Subcommittee will not come to order. The chairman will now yield five minutes to my great friend. From california. Five minutes. Thank you for getting me the five minutes. I think the witnesses for coming this morning. The incredibly important issue when it came out and make good policy on. We are meeting today to discuss the state of Cyber Security and the continuing threats facing Americas Energy infrastructure. We continue to see increasing threats to the grade originally both the home and abroad. Im glad to see the doe and others taking steps to address the growing dangers followed by nefarious actions. Our energy grid serves as the backbone of our economy. Touching every aspect of our life. A reliable grid is also crucial to our National Security. We can improve the security and reliability of our missions electric grid. We must work on a bipartisan basis and integrates with Industry Leaders as we are doing here. Fortunately the modernization and integration of our Energy Infrastructure is already underway. What was once a oneway Delivery System is involved in a Dynamic Network for information and energy both was. Technological advancements. There also born from the need to secure the energy grid against potential and physical Cyber Threats. Technology allowing for the rerouting of power and Quick Response in the event of an attack is being deployed across the great. The cooperation is essential to protecting americans and our nations infrastructure. Given todays cyber environment, it is more important than ever that congress pursue policies that continue to foster these exciting developments and support our great infrastructure. This is the issue i am very passionate about. It is a threat to our physical and National Security. Make it imperative we invest in grid modernization. That is what i am proud to go to the bipartisan caucus. With my good friend from across the all. Is from ohio. Together we are focused on providing a forum for discussing solutions to the many challenges facing the grid and to educate members of congress and Staff Members about the importance of the electric grid with relation to the common. Advanced technologies. Being utilized to enhance grid capabilities. This work has informed our introduction of 2 bills. Both of which awarded the marked up. Their aim is to bolster americas electric infrastructure by encouraging coordination between the department of energy and the electric utility. My bill which i introduced enhancing Grid Security to Publicprivate Partnership act would create a program to enhance the physical and Cyber Security of the electric utilities are assessing security vulnerabilities and increasing Cyber Security training and collecting data. It also required the cost estimate calculator which is used to calculate the return on investment. To be updated at least every two macginnis to ensure accurate calculations. He introduced along with me, the critical cyber since at makes important headway in protecting our critical grid infrastructure. The cyber since i would grid a program to identify cyber secure products for the book. Testing and verification programs. The power system supports american industry and provides all the benefits of reliable electric power to the american people. Is essential we make the system as secure as possible. Cyber attacks pose a serious threat to the electric grid. This bill will go a long way to strengthening that system. I also want to take a moment to mention my support. The emergency leadership act. This would establish new doe assistants. Jurisdiction over all energy and security functions related to Energy Supply infrastructure and Cyber Security. I want to mention my support for one more bill on this topic. A pipeline facilities Cyber Security preparedness act. Sponsored by the Ranking Member. This would require the secretary of energy to establish a program. Is the bills i have mentioned so our committee is positioned to examine the issues as we were to put america on a path to better securing our utility systems. On your back to the chairman. I want to thank you gentlemen. Determined was with an informal on one of my dear friends. My flight was canceled. They agreed to sit in the chair for me. Last night. I am here now. I want to thank them personally for agreeing to sit in the chair for me. As you can see i am here. I also appreciate the confidence you have shown in me. The chair now recognizes the Ranking Member of the subcommittee for five minutes. Im sorry to hear about your friend. I am grateful you do not get on that plane. I do not think that plane would have had a lot. Todays hearing continuing the subcommittees oversight of Cyber Security throughout the electric grid. The parties that all of us have had. On this is the first hearing specifically, the subcommittee has been raising questions about persistent and emerging threats to the electrical grid. And incoherence of federal officials over the course of this session. Building on the work we have done the last couple of congress is. It is unquestionable that ensuring the reliable supply is vital to our nations security. Our health and welfare. That enables telecommunications to transport and delivery of energy. Powers the infrastructure that delivers our drinking water. The provides the goods and services of our modern society. Powers our household. Everything else. Lets face it. The u. S. Has the worlds most competent electric grid. While we have a well developed system to ensure the lights stay on, were confronting the challenges every day. Adopted to a changing generation makes. Were also responding to new threats. The integration into the system of new Digital Technologies that are essential for keeping up with our Nations Energy needs costly add vulnerabilities. Other vulnerabilities are being added. By electric generating units. Combine that with the rapid expansion of Cyber Capabilities by more of americas adversaries and safeguarding transmission infrastructure. Many of the federal oversight and structures in place today would ensure the system can mitigate and respond and can be traced to this committees legislative work. We authorized it in 05. In 2015, this committee including the fast act. To strengthen the Energy Sector specific authorities to facilitate sharing of the threat information between owners and the federal government. Is the federal agency with the leading expertise in our electricity grid and the Cyber Security threat, it is imperative we are in them with the tools and authorities to protect our electricity system from the transmission lines to the very generating stations and the populace. We develop legislation to follow these functions overseeing Cyber Security and to improve information sharing Emergency Planning and other technical activities in this jurisdiction. That legislative work is continuing. Fortunately, the department has used its own authorities to implement enhanced leadership over Cyber Security and to improve interagency coordination. Against that backdrop, todays hearing provides a great opportunity to update the subcommittee on what these agencies are doing to advanced Cyber Security practices. Protections and response planning. Looking forward to hearing from the secretary. When she testified in september of last year, she had been on the job for only a couple of weeks. Though she brought long federal experience to the table as soon as she sat down. I look forward to discussing the current work. How well it is exercising its coordinating role. To learn what challenges she sees and how she plans to address those challenges. Will also be grateful to hear from todays regulators of the electric grid. Particularly interested in learning what measures they are working on. The risk of massive blackouts can be hard to think about. The Cyber Security realities of today requires that we face these risk headon. That we be sure our agencies have the tools in the toolbox and the information that they need to address the risk in what theyre prepared for the consequences of successful attacks. Thank you mr. Chairman for this hearing. The chair now recognizes the chairman of the four committee for five minutes. Thank you chairman. We had to get an update from federal agencies about how they are addressing Cyber Threats to our electricity grid. When your enemies are developing new techniques to compromise and attack our great. Involving important that the electric industry remain vigilant. Our committee has been conducting robust oversight on this topic. Todays hearing is a public forum to discuss how the federal government is addressing Cyber Security challenges. The Committee Also continues to receive closeddoor briefings on the issue. Our witnesses all take Cyber Security to the grid very seriously. Of the secretary made the right decision in creating the position as assistant secretary for Emergency Response to focus specifically on this pressing issue. The family reported that legislation introduced by the german that would enshrine the statute to its appropriately division. I look forward to bringing this bill and three other bipartisan Cyber Security builds up to the fork in medicine. We must be active and vigilant when it comes to Cyber Security. Time is of the essence. , we had the first cyber events that disrupted greg operations. Playfully there seemed to be very little effect on the transmission grid. We must stay ahead of anyone who is a cyber threat. I appreciate the work. To continue enhancing Critical Infrastructure protection standards like the final rule in october. This implements the reliability standards that respond to the supply chain risk and require entities to develop and implement security controls for industrial control systems. And services. These are the types of important looking actions we need to proactively protect against. Why this is not specifically about pipeline Cyber Security, i would be remiss not to mention how important it is to our grid system. Would never want to find yourself in a different situation. Remain concerned about the lack of resources and expertise that the Security Administration populace security program. I look forward to hearing from deeley about ways they can help address these safety gaps. The continue to devote resources or attention to these matters, we must your other option to keep our pipes secure. Think our witnesses for being here as we discussed what is critical. The chair now recognizes the Ranking Member of the four committee. Good morning mr. Chairman. Glad to have the witnesses here. It is an essential part of everything we do. As we have learned in previous briefings, todays highly interconnected digital world. The threat is ever present and growing. One of our responsibilities is to review and abide policies that concern the Reliable Delivery of energy. This is part of the kit committees jurisdiction. No matter which party is the majority. This mornings hearing continues its important work. Focuses on the status of efforts to address Cyber Security threats. We hear testimony from our witnesses today. Your key players in keeping the lights on. Each of your organizations as a rule in technical systems. Oversight of implementation. Practices and all of that as it relates to the power system. Look for to hearing updates from the witnesses. Special coordination and sharon. We know that has always been a issue. We examine some of the work theyre doing to carry out its broad energy Cyber Security responsibilities over the Energy Sector. This includes providing the Technical Assistance to Energy Sectors help identify vulnerabilities. Have seen some of his work first hand. Especially in the northwest. I went out to idaho falls for the Idaho National laboratory. Terrific people doing amazing work on behalf of the country. That