Ways to improve cyberSecurity Issues for the Energy Sector. Witnesses stressed the importance of protecting the Us Energy Grid and what the government can do now to help prepare for potential attacks, held by the Senate Energy committee, this is almost two hours. Good morning, the committee will come to order. We are here this morning to examine federal and industry efforts to improve the cybersecurity of the Energy Sector including efforts to improve collaboration on Cyber Security and Critical Infrastructure protection initiatives. It has been more than a year since we last held a hearing on cybersecurity for the Energy Sector but it is fair to say this is always a timely topic. A critical priority we cant lose sight of even as we grapple with covid19, which becomes the source of our next national crisis. There have been a few noteworthy developments since our last year. Earlier this year the president issued an executive order focused on securing our system from the cyber and physical threats posed by hostile nationstate actors. This is an effort that will be led by the department of energy. The federal Energy Regulatory commission has published a paper detailing potential structure for providing incentives to make cybersecurity investments following up on a Technical Conference examining the same issue in 2019. I am pleased to be able to welcome our witnesses from d o e and look forward to hearing the latest from the them. I also welcome those representing industry which will plan equally significant role in how these initiatives unfold. The threat of Cyber Attacks by foreign adversaries and other sophisticated entities is real and growing. As i mentioned on the senate floor when we confirmed mark menzies Cyber Attacks are only growing more sophisticated. According to the latest worldwide threat assessment from the office of the director of National Intelligence china, russia and other foreign adversaries are using Cyber Operations to target our military and our Critical Infrastructure. Those adversaries already have the capability to launch cyberattacks against electric and gas infrastructure. The covid19 pandemic has created a unique opportunity for cybercriminals to attack our networks including Critical Energy infrastructure. The department of justice recently issued a press release announcing the excitement of two individuals backed by the Chinese Ministry of data security. Doj noted these two individuals not only targeted portions of our Energy Sector, including does handprint site but also entities conducting research on a coronavirus vaccine. We cannot allow hostile foreign nations to disrupt our way of life. Energy is the lifeline for all Critical Infrastructure sectors and protecting our Critical Infrastructure is the first step in ensuring its continuity. Unfortunately we have already seen the real world ramifications of cybertax on Energy Infrastructure. This is most vividly seen in russias attacks on ukraine. In december of 2015 Russian Hackers cut power to nearly a quarter Million People in ukraine in an attempt to disrupt and intimidate. In december of 2017 Russian Hackers infiltrated the Industrial Control System of a Saudi Arabian petrochemical plant and disabled the plants safety systems. Will recently, in advance russian government backpacking group is alleged to have probed the us energy entitys network according to a release doe issued in january. We all know the stakes. A successful hack would shut down power, impacting hospitals, banks, gas pumps, military installations and cell phone service. The consequences would be widespread and devastating and only more so if we are in the midst of a Global Pandemic. The federal industry focused on Cyber Security is a major reason why the United States is not experienced an attack like ukraines. Protection of critical assets is a shared responsibility demanding federal, state and private sector partners Work Together to improve cyber defenses and coordinate responses to Cyber Attacks. The fast act of 2015 contains provisions offered by our committee to codify the department of energy and sectors specific agency for the Energy Sector and to provide the secretary with the authority to address grid related emergencies. We also sought to facilitate greater information sharing by protecting Sensitive Information from disclosure. Our American Energy innovation act also has numerous sections to enhance government industry partnerships and establish programs to enhance the cyber utilities. Most recently introduced a new bill, the energy Infrastructure Protection act to update provisions in the federal power act and restrict federal disclosures of certain Sensitive Energy information. I know there are a few who may disagree with that approach but the alternative, disclosing and displaying our vulnerabilities for our enemies will hardly make us any safer. Im pleased to welcome the testing was panel of witnesses who are frontlines protecting Energy Infrastructure and cyberthreat so i thank you for being witness this morning and now turn to my colleague, Ranking Member senator manchin. Thank you to our witnesses for making yourself available to join us in the effort to improve the cybersecurity of the sector. As a Ranking Member of the Cyber Security committee i am focused on the security of our Energy Infrastructure. The importance of our discussion against the backdrop of Global Pandemic is not lost on any of us in this room. The covid19 crisis has made our nation and the world acutely aware of consequences of being underprepared for catastrophic event and forced the Energy Industry to adapt to new challenges and vulnerabilities with more employees working remotely. There are lessons to be learned from this moment in history about the need to invest in protections to avoid, mitigate and respond to events the challenge our resilience. You all know well the first to Critical Infrastructure are serious. In recent months federal officials have warned the rising cyber to be security threats from china and russia has shown new interest in targeting us targets. Last month the National Security agency and the cybersecurity and infrastructure Security Agency issued an alert urging Critical Infrastructure operators to take immediate action to secure their Operation Technology estimates. Legacy grid systems not designed to defend themselves against modern cyberattacks it as they grow more and more connected to the internet are electric systems grow more and more vulnerable. On top of that idea recently issued a report that show the Energy Sector suffers particularly high cost from statesponsored cyberthreats. Compared to the Previous Year the cost of Cyber Breaches are up 14 with increased number of effects targeting power grid infrastructure and the magnitude of the damage caused. Theres a lot of work being done across the sector to address Cyber Security challenges. I would like to highlight the good work of senator king recently cochaired the Cyberspace Solarium Commission. This commissioner shall report identifying a number of recommendations to reduce the probability