use of their time and a useful meeting. In this space should DOE have the lead role to ensure the safe flow of energy across the U.S.? I believe sir right now we do have that role as it gets to the sector specific responsibilities that we have that are outlined both in the FAST Act and the presidential directives. Well, and as I've revealed my prejudices in this regard, I do think that DOE is probably where I think DOE should probably be in the leadership role in coordinating preparedness and Cyber Security efforts on all aspects of our pipelines. You can't talk about staffing, but would you disagree with me on that? I believe we have unique expertise, and as the Sector Specific Agency, we use it across the sector. I appreciate it very much. Thank you Mr. Chairman. I yield back. The gentleman yields back. The chair now recognizes the gentlelady from Washington. Thank you, Mr. Chairman. I appreciate the witnesses being here today to share your perspective on this important topic.
Assistant Secretary Evans, I understand that one of the most exciting projects is looking at how software defined networking, SDN Technology Developed by engineering laboratories in Washington in partnership with the Pacific Northwest National Laboratory next door in the Tri-Cities can be used to help secure the Energy Infrastructure at critical National Security facilities. Can you share more about this project with the committee and tell us how it is going? So that is a promising project that we are funding, and we this particular project is it's called suds. Everything has an acronym anymore. It's the Strategic Engagement between the Department of Defense and Department of Energy. It includes the Veterans Administration as well as the Coast Guard, and what it is really looking at is a different way to manage the network and network trafficking, and so that's the idea behind Software Defined networks. It's divorcing it from static types of architecture to make it more dynamic so you can then address on an ongoing basis, the threats, and doing analytics, and then adjusting your configurations as it goes forward. Right now there is a successful implementation happening in Virginia, and PNNL is continuing to work to roll this out with our partners. I believe the next place is Nevada. As that information comes in, we're using that to invest in other efforts across the National Labs so we can add that into the overall solution brought up earlier. It is crucial that information about vulnerabilities such as Cyber Attacks is shared between Government Entities and electric grid asset owners. I believe the creation of CESER was an important step, and I applaud the department's commitment to engaging the Public Private Critical Infrastructure community. But there's more work to be done, especially regarding engagement with Critical Infrastructure equipment manufacturers.
Again, to Assistant Secretary Evans, what steps has your office taken to include not just asset owners but also vendors such as the designers and manufacturers of Critical Infrastructure equipment like SEL in my district? Well, the initial piece several of this is done through our research and Development Programs we have that we fund where we are requesting that manufacturers and folks that produce hardware that are in the grid participate. There were 11 projects that were recently funded that are looking at firmware down to the level of how these things are done, and then being able to say okay, that's a more secure product. We've demonstrated that, and now we're going to go ahead and implement that and show that information. Those are some of the short-term things. The longer-term things are like our CyTRICS program, looking at bigger types of manufacturing activities. And being able to share that information out. And the longer term play that we have is the advanced manufacturing institute. That's really going to look at how can we improve this in the long run on an ongoing basis to address that manufacturing up front and be able to share that information and then be able to take advantage of the innovation that we have. Thank you. There's a growing concern about the presence of certain foreign manufactured components in various aspects of our 21st century infrastructure. Whether in communications, telecommunications or electric grid. For the panel, what potential risk does the growing dependence on foreign manufactured components in our Energy Supply chain and how do we mitigate such potential risks while recognizing that it would be impossible to completely phase out all foreign-made equipment? Approximately two years ago we directed NERC to address a standard. They filed it and we approved it. Addresses some aspects of supply chain risk.
We asked them to do additional work in this area and to look at the supply chain risk with physical Access Control systems as well as look at the potential supply chain risk for low risk or low impact Cyber Security assets. They conducted a report on that, and they're in the process of information on that. So Andy is right. Where this is an ongoing exploration of a very complicated topic. Our next step is we'll be issuing later in August what we call a 1600 data request, which will go out to all the utilities in the NERC registry and collect more information on what suppliers and equipment is out there. We'll have a better sense of the extent of condition, which will form what the next steps might be in order to mitigate whatever other steps might be out there. I look forward to seeing more of that. Thank you and I yield back my time. The gentlewoman yields back. The chair now recognizes grant, cosponsor of H.R. 362. Mr. Waller of Michigan great state of Michigan. Upper Michigan, not lower. Lower Michigan. Thank you Mr. Chairman. Having been born and raised a part of my life in your district as well. I appreciate serving with you and also drawing attention to the fact that we were successful in getting 3 million amendment for CESER past the House. And that's the first step. Secretary Evans and the rest of the panel thank you for being here. As I'm sure you know, Chairman Rush and I, as he just mentioned, have H.R. 362, the Energy Emergency leadership act which would codify the functions assigned to your office as permanent assistant secretary. Can you briefly address for us today how you think such an authorization could improve CESER's ability to carry out its Important Mission in the long term? I think it first, I appreciate the leadership that you're showing with that and the commitment to the office and the administration. What it will do is ensure the ongoing establishment of the office. It'll ensure continuity as it goes forward.