provide the tools and the testbeds and other capabilities that have been proven very helpful for all types of industries and systems we rely upon. We master how to play the sharing tools. The Cyber Security risk information sharing program. They have proven especially helpful in identifying systematic Cyber Attacks across the Energy Sector. Will be interesting to hear today how this approach is being expended more broadly. Especially as it relates to supply chain risk. The supervisory control and data acquisition. Embedded in the great. When i was more connected devices and smart grid technologies are added to the grid, the vulnerabilities will continue to grow. Information sharing is central to the defenses. This is especially important as they become more interconnected. Donations pipeline systems such a critical part of the electricity fuel supply system. And its potential harm supplied electricity. We had to think about pipelines as part of our Larger Energy system. Or simple mode of transportation. While they fall under regulatory regimes, the doe must remain overpopulated to ensure the delivery of electricity to consumers. That is why this committee has been pushing the truck to find Emergency Response role and strengthen the Department Capabilities to monitor the Cyber Threats. Is also important. Members on this panel have had the benefit of briefings for the past few years to understand Emergency Response exercises in the electric sector. Will also be useful today. We understand the risk to our Critical Infrastructure. Business and Technical Assistance. Deployment of Innovative Technologies and best practices to get empty threats is even more urgent. We must be sure our protection standards are up to date. Flexible to meet the rest. We must make sure we are providing our federal agency the tools needed to set the industry more effective. We have more responsibility. Here is like this will help us do our job better. Thank you for having this oversight hearing. Thank you to you testimony and guidance of county. You will improve our work. The chair would now like to welcome one of our expert witnesses. The assistant secretary. Cyber security. Energy security. Emergency response. The federal energy commission. Mr. Jim rall. The president. The north American Electric reliability corporation. I want to thank all of the witnesses again for being here with us today. We look forward to the testimony. I have to give you a tutorial before we begin. I would like to explain the system. In front of me as a series of lights. The light will initially be green at the start of your opening statement. The light within 10 yellow when you have one minute remaining. Please began to wrap up your testimony. The lot will return bright red when your time expires. With that said, the assistant secretary evans, now recognized for five minutes. Good morning chairman rush and members of the committee. Thank you for the opportunity to discuss the continuing threats facing our national Energy Infrastructure. It is one of the Energy Secretary stop party. By the administration proposing and congress affirming the officer Cyber Security and Emergency Response, the secretary has clearly demonstrated his commitment to achieving the administrations goal of Energy Security and more broadly National Security. Our nations Energy Infrastructure has become a primary target. The statesponsored and non statesponsored. The frequency skill and sophistication continues to increase. They have the potential to disrupt Energy Services and damage highly specialized equipment and even threaten human health and safety. The release of the president S National Cyber strategy in september 2018 reflects the administrations commitment to protecting america from Cyber Threats. The department of energy plays an active role in supporting the security of our nations Critical Infrastructure. Reflects a conservative response to the emergence of Cyber Security and resilience. Fostering partnerships with Public Sector stakeholders is of the up most importance to me. There prioritize Risk Reduction activities across several key areas. Aligned to the infrastructure reduction which is protecting the american people. The homeland and the american way of life. To prioritize actions to identify National Risks. In the Energy Sector, the core of the Critical Infrastructure partners is represented by the electricity coordinating council. The all it national gas subsector counsel. They represent the interest of their respective industries. It is where the interagency partners states and International Partners come together to discuss the important security and resilience issues for the Energy Sector. This ensures we are working together in a government response. It is critical for us to be proactive and cultivate a secure Energy Network of producers and distributors. And public partners. Acting together to strengthen our ability to identify and detect. The department is focusing cyber support efforts to strengthen the Energy Sector Cyber Security preparedness. And accelerate Game Changing research and development. They also maintains a close relationship. To ensure they have the relevant information to execute the missions. They also hold regular discussions with the three Energy Sector information sharing analysis systems. And enclosed the downstream national gas. The oil and natural gas. To share potential threats and to disseminate information. Establishing it is the result of the administrations commitment to prioritize the Energy Security. They are working on many fronts collaborating with industry and state and local governments to protect our missions Critical Infrastructure. From all hazards including this growing cyber. Our longtime approach will strengthen our missions National Security and positively impact our economy. I appreciate the opportunity to appear before this committee. I applaud your leadership in a look forward to working with you and the respective staff to address cyber and physical security challenges. I want to thank you madam secretary. Now want to recognize mr. Rob. For five minutes. Good morning chairman rush. Members of the subcommittee. Thank you for the opportunity to testify today. I am the director of electrical liability. I will often refer to that as the commission. Im here today as a special witness. My remarks do not necessarily represent the views of the commissioner in the individual commissioner. All provide a brief overview of the activities to help protect and improve the Cyber Security of the nations power system. It includes mandatory reliability standards. Audits of those standards and sharing of best practices. We work very closely with the north American Electric liability county. Other federal and state agencies to carry out this very important work. In section 215 of the federal power act, the are responsible for developing and proposing new or modified reliability standards to the commission. To oversee them. Or substandard. The original set of eight mandatory standards were the so called version 1 standard. There developed in 2006 and became totally enforceable in 2010. The six standards are continuously reviewed and updated to address new cyber skating threats and challenges as well as technological changes. We are currently in version 5 of the overall standard. There currently 11 active Cyber Security standards and one active security center. Over 200 distinct requirements. It is a requirement. To Cyber Security. In portland, the reliability standards are objectivebased. It is free to choose compliance. The standard requires each utility perform a Risk Assessment of its asset. Categorize this asset in the low medium and high impact electric grid. The other substandard then build upon the number 2 stated. The retard companies to develop Cyber Security plans and Trained Personnel adequately. Establish access parameters. Also tested and apply patches in a timely manner. Identified report Cyber Security influx and develop and implement recovery plans. Amongst other things. Recently, the commission enhanced the standards to address supply chain risk and also instant reporting. Although, their primary enforcement for the so standards, since 2016, the commission has been auditing the sample utilities each year with respect to the compliance for the version 5 of the substandard. As a result, the commission has issued 2 reports that describe the Lessons Learned from the audit as well as best practices. Publishing these Lessons Learned, we hope to help other Utility Companies improve their compliance and reliability standards as well as the Cyber Security. In addition to the mandatory reliability standards, they have adopted voluntary initiatives overseen by our office of Energy Security. They engage us with partners and energy and other federal agencies to develop and promote best practices for Critical Infrastructure security. These include voluntary architectural assessments. Classified briefings for state and energy officials. Security programs. In conclusion, protecting the electric system is critically important for securing our missions Critical Infrastructure. Basic in both standards or mandatory approach as well as a collaborative voluntary approach to ensuring reliability and secure operational grid. Im thankful for the opportunity. I appreciate the opportunity to be with you today. This is my first appearance in front of the committee. You have all noted in your opening comments how foundational electricity to modern society. All of us here on the panel. The department of energy. We all take our job of the fabric of the industry very seriously. We know the citizens of the United States and our members depend on the reliable supply of electricity for other daily life needs. There has been no successful cyber attack that has resulted in a loss of mold in the United States. I can assure you that we will never rest on our morals as if threats are real. As a result, the Electricity Sector has taken the threat extremely seriously. We find that executive leadership focus Cyber Security is one the top part is. Like our day in and day out job to reduce risk to liability, cyber risk originate from determined ministers who use multiple persistent techniques to attack our great. They employ a multipronged approach to support security of the power system. It includes mandatory and enforceable reliability standards. Information sharing and partnerships with our agency. As well as other Government Entities to confront rapid developing threats. Together we believe they form a Solid Foundation of best practices and strategies to confront this ever evolving threat. With respect to standards, our standards about a Common Foundation for security. There developed using subject matter expertise reviewed and approved by the board of trustees. Ultimately by the fre c. The required companies to establish plans and controls to protect the Critical Systems against cyber attack. Is a personnel are trained on hygiene. Our standards involved with increased understanding of threats. Recent updates to the substandards address supply train risk. Compliance with standards is routinely audited. Standards are just one important element. Because it evolves rapidly, in addition provided by the standards, they must maintain constant situational awareness. Prompt Emergency Response capabilities. That is were informational sharing comes in. Operated working in close collaboration with the department of energy, it is the central within the Electricity Sector. They communicate with over thousand organizations via a secure portal with secure information provided by government. We managed a terrific information sharing program. Uses Innovative Technology developed by the department of energy to monitor cyber activity