impact of cyberattacks of Critical Infrastructure which he presented to the Senate Armed Services committee yesterday and it was quite enlightening. The report is broad in scope many commissions recommendations affect the electric industry and i look forward to hearing about the impact today. A few months ago the president issued an executive order directing the department of energy to identify foreignmade grid components that pose an unacceptable Security Risk to the us power grid. While i support this action i was concerned about equipment that was not adequately consulted. We sent a letter to the doe about these concerns and are eager to utilize invaluable knowledge and experience of manufacturers as they implement this executive order. Having dealt with industry representatives today look forward to hearing how these engagements are going. There are certain opportunities for commerce to facilitate action in this space as well and im proud American Energy innovation act include several pieces of legislation that support investments and programs that are of vital importance to securing and protecting vital Energy Infrastructure. The bill would strengthen Publicprivate Partnerships like those i know our witnesses will discuss today. And included in the protect act which would establish incentives for electric utilities to invest in advanced Cyber Security technologies. Im still committed to passing this comprehensive Bipartisan Energy package so these programs can be put into action, i look forward to hearing from our agency and industry witnesses today, and what work needs to be done. Thank you, madam chairman. Thank you senator manchin. He mentioned senator king on the cyber space solarium commission. Senator king is a member of the disaster program. You mentioned he had an opportunity before the Senate Armed Services so it is important to acknowledge the work, if you would like to make brief comments about that before we turn to our distinguished panel youre certainly welcome. Thank you, madam chair, and you outline delicately the danger so i dont need to spend a lot of time on that. Everyone here knows the level of risk that we have before us. Let me tell you about the solarium. It was created in the National Defense authorization act. It was a National CommissionWhose Mission was to establish a comprehensive strategy to defend this country in cyberspace. The structure of the commission was somewhat unique, 14 members, four sitting members of congress, myself, senator ben sass, congressman Mike Gallagher of wisconsin, republican wisconsin, a democratic member of the house, member of the Armed Services committee for rhode island. We had members from the executive and six members from the private sector, one of the most valuable members of the entire commission was tom fanning who is the ceo of the southern company, the secondlargest electrical utility in the country. We had over 30 meetings, 90 in all our meetings and talked about a whole range of cyberissues with our report boils down to 3 simple points. One is reorganization, reorganizing and organizing our government to be responsive to this problem and not operate in silence. Secondly is resilience, how to strengthen our resistance to cyberattacks and how to build up our defenses if you will and the third is response. How do we develop a deterrent doctrine so that our adversaries have to feel that they will pay a price for attacking this country even if it is below the level of threshold of the use of force. Energy of course is a major target. One of the challenging parts of this problem which you and Ranking Member manchin mentioned is this has to be a partnership between the federal government and the private sector. 85 of the target space in cyberspace is in the private sector. A lot of that is in the Energy Sector and if theres one thing we learned from the pandemic it is that the unthinkable can happen. Significant cyberattack is not unthinkable. We know that it is being planned and we know it is happening today. I spoke to a utility executive who told me his system is attacked 3 million times a day. Now, today. This is not an abstract issue. This is something we have to address, the commission made a number of legislative recommendations, more than 2 dozen of which we hope will be included in the final National Defense act that is now headed to conference and i want to thank the committee and the chair in the Ranking Member for their cooperation on assisting us in getting those provisions into the National Defense act. There will be others we are discussing the next few months in this committee but i want to thank you for having this hearing. It is incredibly important. This is one of our prime issues and i look forward to the testimony of our witnesses and again thank you for your work on this and if we Work Together we can defend this country. Thank you for that brief summation, to those of you including senator sasse who were part of an important commission. Lets turn to our panel this morning. One of our witnesses that has joined us in person, thank you for that, Mister Alexander gates, Senior Advisor in the office of policy for Cyber Security, Energy Security and emergency response, we call it caesar, at the Us Department of energy. We welcome you to the committee, mister gates. With us virtually today are Mister Joseph mcclelland, the director of the office of Energy Infrastructure and security at the federal Energy Regulatory commission. We welcome you. Mister steve connor is president and ceo for Siemens Energy. We thank you for being part of this panel this morning, Mister Connor and Mister Thomas obrien, Senior Vice President and chief Information Officer at pjm interconnection. We appreciate that you have joined us as well and look forward to your input todays discussion. We will go in the order that i have introduced. We will begin in the Committee Room with mister gates. We ask you to keep your comments to 5 minutes, your full statement will be included as part of the record and we will have an opportunity for questions from those of us present and those of us online. Welcome, thank you for your leadership in the department of energy, please proceed. Thank you, maam. Members of the committee, thank you for the opportunity to appear before you to discuss the department of energys important work to protect the Energy Infrastructure from cyberthreats. Reliable, resilient and secure Energy Infrastructure is critical to us economic competitiveness, National Security and our way of life. As the organization responsible for safeguarding the Nations Nuclear stockpile and a member of the Intelligence Community, the department of energy is keenly aware of threats to our National Security. Today that includes cyberthreats to the Energy Sector. The 20192020 worldwide threat assessment, director of National Intelligence stated, quote, our adversaries and strategic competitors will increasingly use Cyber Capabilities to seek political, economic and military advantage over the United States and its allies and partners, china, russia, iran, north korea, increas