That has already been done with the line item in the budget, that helps. So this would be the conclusion to solidify what this assistant secretary position is intended to do to realize what you had envisioned with the FAST Act of 2015 as well. Appreciate that. Secretary Evans. Due to the fast evolving nature of Cyber Security risks, security cannot be achieved through standards alone, it depends on constant awareness and information sharing between utilities and the government and coordination among the government's efforts. As you know, the FAST Act that you mentioned codified DOE as sector specific agency for cybersecurity for the Energy Sector. This provision requires DOE to coordinate with the Department of Homeland Security and other relevant federal agencies. Can you provide an evaluation of how your office and DOE have coordinated with other agencies? We take our responsibility very seriously as the sector specific agency. And we lead those efforts in conjunction with the Department of Homeland Security. The department of homeland overall has responsibility for all of the sectors. We're just one of those sectors. We view that critical to that effort. We work in multiple ways jointly with the whole of government. I know everybody is talking about the whole of government approach but that truly is the way we need to do this. We are one piece of the puzzle and it has to be looked at across the board both within the Intelligence Community as well as the Department of Defense, Department of Transportation, all of this is interconnected and we do lead that as the energy specific agency. And it does work well. And so, there is there are examples upon examples of where we can show it's working well and it's being mobilized right now as we are watching the hurricanes approach. So I do believe that us, as the lead, as the Sector Specific Agency, we are committed to doing that and our partnership with our fellow agencies, it does work well. Thank you.
The FAST Act also amended the federal power act by introducing new tool of grid scale emergency declarations that can be provided by the president if the executive branch were to ask or order a utility to take or not take certain actions with regard to the intrusion or vulnerability. There are concerns that they may act contrary. Has CESER or the department considered the possibility and in such circumstances that are not grid scale emergencies are you aware of these concerns over this type of incentive structure creating ambiguity or strain? So that is one thing that we are working in partnership with our Industry Partners, as well as state and local governments. Should the president declare a grid emergency, looking at the way Department of Homeland Security through the National Risk Management Center identifying work, also through our office with the north american resiliency model you can see what kind of risks there would be based on the way the infrastructure is set up. We are working in conjunction with them to be able to highlight these issues through a policy process in the administration to make the determination should additional legislation or Liability Protections are needed, if and when that happens. Mr. Dodge, if I could, has FERC looked at this issue as well? Thank you. I yield back. The gentleman yields back. The chair now recognizes Mr. Jocelyn for five minutes. Thank you, Mr. Chairman. Thanks to our panel for being with us today. Miss Evans, because DOE is the Sector Specific Agency for Cyber Security for the Energy Sector, the work your office does is so very important and that importance will continue to increase as our dependency on technology grows.
Last time you testified we discussed DOE's role in the tri-sector working group, which as I understand it was organized to help us better identify and ideally safeguard some of the interdependencies of the critical functions of the groups, our electricity, Financial Sector and telecom industries. Last time we talked this was just beginning and discussions were under way on how best to direct that work. Can you please provide an update on how the conversations have been going and if this work is helping to better safeguard these Critical Industries? I'm happy to provide the update. The work is continuing. There is an industry side of this, the Industry Group has identified and fed into the process that DHS released the National Critical functions that work of the tri-sector group, the government side and the industry side fed into what are those National Risk indicators. Based on that, now the groups are going down, both on the government side as well as the industry side, looking at those interdependencies, and then in essence it is a risk register and looking at those interdependencies between those three sectors and what can we do to mitigate the risk as we go forward. So the work is continuing. It is getting to a more granular level. But that is to be expected so that we can then inform how are we going to then deal with it as we go forward. I'm an I.T. guy in my profession before I came to serve here in Congress. How can Congress be helpful with this work moving forward? What I believe is going to happen, and this is what we're going to have to look at Going Forward is, as you see these interdependencies, especially as it relates to technology, we've covered some of the issues Going Forward, there probably will be help, there will be things that we'll need to discuss with you that could say maybe the Legal Framework in order to share the information needs to be more robust. That is a path we're exploring. We're looking at it from the government side. I know the industry side is looking at it as well.