on the company systems. Developed over the last several years the capability to rapidly declassify insights within 24 hours to communicate insights out to industry. We are working to further expand the program. We also conducted countywide security drill. It is the largest regrettably security exercise for the Electricity Sector. Conducted every other year, and our government partners, assimilates a widespread physical attack designed to overwhelm even the most prepared organizations. Finally, we have best significantly in education and outreach. Recently established on all points bulletin to rapidly communicate insights into threats to industry. We can also use an alert. Provides National Security information and mitigation strategies to industry. In addition we sponsor the premier annual Grid Security conference. It has proven to be a terrific training and outreach training program. Industry Security Officials and vendors to engage and learn from each other. I think the committee for inviting me here today. I look forward to your questions. We will not include the Opening Statements from the witnesses. We will now proceed to the members question. Each member will have five minutes to ask the question of our witness. We will start by recognizing myself for five minutes. Assistant secretary evans. As you know, 362. And personified your position as a new assistant secretary. We look forward to passing it out. We want to be invited to your celebration. I have a question for you. Some tension among the federal agencies. Who was responsible. When it comes to protecting the Energy Sector. When it comes. And resources. Protecting the energy specific sector. Why is it uniquely positioned to resist all those issues. First, thank you sir. We will invite you done for the celebration. We applaud your leadership. Into this important issue. Where it is uniquely positioned, the partnership that they have as a Sector Specific Agency out to the entire sector, as well as state and local government. What is even more unique about the department of energy is the national lab structure. When you hear that there is some tension, i do not know there is the actual tension. Is the expertise of the Energy Sector. That is why the administration has the agency. Under the. As well as within the National Cyber strategy as it goes forward. There is clarity that we continue to work through us to the Incident Response and how that should work. There is no disagreement in the executive branch that this is a important sector. The Publicprivate Partnership is critical. Leveraging the national lab capability in our understanding does make us that way. While we are the Sector Specific Agency for the Energy Sector. I want to move on. We know that they are roughing up the capability to detect the energy grid. Cause disruptions to our economy. Is very seriously. Are there any areas where congress should provide more assistance in the form of Additional Authority or resources or anything else that you may think of. I am also hearing to recognize them. Whether there is anything more that this congress can do to help you all protect the grade from foreign attacks. I appreciate the opportunity to answer that question. As i outlined in my testimony, it is clear from the worldwide threat assessment what they have said about our adversaries capability. When we are looking at it from a National Security perspective, i think the key area really is the partnership and the information sharing. As we are implementing the national strategy, where really looking to clarify roles and responsibilities to specifically answer the question you oppose. Do we need more legislative authority. Do we need. What is that administrative package that is to come up here so we can have that information sharing in a way that will facilitate and ease some of the issues the industry may feel that they have Going Forward. One area we are also working out and looking at is under the fast, you have given the secretary the authority was the president designates a great emergency. What exactly is involved in that. How we would then move industry resources to deal with the national emergency. At that point, industry has also expressed and working with us how some additional Liability Protections may be needed. Would you please respond in writing to that question. The channel recognize the Ranking Member for five minutes. Thank you again for your testimony. I have a couple of questions. I know we have had exercises on Grid Security. Has been very helpful. Can you tell us what are some of the things you have learned from that . Also, whether or not we have had exercises on pipelines in terms of Cyber Attacks. As it relates to problems, we have done a joint exercise. And classified setting to really exercise at the interdependency and see what weaknesses we need to shore up. There are Lessons Learned. There are things we are applying and taking forward in the government approach. I would you over if they would like to speak more about that exercise that has happened. The other thing i would like to add. Is actually a doe led classified security briefing. Is actually a joint tabletop drill. Natural gas industry officials. And also include all the ideals and as. Was a rather expensive. There was Lessons Learned as was indicated. It was a classified briefing. Yellow she those we actively following up on. You plan on doing any of that this year . 19 or 20. Is there a date that is sent . We will be conducting our fifth exercise this november. It will be a multisector exercise. Only focused on the electric system. Will also involve fuel suppliers such as natural gas. That exercise again is a continent wide overwhelming attack. That is really designed to break everybody system, pushing to the limit so they understand where the vulnerabilities are. One of the things were doing this year is to take a very strong focus on a narrow region of the country. Will start to focus on the operational coordination that will be required between gas pipelines. The utility sector. , even the Financial Sector in what would be involved in restoring the system. Is tsa involved at all . They have been invited to participate this year. At the participated in the past . We actually had a person there. They have a representative there. Two weeks ago. We just had it all and Natural Gas Council meeting on in oklahoma city. Actively participate. We work directly with the industrywith the industry to go through the initiative in the update we have jointly announced with the oil and natural gas that happened last october. So tsa, transportation, d. O. E. , department of Homeland Security, we are all leveraging our resources to look at pipeline security and how to make it more robust. So, i am looking at a statement and i am sorry i didnt print this out. I just saw it a few minutes ago, a report i think in politico this morning, that the tsa administrator is talking about they want to be more involved, but they realize they are in essence shortstaffed and the likelihood of operating under a continuing resolution means they wont be able to expand anything beyond what they had fiscal year 19. And as we learned two weeks ago, they only have i think for people out of the 50,000 that work on pipelines. So i just question the substantive role they might have, knowing we have entrusted you all to Work Together with the enactment of the fast act and really appreciate the work that you do and look forward to supporting the legislation. Some of the portrait hanging deal as assistant secretary. With that, i yield back. The chair now recognizes thank you, mister chairman. Thank you ms. Evans for being here. First of all, i appreciate we are a nonclassified situation, so tell me if you can answer my questions, but do you know how many Cyber Attacks the electric grid sustains on a regular day . Average day . So d. O. E. Continuously monitors across multiple things. So it depends on how we talk about a cyber attack. We are in constant communication and we constantly monitor what is happening in the state of the sector as a whole. Beyond that, i am happy to come back in a more appropriate setting to give you more details, if you would like. You didnt tell me a number. You know the number yourself . That is where i said it depends on how you do find the attack . Yes. Are you able to determine how much of that activity is coming from state actors . So again, i would be happy to talk about that more, but the way we are designing the system do you know it is coming from state actors . Is that something you dont want to answer here . I would like to answer that in a more appropriate setting. Let me move on then do something else. Maybe a followup with a question that the chairman asked of ms. Evans, about what needs to be done now from congress. It is my observation that we rely heavily on the utilities, private companies, to deal with this. And when they came to speak to us last congress, they suggested that the thing they needed most to modernize the grid, not just related to security, but to modernize it with Research Support from congress, that they wanted to be sort of left to their own to be able to innovate, which i think is generally appropriate. How comfortable do you feel that individual utilities are able to handle these attacks . And is there anything that you think, to follow on with mister rushs question, that congress should be doing to back that up, through the security . Im not sure i got the entire question with the door closing. The point i would make in response to chairman rushs question is that the Biggest Issue for us, we are sort of threat actors and so forth is less interest to us than the attack vectors and so forth. The most important thing for our perspective would be for government to be able to more rapidly declassify information to get into actionable insight we can get out to industry. Industry doesnt need to know the origin or the source, we just need to know what. I think unfortunately right now what and who are intricately tied up, so that kind of clogs the mission right now. That would be the most important thing that i would see government being able to do that would facilitate better information sureness and awareness in industry. Rapid declassification and or broader availability of security clearances. Realtime ability to share information. On attacks and that sort of thing . Absolutely. Right. How should, what should be the responsibility, the legal liability for utilities with these attacks . Suppose something gets there because of the weakness of a particular utility, what incentives do we have to make sure they are carrying their weight . I am probably not the best expert to talk about legal liability. What i would say in response to the question is that every ceo i know of from the largest to the smallest, take this threat enormously seriously. So they, right now, i think they all do everything that makes sense for them in their situation to protect against these attacks. It is just my observation. I appreciate that, i think it is something that every ceo wants to avoid, but unless there is a bottomline impact, sometimes it doesnt filter through the culture of the entire company. I like the way we rely on private innovators to field these problems. I think they are often better situated than the government, but on the other hand we have to provide incentives to private industry to make sure they do emphasize that, as a business matter. I guess my time is expired and we will have to continue that conversation later, but thank you for being here. Thank you to the gentleman. The chair recognizes the Ranking Member for five minutes. Thank you, mister chairman. As you can see mister chairman, it is dangerous protecting the grid. We all have to do our part. Mister robb, in addition to reports of china and russia, resent reports indicate that iran threatens retaliation. That could include infrastructure. From your perspective, can you walk through how the power system prepares when they see Something Like this in the news . Are they prepared for it . First of all, i believe that the utilities are on kind of constant alert, because they know that they are a great attack target for foreign adversaries, so i think the security establishment within the utility sectors is top notch, always on alert. In the case of, you know, the situation surrounding iran, as soon as we were made aware of the situation, we had an all points bulletin we put together in concert with d. O. E. , with an appropriate level of declassification of insight that we had out within three hours. Right. Now in recent months, the u. S. And its allies have been addressing security concerns about Chinese Telecommunications technologies, such as huawei. This raises concerns about the use of similar equipment in the bulk power system. How are you all, if you can both address this, how are you addressing supplychain risks in the bulk power . As you know, the administration has received several guidance and executive orders with supplychain management. The department of Energy Program in particular already had a program underway, which was dealing with it, which is our cyber testing for resilience of industrial control systems. It is really looking at the Technology Associated with what is in the energy grid. That is really looking at that. What is the supplychain risk and how are you doing that . We also purchased a tool that we intend to deploy to the sector as a whole, so they can start looking at their own suppliers. Then on top of that, the last piece is that the department has announced an advanced manufacturing initiative, which is looking at things in the long range for all the Innovative Technologies, all the Different Things that are happening, so we can make sure that we are looking at that upfront, as we are then manufacturing these technologies. So will that give purchasers of technology in the systems, can you give them the assurance that what they are buying is certified safe . It is. As well as saying, that equipment over there may not be . The idea of our program to be able to go forward which actually mirrors the type of approach you have taken in the legislation is voluntary participation. So leveraging the capabilities of the labs and looking at the tests it is publishing and then is working jointly with the National Institute of standards to do the widest distribution of that information, so that you can then become an informed consumer. So what you will then see is Industry Partners who are actively participating. For example, there is a very active cyber center of excellence that the industry sector and partners are actively participating in. So what i want to know is, as a simple consumer here, i realize that is not his equipment in the power grid, but will there be like a stamp of approval, that this equipment meets the standards . You can rest assured, it has no backdoors. No chips that are that is what we hope to be able to identify jointly through the advanced manufacturing institute. So do we have an outcome in mind . Not necessarily, but it will involve the advanced manufacturing institute. Because i know some of this equipment is in different elephant Telecommunications Equipment and it is expensive to take it out. You dont want to replace it and then someone says, by the way, thats not good either. We want to avoid that. Mr. Robb i only have 30 seconds, please take it. Sure, on this last point we think a Supplier Certification Program is smart to do. The work d. O. E. Is doing in this area is terrific with groups trying to come together to create a similar program. Your original question around huawei and the list of suspect companies, we are issuing first of all, we issued an all points bulletin back in march in response to the Defense Authorization act, prohibitions around those suppliers. Alerted industry to that fact. We give them time to get their head around where some of the Technology May be deployed in their systems. Next week we will issue what we call a level ii nerc alert which will require industry to inventory all the instances they still have those devices, communicate back to us through integration strategies around them and we will have that information by the end of the summer. The chair now recognizes for five minutes. Mister mcnerney from the state of california. Thank you chairman. Mr. Robb, you testified that as of yet there have been no successful Cyber Attacks on ours system. That is a great achievement of your office, i appreciate that. Are you aware of any foreign governments embedding Cyber Weapons into our grid today to use and possible future attacks . If you can answer that question. I would reference back to the unclassified version of the worldwide threat assessment. I think that the dni has been very specific about what our adversaries capabilities are. I specifically quoted in my testimony, and i also have it memorized, at the bottom of page 5 in the top of page 6. He was very clear about what the capabilities are and what our adversaries can do. Thank you. Mr. Robb, concerning information sharing, is the security clearance of utility officials an obstacle to affect the data sharing and Cyber Security information . Yes. Just the sheer number of individuals who are waiting for clearance and dont yet have them is problematic. How could we remedy that problem . I dont have the answer to that question, but it is a problem that needs to be resolved. Lets collaborate on that a little bit then. Secretary evans, you note in your testimony that one area of truly foundational problems is the Cyber Security Workforce Development. What is ceser and the d. O. E. Doing to train workers against these kinds of threats . So i appreciate the opportunity to highlight the work we are doing there. We have the cyber strike training and the executive order that the administration has released recognizes the fact that we have to deal with Cyber Security workforce issues in general, but very specific about the Energy Sector. So we are looking and leading the effort in conjunction with the department of Homeland Security to see what those are and how to train and make that more robust. And then the other area that we are really trying to innovate and lean forward on is the use of competition to be able to use that applied learning. The labs are strategically placed in this area with all the different types of testbeds that they have, so we can use those competitions for a learning experience and then feed that result back into the training that we need to do for the sector as a whole. I met some of those folks at the National Labs. It is impressive what they are doing and the young people are impressively doing work. Sure. I guess, assistant secretary evans, can you describe some of the unique threats facing small utilities today with regard to Cyber Attacks . I would say one of the biggest things we need to do that you had on a little bit is making sure that dissemination of information and the sharing of that information hits at all levels and that we are working with state and local governments and the associations to make sure that they have the tools that they need and that they have the awareness and the education that all of them need to have, so you can properly prepare and make sure you are assessing the risk that is happening in your area. We are working with those state and local governments, with Energy Coordinators in the governors offices and in the states, to also then drive down this information and then also working across with other parts of the government that interact with state and local governments as well, to make sure these tools as well as the isacs have the widest proliferation. Can you describe some of the work that d. O. E. Ias is doing to assist utilities and their vulnerabilities . Sure, through ferc, we work with d. O. E. To stay aware of all the threats taking place. We also coordinate the isacs to find out threats are taking place, as well. The d. O. E. Then conduct classified briefings and they go out and share best practices with the small utilities. In addition to that they are actually volunteering on a voluntary basis, conducting infrastructure assessments with any of the utilities that are interested. It sounds like the availability of classification, security classification, is an issue then. Im sorry . The availability of security classification for the small utilities could be a problem. We work to try to overcome that as much as we can. Part of what we do is work with d. O. E. , who actually get one day regions, where personal from the Utility Companies alert them of threats. Okay mister chairman, i yield back. The gentleman from the great state of california yelled back in the chair now recognizes the gentleman from the only state in the union that eclipses california as a great state, from ohio, for five minutes. Thank you mister chairman. Think of for todays hearing, it is very important. I want to thank our witnesses for being with us today. It is an important topic that we all worry about on this committee. I want to follow up a bit with my friend and colleague and coach here. Talked earlier about we introduced legislation earlier this year on hr 359, enhancing Risk Security and 360, the cyber sense act. And again, to go through that, i know that my friend from oregon was talking a bit about it. What was happening. A lot of Different Things are happening from around the world that we have to be very careful about, what is being put into our systems and what kind of devices. But the 360 is the cyber sense act. Again that program would identify and promote cyber secure products for use in the bulk power system. It would also would establish testing. I know you brought up that field approval, but we want to make sure there is that testing of these products that would be going on and reporting of the Cyber Security vulnerability. And also the secretary at d. O. E. Would be required to keep related database for those products in evaluation of these products. In both of these bills have been reported favorably out of subcommittee. Hopefully we will see those signed into law soon, but if i could ask secretary evans, do you think legislation we have been working on, not only the Grid Security, but also cyber sense, is going to be helpful in making sure you can do your job . I appreciate the leadership that the committee is showing in this area. I do believe that the intent of what you have Going Forward about having vulnerability disclosures and the idea of constantly having the ability to verify and validate products as they go out and ensuring that the supply chain risk is minimized is important regardless of if the legislation gets passed or not. Our office is working and leveraging that capability using the National Labs and we are moving forward. When the legislation, assuming you will be successful, when the legislation is passed it will enhance that and allow us to move in a more robust manner. Thank you very much. In the aftermath of the 2015 ukraine cyber attack, the investigation found that perpetrators didnt rely on any exploits or Software Vulnerabilities to disrupt the grid. Rather they gained access to the system over time, learning how to maneuver it and use it against itself. In short, patching vulnerabilities wouldnt have prevented the attack but patching continues to represent the majority of our Cyber Security efforts. To the panel, which steps can be taken to improve the monitoring of Security Networks to prevent potential attackers from learning how to use