Switching gears to the entire panel, looking at strengthening our workforce. I spent 26 1/2 years in the Air Force doing large scale I.T. projects, many of them very secure programs. Lots of experience and skills among our military veterans getting out. What are you doing and I'll give each panelist an opportunity to comment on this, what are you doing to incorporate individuals such as veterans in your hiring initiatives. Miss Evans, do you want to go first? As you said, sir, they have a series of skills that are readily transferrable. We do do we're doing targeted recruiting as we're Going Forward. We do partner with DOD. There are a series of programs that are out there that some of them have already been mentioned today. That allow for that transference to go back and forth. And so, there are programs that the nonprofit sectors are also looking at so that military personnel know how their skills translate into civilian sector as well. I think a lot of times what I've seen in my experience is they don't necessarily know that it translates into this particular job. It's been that way since 1999 when I retired. The information the amount of information going to our veterans and letting them know where their services might be useful has not gotten better. I hear you. Mr. Dodge? Sure. Thank you for the question. We received a similar question earlier today, and we responded to that. I'm not an expert in the federal government, Human Resource policies. I can tell you that we have recently hired several recent veterans into our organization. Mr. Robb, quickly? Kind of a similar answer as Andy. I would say this transcends cyber. We found military veterans to be a great fit for our mission in a number of areas. I would guess I won't give you a number, but a material part of our workforce are ex-military. Mr. Chairman I yield back. The gentleman yields back. The chair now recognizes the gentleman from Texas for five minutes.
Thank you, Chairman Rush, appreciate you holding this hearing and the witnesses that have taken the time to come before the subcommittee. It's clear that electrification of our world has brought many benefits, but we also face the risk of foreign actors that would like to disrupt that. They understand that it's a benefit and know how disruptive that it would be if they could cause any sort of havoc in that. Advancements in best practices would be useful in helping that risk and we should continue to partner to ensure our defenses are strong. My question today, and anybody on the panel can answer it, I think that it was referenced in testimony from Ms. Evans in particular that the assessment released earlier this year by the office of National Intelligence details the capability of Russia and China to cause massive disruptions to our Energy Systems. I was wondering if you could expand more on what a disruption to a Distribution Network or gas pipeline would mean for those citizens and Companies Impacted? Can anybody touch on that? Could you repeat the last portion of your question? Yes. Just expanding on a little more on what a disruption to an electrical Distribution Network or natural gas pipeline would mean for citizens and those companies that would be impacted by that disruption. Sure. Thanks for the question. We have not had a disruption up to this point, I want to point that out and make that very clear. We've actually improved the Cyber Security reporting standards to actually report attempts as well as actual events. So from an actual Customer Perspective it could be an interruption whether it's an electric Distribution System or natural gas system and it could be a disruption for some period of time. The period of time could vary quite a bit and they'll really have additional insight to your question other than that. Anyone else have any thoughts?
I would just make the observation that one of the key tenets of the NERC and FERC reliability regime is that if an incident occurs it quickly gets contained so it doesn't cascade beyond kind of a local boundary to allow the various parties that would be required to do restoration are working on a small problem rather than a large one. The one thing I would say, the highest likelihood in that area is an electrical disruption would be contained to a fairly specific area and in the cascade. The other point I would make, probably a better comment from the gas industry, a disruption of the natural gas system is complicated from a safety perspective because of the nature of the fuel. Right. Exactly. Secretary Evans, you talked in your testimony about DOE's role on the National Security Council and mentioned the unclassified threat briefings that DOE provide to partners that go with the classified threat briefings to members of the cleared sector. Can you talk about the importance of working with industry to head off threats and the importance of the DOE interactions with Information Sharing and Analysis Centers? I'm happy to discuss that. We do try to get the information declassified to the greatest extent possible so that it can be distributed through the Information Sharing and Analysis Centers that you mentioned. We hold regular meetings with those folks who manage that, the technical teams that manage it, they come. Those are handled at classified levels so they can understand the context around the threat. But we also then work across with the energy sector and the associations and through the sector, the Sector Coordinating Councils, to do both classified and unclassified briefings. So that they can, the more you can say in a classified environment is great, but you want to be able to give them information that's actionable so they can go back and talk to their entire company and what kind of actions they can take and what kind of risks they're posing.
So we work at multiple levels to make sure we get the best information in the hands of those who can turn it into actionable information for their constituents. Thank you very much, I yield back. The gentleman yields back and that concludes the witness question. I want to thank all the witnesses for your participation in today's hearing. Pursuant to committee rules, they have ten business days to submit additional questions for the record to be answered by the witnesses who have appeared. And I'll ask each witness to respond properly to any such questions that you may receive. The chair now requests unanimous consent to enter into the record the following documents. A letter from the Western Governors' Association. A letter from Protect Our Power. And a letter from the R Street Institute. Without objection, so ordered. And the subcommittee now stands adjourned.