the system against itself . Mrs. Secretary, if you would like to start to answer that question. So i would like to change the dynamic, which is what we are attempting to do three research and development and the program we have. A lot of what we are looking at is afterthefact. So patching and maintaining systems. A lot of the things we are looking at and investing through our portfolio is being able to detect and predict, which is changing the dynamic in the way of using technology, so that you cannot necessarily do it afterthefact, but prevented upfront. So looking at more active, dynamic types of things such as Software Defined networks. Looking at quantum key distribution. How can you use those types of technologies that are evolving right now to ensure validity of the data or look at the interactions of the transactions that are happening between the Operational Technology as well as the Information Technology systems. We are investing pretty heavily and that, leveraging what happens in the labs. We currently have a lab call right now that is out that is looking at ways we can accelerate that deployment. Thank you. Mr. Dodge and mr. Robb, we have about 35 seconds. They recently changed the Cyber Security reporting requirements. Previously entities were only required if they had an event related to Cyber Security that impacted the reliability of the system. Now they will have to report events of possible intrusions or attempts that have compromised cyber assets and impact cyber assets, as well as the bulk power system. That information sharing will be a huge benefit. I will be very quick. I would underscore secretary evans discussion. From our perspective one of the most valuable capabilities to advance would be to monitor what is going on with Operational Technology systems, the same way we can with enterprise systems right now. Thank you very much. My time is expired and i yield back. The gentleman yields back. The chair now recognizes the gentleman from virginia for five minutes. Mister chairman, sadly my questions have been asked. I yield back. The chair thinks the gentleman for yielding back. Now the chair recognizes Mister Rochester for five minutes. Thank you, mister chairman, and thank you so much to the panel for discussing the nations critical Energy Infrastructure. As stated by everyone, this is of utmost importance and we thank you for your work. I just want to pick up on some of the question that was asked before from a workforce perspective. I served in our state of delaware as head of state personnel for a while and secretary of labor and one of the big challenges is always recruitment, retention, compensation, training. Sometimes the first budget gets cut his training. Im curious if you can just talk to us about some of both the challenges you see in terms of recruitment and retention of individuals in the Cyber Security space and then, particularly from a nonprofit in a Public Sector perspective when youre competing with the private sector, and then the other question that i had was around innovation. Are there innovative things that are being done to recruit folks to work in your organizations . I will start with that and we can start with ms. Evans. I appreciate the question, especially coming from delaware, because the state of delaware based on my previous experiences very innovative in the approach they are taking. In my work as u. S. Cyber challenge director we really looked at this and the blending of nonprofit Public Sector, the education system, and how you do that and how to identify that and then make it, and that commitment of bringing them in is clearly demonstrated in the way the state of delaware has tackled this issue. There are incentives. There are things we need to do, but what really gets people excited, and you have to look outside the more traditional places, some of the people that are best in this field do not come out of stem. That is demonstrated when you put together teams in the competitions to see all the skill sets that are needed. Thank you. Mr. Dodge. Thank you for the question. We actively monitor our Staffing Levels and needs and we have undertook several programs in the last couple years. I wont get the precise names of the programs. Basically there is an Internship Program where we reach out to colleges and bring people in as freshmen and sophomores in college and they come in and spend the summer or part of the year working for us. We are actively working to improve oncampus relationships with different universities and we actively go out and do on campus recruiting as a follow up. In addition to that, the federal government has a Tuition Reimbursement program that after the students graduate to work for ferc for a period of time, there is actually Tuition Reimbursement where they can forgive some of their student debt. Thank you. And mr. Robb . I dont have any great insights into the Workforce Development in the sector other than to underscore that it is real, as we all know. I would say from a nerc perspective what we have found is we have been able to attract and retain top flight cyber skilled individuals, but we do that not because we pay them top dollar, they do it because they are committed to our mission. A number of people in this sector are very committed to the security and the value associated with electricity and so on and so forth. So we appeal to individuals and have had success with that, but it is a challenge. Thank you. And ms. Evans, thank you for bringing up the nontraditional. One of the challenges we have is an aging workforce, so when you look at workforce planning and who will be retiring, making sure we are staffed up. My other question was related not so much to the cyber, but kind of to nastro natural disasters and things like that. And whether or not with the Severe Weather incidences we are seeing, how are you preparing, whether you call it climate change, Severe Weather, whatever you want to call it, these things are real, as well. Can you talk about preparation for those . We also have the Emergency Response capability in our group. We are looking at our staffing of how to do that. The staffing in the way our plans are set up near the way the fema regions are set up. We also then use a lot of the modeling that is available within the National Labs, so we can do predictive types of things. What is key in the success of this Emergency Response is our partnership with private industry. We continuously have to have that dialogue with them, because it is their resources that we need and that we work with in order to share that information and to be able to respond. Thank you so much, and i yield back. The chair thinks the gentle lady for yielding back. And now recognizes mister olson for five minutes. I think the chair and welcome to our three witnesses. As my colleagues all know, i love to brag about texas. Mister chairman, you are correct. One former part of mexico became a country before it became a state, but it wasnt california. It was the republic of texas. From 1836 to 1845. God bless texas. We havent recovered yet. And this is not a brag, but our grid is the biggest target in america for Cyber Attacks. We have a free market power system that covers 95 of our state, run by a group called ercot. They cover 46,000 miles of electric power lines. 650 separate generation units. Last summer there daily load was 72 megawatts hourly. That is a huge, huge amount of power. As we know, if that goes down, that could be very, very bad. Along the houston ship channel, 52 miles long, lies americas largest petrochemical complex valued at over 15 billion and growing quickly. With the share revolution, more and more oil coming into our region for refining, those are being exported now. Nearly 7 Million People live within 30 miles of the port of houston ship channel. The bad actors know, if they can take down our grid, have us lose control of some of these industrial processes, people will be harmed and some people may even die. My questions for all three of you, we right now are working hard with the private sector government in houston to address these cyber issues, but we all know we have resources that are limited. We cant go crazy. We cant jack up the prices. These things have to work. So my question for all of you is, how do we balance the proper way to achieve what we can best to prevent Cyber Attacks, while making sure we dont jack up prices to make us noncompetitive in the Global Market . How can we balance these out . What is the key . Ms. Evans, you are first. The way we are approaching this in the way we are working with our partners at dhs is really doing risk modeling. So it is really identifying what are the most critical assets that an industry has and then in my particular case what i am trying to do is develop a set of tools so that the government, as well as Industry Partners, can actually look at what is the best way, what is the highest risk, how can i predict that, what is the cost associated with the risk in that particular asset . So as we move forward with that, a lot of this has been how do you give them that information so they can then use that in the marketplace Going Forward. That is the same model governor perry had there in texas that made our grid secure when he was in texas. Thank you. Mr. Dodge, your thoughts sir. Thank you, thank you for the question. So from our perspective, we are doing things on an active basis. Providing briefings, determining best practices, sharing best practices. In addition to that, nerc undertook a conference in the spring, a couple months ago, where we brought in members of elect industry, natural gas industry, as well as federal and state public utility commissions and officials. The goal of that tech conference was to actually identify best practices, share those amongst protecting infrastructure not only for our jurisdiction, but other infrastructure. Look at Cost Recovery mechanisms to determine if they were adequate and whether or not ferc or state should take additional actions. And we are actively working with ferc on that. We received comments back from the public on that conference and we are process reviewing the steps. Thank you. The man from meals from Neil Armstrongs university, mr. Robb. Okay, go purdue. I think one of the key things we are doing is nerc is taking a riskbased look at all the things we do, in terms of which standards are applicable to which entities and which standards do we audit and so on and so forth. I think there is a clear recognition that onesizefits all doesnt work. Striking that balance, you have to make sure you are focusing on the most important risks and not leaving yourself exposed on the other side. Thank you mr. Chair. The chair recognizes the gentleman from texas, your time is up. And now recognizes the gentle lady from New Hampshire for five minutes. Thank you, mr. Chairman. I appreciate it and thank you to all the folks here today. This is a very important issue and i know people in New Hampshire are concerned about the critical importance to families and communities across the country and it doesnt typically get the attention it deserves, so i appreciate this hearing. Ensuring our grid can operate without disruption is imperative to ensuring hospitals can treat patients, First Responders can do their jobs and schools can educate our children. But all of this can be jeopardized if a Foreign Energy bad actor is successful with a cyber attack on our electric grid. We know our utilities are on the front line of ensuring our grid is protected, but not all utilities are adequately maintaining safeguards to combat a cyber attack. While i am pleased to see ferc taking recent steps to strengthen standards for our nations electric system , i still have questions about how we can act in a more transparent way. So, mr. Dodge, my first question is directed to you. Can you please explain what happens at ferc when it becomes aware of a utilities noncompliance with Cyber Security regulation . Sure. Thank you very much for the question. I appreciate the question. So, there is a process and the process that takes place is in terms of compliance. Ferc oversees the development, enforcement, the mandatory reliability standards, including the sip standards. Nerc and its entities conduct periodic audits i am asking when ferc becomes aware that utility is noncompliant with security regulations. The process that actually takes places either through an audit conducted by nerc or through a selfreport from a registered entity to nerc. Nerc coordinates that. They investigate the noncompliance. The entity follows a mitigation plan and mitigates the concern. Then nerc submits the actual violation along with a recommendation for penalty to ferc for review. Staff reviews that and makes a decision whether to assess the penalty or not. And that ferc assessment, does ferc disclose to the public utility in violation . So, through the fast act passed a couple years ago, it gives us authority to identify critical Energy Infrastructure information. It could be Engineering Design prints, vulnerability information about specific electric system assets. Ferc, as a policy, looks at that information and any of that information that could be useful to someone who wants to impose harm on the electric system, we do not divulge that information. So over the past 6 to 12 months, we received a number of requests for related information, including the entities who have violated some of the sip standards. We review them in excruciating detail and determine which to release and which not to release. We are still working through that end we have released the names of some entities where we did not believe it would actually be a threat to security of that entity. So how would you suggest that we keep our constituents informed of the level of risk to them from a cyber attack . If you are not willing to be transparent with the public, and ive heard your explanation why, this is a balance for us. If our constituents are at risk, we need to be able to inform them of the level of risk. So, whenever the Utility Companies they are actively monitoring the compliance to s. I. P. Standards. As soon as they find a problem through a selfreport or an investigation, routine audits from nerc or its registered entities, they actively work to mitigate and address that concern. We do go through, you know, through the foia process and cei process and we do make the Information Available as appropriate. So if there was a bad actor, you would tell my constituents or anyone else in the country or the congress, how the public, we have had repeated concerns about compliance with this bad actor . So we actually review the information thats publicly available or the information that is filed with ferc. We look at the information, the Technical Details of the information, whether releasing that information would identify any vulnerabilities or make available any information that was particularly useful to someone who wants to impose mal intent or harm on the electric system. We do not release the names of the entities in that situation. Im trying to raise the balance of protecting our constituents, but my time is up. I appreciate your response. Thank you. The chair recognizes my friend, the gentleman from west virginia, who has the best mustache in the whole congress. Mister mckinley for five minutes. Thank you, my friend. Mister chairman, id like to ask unanimous consent that this article from mr. Robb about the grid he submitted to the record. So ordered. Thank you. Mister chairman, id also like to expand on this theme of keeping the lights on, to include grid reliability. Last congress, you will note, our Committee Held a number of hearings on the grid and reliability and resiliency, but it is not just the energy and Commerce Committee that is concerned about the grid and its reliability. We had a report that was produced by the National Energy Technology Laboratory that said that without the use of coal, the eastern United States wouldve suffered widespread blackouts during the 2018 bomb cyclone. Think about that. Iso new england said in their report, said that the most significant challenge that they face is fuel security and the coal and Nuclear Power plants are needed to maintain reliability. And lastly, secretary perry said in 2017 that the resilience of the electric grid is threatened by the premature retirement these fuel secure, traditional, baseload sources. Mr. Robb, if i could turn to you. Last week you made these remarks. These profound comments, i believe, regarding the grid. In both texas and new england, specifically. Regarding texas, you said, pardon my french, you said there is no way they can keep the lights on, yet they do. Regarding new england, you said the grid operators constantly are finding ways to pull another rabbit out of the hat to keep the lights on. That any of us would look at that situation as engineers and say, its got to break. Mr. Robb, should congress be more concerned with this situation . Im not sure i used exactly all the colorful language that was reported. Its in the press, whatever is in the press, you know we believe. I think the point around those, i through a third market in there, california. I think all three of these markets are demonstrating the challenges associated with the transformation going on with the electric grid. California revolves around the deployment of solar and natural gas to balance those resources. Texas has kind of a contemporary problem, a reserve margin, which is one of the Planning Statistics we look at to determine if there is enough resource to meet load. That is below levels that people would traditionally say are reliable. New england has a fuel security problem. I dont know that these are congressional issues as much as they are market issues and state policies around Resource Development and appointment. The point that i dont think that reported quite as clearly as i wouldve hoped is that what we are seeing in these areas are market operators innovating and finding ways to make the system work in ways that are not consistent with traditional rules of thumb. I think the key is to modernize our thinking. Let me try again to get a couple questions in. If i can go to my colleague from west virginia, ms. Evans, and also, mr. Dodge. In your experiences, fuel security, or fuel secure coal and Nuclear Power plants, baseload power plants, critical to maintaining grid reliability . Both of you, please. There has been a lot of work done in this area. What you really have to look on overall day it is a yes or no, isnt it . Let me ask the question again. Our fuel secure coal and nuclear baseload power plants critical to maintaining grid reliability . I would like to respond to you in writing with the answer to that question. You what . I would like to get back to you with the answer to that question. Okay. Okay. Ms. Evans . I believe the secretary and the administration has expressed its commitment to multiple sources as it relates to the reliability and our commitment as it goes forward in our budget request also reflects our commitment to new sources, such as nuclear. If you need a more detailed answer, i am happy to take that question for the record and get back to you as well. Thank you, i yield back my time. The chair now recognizes mr. Ohalloran, from the great state of arizona. Thank you, mister chairman, especially for letting us know that arizona is a great state. Since i came from illinois originally, it is also a great state. Thank you. Thank you mister chairman and Ranking Member for holding todays hearing on ways the government can ensure our electrical grid assets remain protected and agencies and stakeholders are fully empowered to protect against threats. Our state of arizona is one of the most diverse in the country when it comes to electric generation sources. While more electric grids integrate Renewable Energy into the grids, it is essential that reliability of the grid is never interrupted. As Cyber Attacks continue to increase across multiple sectors, it has become clear that threats from information sharing, collaboration and partnerships between Government Agencies and industry are necessary to achieve a full defense of cyber posture. Assistant secretary evans, in your testimony you highlighted the cyber analytics tools and techniques, programs, as one of several d. O. E. Initiatives to promote Cyber Security defense of the Energy Sector that owns the assets. What is d. O. E. Doing to support threat information sharing, analysis, and timely and i will repeat, timely return of actionable intelligence back to Energy Sector entities and is the information flow reciprocal . I appreciate the opportunity to talk about that specific initiative. We refer to it as cat. The key is the timeliness of getting information back. I would like to share one piece of what is happening on that project. One thing that is important is getting the information from private sector. I think you heard today there is a lot of information sharing that happens, but what we have to do is be able to anonymize it, put it into a big pool, which our National Labs have worked with us on. Then keep enough information with it so if they identify something across a state trend, we can take it back out of that pool and give actionable information through the isacs or that entity. That is what that platform is doing to the multiple pilots we have in research and development. We talked about crisp, one of the contributions to that. And the key of that is to keep our portion declassified so it will end up being machine to machine in the long run, by using advances in technology. I have some other questions prepared, but in general as i have been listening today, i have heard the word whole of government mentioned. I have heard best management and practices mentioned. The shortage of, obviously potentially, the workforce that will be needed. Then i took a look at your budget at the department of energy and found that i dont know how you will get that all accomplished with that budget. I am not going to leave here secure to be able to tell my constituents that we are in a position to fully defend the electrical grid at this moment in time. I would like to make sure that i can eventually see a timeline on these projects that youve mentioned today. A cost estimate on how much it is going to cost us within that timeline and within a more aggressive timeline, because this is something that is continually changing, as you know. Also continuing to be a threat to our country. I am concerned about some of the more voluntary reporting structure that i heard about today. Especially as we get down into having less personnel available. The level of competency to be able to address those needs on an ongoing basis and we have newer and newer Energy Sources coming online, with much smaller budgets and getting into the grid, then some of the other major competitors out there. In general i think this is been a good and enlightening process today, but as far as enlightening me, it has been one that left me with more questions than answers, especially in the integration of how that whole process is working in a timely fashion. I want to thank you all for being here today and i yield. The chair thinks the gentleman and recognizes Mister Griffin of the great state of virginia for five minutes. Thank you, mister chairman. I appreciate it. Assistant secretary evans, you and i spoke last year discussing pipelines and some of the concerns my constituents have. I was going to ask some questions to update me on what youre doing with pipeline Cyber Security and coordination. You answered those questions earlier when Ranking Member upton was asking questions and i appreciated those answers. I will skip those questions that i would have asked, because i dont believe in asking the same question over again just so it gets on my video clip, but if anyone back home is watching this, i encourage you to flip back a little bit and look at your answers, both your and mr. Dodges answers to Ranking Member upton in regard to the coordination you are doing. Although it was classified, it sounds like youre headed in the right direction. Do you have anything to add . Are you doing the same coordination to physical threats on the pipeline as well . The short answer is yes sir. That is also demonstrated through the exercises and that information is also shared through the meetings that we have when government partners are there and talking about the physical threats that happen to the pipeline. The fbi is there and that has been highlighted from our Energy Partners to the fbi. All right, mr. Robb, did you want to add anything to the physical threats, because we already talked about the cyber . The only thing i would add is in terms of the pipeline activity, oai is involved with that. They work with d. O. E. To conduct security threats. They are involved as well. Because there are continuing concerns, the questions that mr. Ohalloran just answered, we will look as a committee. If you need our help with legislation or something, we want to make sure we have the most safety we can and we appreciate that. When it comes to pipeline guidelines, tsa is taking the lead on guidelines for the industry to follow. According to reports they have only a handful of people working on Cyber Security guidelines for pipelines. Do the staffing and resource constraints concern you . This is a lob, in that i hope and think maybe d. O. E. Ought to take the lead. As you know with oil and natural gas, s. E. C. , as well as the Government Coordinating Council, we work jointly with department of Homeland Security and tsa. So our resources we use to leverage the tsa resources, because we recognize as a government that we need to address this vulnerability. I appreciate that, but am i correct, and i may not be, but am i correct that d. O. E. Is putting more capacity and has more folks working on this than toc tsa . I would not presume to answer a tsa staffing issue, because i know that is an internal discussion to dhs and it is more important for that to go to dhs at this time. Maybe you can encourage them to talk to us about this as well. I appreciate it. Would you describe the Energy Government coordinating council and d. O. E. s role in that counsel . We are the cochair of the Government Coordinating Council with the department of Homeland Security. We help craft the agenda Going Forward. We work with dhs hand in hand and our government partners. A good example of that work, we just recently did a topsecret fbi briefing for the interstate Natural Gas Association of america. So, keeping with the pipeline theme, so we could really share with them and coordinate through the Intelligence Community what risks they are facing. That was to the executive board of that association. I dont even remember now who it was. They didnt reveal any secrets, but someone reported to me that they felt like that was useful a good use of their time and a useful meeting. In this space, should d. O. E. Have the lead role to ensure the safe and reliable flow of energy across the u. S. . I believe right now we do have that role, as it relates to the sector specific responsibilities that we have that are outlined in the fast act and president ial directives. As i revealed my prejudices in this regard, i do think that d. O. E. I think d. O. E. Should be in the leadership role in coordinating preparedness and Cyber Security efforts in all aspects around pipelines and you already indicated you cant talk about staffing, but do you disagree with me on that . I believe we have unique expertise and as a sector specific industry we use that expertise with our partners in private energy. I appreciate it very much. Thank you mister chairman, i yield back. The gentleman yields back. The chair now recognizes the gentle lady from washington for five minutes. Thank you. Thank you, mister chairman. I appreciate the witnesses being here today to share your perspective on this important topic. Assistant secretary evans, i understand one of the most exciting projects is looking at how Software Defined networking, sdn, Technology Developed in pullman, washington, in partnership with the Pacific Northwest national laboratory, nextdoor in the tricities, can be used to help secure the Energy Infrastructure critical National Security facilities. Can you share more about this project with the committee and tell us how it is going . So that is a promising project we are funding and this particular project, everything has an acronym, it is the Strategic Engagement between the department of defense and the department of energy, but it also includes the veterans administration, as well as the coast guard. What it is really looking at is a different way to manage the network and network trafficking, so that is the idea behind Software Defined networks. It is diverging from static types of architecture, to make it more dynamic so you can address, on an ongoing basis, the threats. Doing analytics and adjusting your configuration as it goes forward. Right now there is a successful implementation happening in virginia. And they are continuing to work to roll this out with our partners in multiple places. I believe the next place is going to be nevada. As that information comes in, we are using that to invest in other efforts across National Labs so we can add that into the overall solution that was brought up earlier. It is crucial that information about vulnerabilities such as Cyber Attacks is shared between Government Entities and electric grid asset owners. I believe the creation of ceser was an important step and i applaud the departments commitment to engaging the Public Private Critical Infrastructure community, but there is more work to be done. Especially with Critical Infrastructure equipment manufacturers. Again, to assistant secretary evans, what steps has your office taken to include not just asset owners, but also vendors, such as designers and manufacturers of critical equipment in my district . On the initial peace, this is done through our research and Development Programs that we have where we find that we are requesting that manufacturers and folks that produce hardware that are in the grid participate, so there were 11 projects that were recently funded that are actually looking then being able to say, okay, thats a more secure product. Weve demonstrated that, now were going to implement that and share that information out. Those are some of the shortterm things were doing. The longer term things are looking at bigger types of Manufacturing Activities and being able to share that information out. And the longer term play we have is the advanced manufacturing institute. Thats going to look at how can we improve this in the long run on an ongoing basis to address that manufacturing upfront and be able to share that information and take advantage of the innovation that we have. Thank you. Theres a growing concern about the presence of certain foreign manufactured components in various aspects of our 21st century infrastructure whether Communications Telecommunications or electric grid. For the panel what, potential risk does the growing dependence on foreign manufactured parts supply chain while recognizing it would be impossible to phase out all foreign made equipment. Approximately two years ago, we developed nerc to develop a standard for the supply chain risk. Nerc filed the standard with us and we approved it. It helps address some aspects of supply chain risk. We also directed nerc to go back and do additional work in the area and look at the supply chain rick associated with electronic asset control systems as well as physical control systems as well as look at the potential supply chain risk for low impact cybersecurity assets. Theyve conducted a report on that. And theyre in the process of following up on that. I defer to jim to add Additional Information on that. So andy is right. Where this is an ongoing exploration of a very complicated topic. Our next step is well be issuing later in august what we call a 1600 data request, which will go out to all the utilities in the nerc registry and collect a lot more information on what suppliers, what equipment is actually out there. Well have a better extent of condition which will inform what the next steps might be in order to mitigate the other steps out there. I look forward to seeing more of that. Thank you i yield back my time. Gentle lady yields back. The chair now recognizes the brilliant cosponsor of hr362, mr. Walberg of michigan for five minutes. Great state of michigan. Upper michigan, not lower michigan. Lower michigan. Thank you mr. Chairman. Having been born and raised a part of my life in your district as well. I appreciate serving with you and also drawing attention to the fact that we were successful in getting 3 million amendment for cesar past the house. And thats the first step. Secretary evans and the rest of the panel, thank you for being here. As im sure you know, chairman rush and i, as he just mentioned, have hr362, the Energy Emergency leadership act which would codify the functions assigned to your office as permanent, assistant secretary. Can you briefly address for us today how you think such an authorization could improve cesars ability to carry out its Important Mission in the long term . I think it first, i appreciate the leadership that youre showing with that and the commitment to the office and the commitment to the administration. What it will do is ensure the ongoing establishment of the office. Itll ensure continuity as it goes forward. That has already been done with the line item in the budget, that helps. So this would be the conclusion to solidify what this assistant secretary position is intended to do to realize what you had envisioned with the fast act of 2015 as well. Appreciate that. Secretary evans. Due to the fast evolving nature of Cyber Security risks, security cannot be achieved through standards alone, it reliability and security depend on constant awareness and information sharing between utilities and the government and coordination among the governments efforts. As you know, the fast act that you mentioned codified d. O. E. As the specter specific agency for Cyber Security for the Energy Sector. This provision requires d. O. E. To coordinate with the department of Homeland Security and other relevant federal agencies. Can you provide an evaluation of how your office and d. O. E. Have coordinated with other agencies . We take our responsibility very seriously as the Sector Specific Agency and we lead those efforts in conjunction with the department of Homeland Security. The department of Homeland Security overall has responsibility for all the sectors. Were just one of those sectors. We view are critical to that effort. We work in multiple ways jointly with the whole of government. I know everybody is talking about the whole of government approach but that truly is the way we need to do this. We are one piece of the puzzle and it has to be looked at across the board both within the Intelligence Community as well as the department of defense, department of transportation, all of this is interconnected and we do lead that as the energy specific agency. And it does work well. And so, there is there are examples upon examples of where we can show its working well and its being mobilized right now as we are watching the hurricanes approach. So i do believe that us, as the lead, as the Sector Specific Agency, we are committed to doing that and our partnership with our fellow agencies, it does work well. The thank you. The fast act also amended the federal power act by introducing new tool of grid scale emergency declarations that can be provided by the president if the executive branch were to ask or order a utility to take or not take certain actions with regard to the intrusion or vulnerability. There are concerns that they may act contrary to their first course of action. Has cesar or the department considered the possibility and in such circumstances that are not grid scales emergencies, are you aware of these concerns over this type of incentive structure creating ambiguity or strain . So that is one thing that we are working in partnership with our Industry Partners, as well as state and local governments. Should the president declare a grid emergency, looking at the way that department of Homeland Security through the National Risk Management Center is identifying risk, and then also the work that is going on through our office of electricity with the north american resiliency model, you can then start seeing what kind of risks there would be based on the way the infrastructure is set out. We are working in conjunction with them to be able to highlight these issues through a policy process in the administration to make the determination should additional legislation or Liability Protections are needed, if and when that happens. Mr. Dodge, if i could, has ferc looked at this issue as well . Thank you. I yield back. Gentlemen yields back. The chair now recognizes mr. Jocelyn for five minutes. Thank you, mr. Chairman. Thanks to our panel for being with us today. Ms. Evans because d. O. E. Is the Sector Specific Agency for Cyber Security for the Energy Sector, the work your office does is so very important and that importance will continue to increase as our dependency on technology grows. Last time you testified we discussed d. O. E. s role in the trisector working group, which as i understand it was organized to help us better identify and ideally safeguard some of the interdependencies of the critical functions of each sector of that group, that is our electric ultimates, our Financial Sector and telecom industries. Last time we talked this was just beginning and discussions were under way on how best to direct that work. Can you please provide an update op how these conversations have been going and if this work is helping these Critical Industries . Im happy to provide an update. The work is continuing. There is an industry side of this, the Industry Group has identified and fed into the process that dhs when this he released the National Critical functions, that work of the group, both the government side and the industry side knead what are those National Risk indicators. Based on that, now the groups are going down, both on the government side as well as the industry side looking at those enter dependences and then in essence, its a risk register. And then looking at those interdependencies between those three sectors and what can we do to mitigate the risk as we go forward. The work is continuing its getting to a more granular level but that is to be expected to so we can infor how are we going to deal with it as we go forward. Im an i. T. Guy in my profession before i came to serve here in congress. How can congress be helpful with this work moving forward . What i believe is going to happen, and this is what with were going to have to look at Going Forward is, as you see these interdependencies, especially as it relates to technology, weve covered some of the issues Going Forward, there probably will be help, there will be things that well need to discuss with you that could say maybe the Legal Framework in order to share the information needs to be more robust. That is a path were exploring. Were looking at it from the government side. I know the industry side is looking at that, as well. Ing. Gears a little bit to the entire panel, looking at strengthening our workforce, i spent 26 1 2 years in the air force doing large scale i. T. Projects, many of them very secure programs. Lots of experience and skills among our military veterans getting out. What are you doing and ill give each panelist an opportunity to comment on this, what are you doing to incorporate cleared individuals such as veterans in your hiring initiatives . Miss evans, you want to go first. As you said sir, they have a series of skills that are readily transferable. We are doing targeted recruiting as were Going Forward. We do partner with dod. There are a series of programs that are out there that some of them have already been mentioned today that allow for that transference to go back and forth. And so, there are programs that the nonprofit sectors are also looking at so that military personnel know how their skills translate into civilian sector as well. I think a lot of times what ive seen in my experience is they dont necessarily know that it translates into this particular job. Its been that way since 1999 when i retired. The information the amount of information going to our veterans and letting them know where their services might be useful has not gotten a lot better in almost 30 years. So i hear you. Mr. Dodge . Sure. Thank you for the question. We received a similar question earlier today, and we responded to that. Im not an expert in the federal government, Human Resource policies. I can tell you that we have recently hired several recent veterans into our organization. Mr. Rob, quickly . Kind of a similar answer as andy. I would say this transcends cyber. We found military veterans to be a great fit for our mission in a number of areas. I would guess and i wont give you a number but a material part of our workforce are exmilitary. Mr. Chairman i yield back. The chair now recognizes the gentleman from texas for five minutes. Thank you, chairman rush, appreciate you holding this hearing and the witnesses that have taken the time to come before the subcommittee to discuss ways we can improve the Cyber Security of our nations grid. Its clear that the electrification of our world has brought many benefits but we also face the risk of foreign actors that would like to disrupt that. They understand that its a benefit and know how disruptive that it would be if they could cause any sort of havoc in that. Advancements in Cyber Security best practices would be useful in helping that risk and we should continue to partner to ensure our defenses are strong. My question today, and anybody on the panel can answer it, i think that it was referenced in testimony from ms. Evans in particular that the assessment released earlier this year by the office of the director of National Intelligence details the capabilities of russia and china to cause massive disruptions to our energy systems. I was wondering if you could expand more on what a disruption to a Distribution Network or gas pipeline would mean for those citizens and Companies Impacted . Can anybody touch on that . Could you repeat the last portion of your question . Yes. Just expanding on a little more on what a disruption to an electrical Distribution Network or natural gas pipeline would mean for citizens and those companies that would be impacted by that disruption. Sure. Thanks for the question. We have not had a disruption up to this point, i want to point that out and make that very clear. Weve actually improved the Cyber Security reporting standards to actually report attempts as well as actual events. So from an actual Customer Perspective it could be an interruption whether its an electric Distribution System or natural gas system and it could be a disruption for some period of time. The period of time could vary quite a bit and theyll really have additional insight to your question other than that. Anyone else have any thoughts . I would just make the observation that one of the key tenants of the nerc and ferc reliability regime is that if an incident occurs it quickly gets contained so it doesnt cascade beyond kind of a local boundary to allow the various parties that would be required to do restoration are working on a smaller problem rather than a large one. So the one thing i would say is the highest likelihood in that area senior that an electrical disruption would be contained to a specific area and not cascade. The other point i would make, probably a better comment from the gas industry, a disruption of the natural gas system is really very, very complicated from a safety perspective because of the nature of the fuel. Right. Exactly. Secretary evans, you talked in your testimony about d. O. E. s role on the National Security council and mentioned the regular unclassified threat briefings that d. O. E. Provide to partners that go with the classified threat briefings to cleared members of the sector. Can you talk about the important of working with industry within sector and the importance of sharing and Analysis Centers . Im happy to discuss that. We do try to get the information declassified to the greatest extent possible so that it can be distributed through the information sharing and Analysis Centers that you mentioned. We hold regular meetings with those folks who manage that, the technical teams that manage that, they come. Those are handled at classified levels so they can understand the context around the threat. But we also then work across with the Energy Sector and the associations and through the Sector Coordinating Councils to do both classified and unclassified briefings so they can the more you can say in a classified environment is great but you want to be able to give them information thats actionable so they can go back and talk to their entire company and what kind of actions they can take and what kind of risks theyre posing. So we work at multiple levels to make sure we get the best information in the hands of those who can turn it into actionable information for their constituents. Thank you very much. Mr. Chairman, i yield back. The gentlemen yields back. And that concludes the witness questions. I certainly want to thank all the witnesses for your participation in todays hearing. Ill remind members pursuant to the new committee rules, they have ten Business Days to submit additional questions for the record to be answered by the witnesses who have appeared. And ill ask each witness to respond promptly to any such questions that you may receive. The chair now requests unanimous consent to enter into the record the following documents. A letter from the western governors association. A letter from protect our power. And a letter from the rstreet institute. Without objection so ordered. And the subcommittee now stands adjourned. In 1979, a Small Network with an unusual name rolled out a big idea. Let viewers make up their own minds. Cspan opened the doors to washington policy for all to sebringing you unfiltered content from congress and beyond. A lot has changed in 40 years but today that idea is more relevant than ever. On television and online, cspan is your unfiltered view of government so you can make up your own mind. This is the house judiciarys third hearing to review the conclusions of the mueller report. It came one day after the Committee Approves subpoenaed for 12 witnesses including white house Senior Adviser jared kushner. Former special Counsel Robert Mueller is set to of it testify before congress, wednesday, july 24th. This is two and a half hours. Judiciary committee will please come to order. That objection the chairs authorized to declare recesses the of the ctt
vimarsana.com © 2020. All Rights Reserved.