Committee will come to order. Today we're holding a hearing to discuss a timely topic. There have been numerous hearings on cyber security and how to stop the bad guys. What's not been discussed in great detail is what the consequence will be from a massive cyber attack that brings down, for example, a large portion of the electrical grid for an amount of time. The purpose is to answer an important question. With respect to cyber threats to the electrical power system, what consequences should the federal government tell states and local governments to prepare for? In other words, for how many people and for how long should states plan on being without power? The federal government does this now for every significant hazard that we face, whether it's a category five hurricane hitting Miami or an 8.0 earthquake in Los Angeles. The federal government has realistic scenarios for states and cities to plan. The federal government does not have this basic planning scenario for a cyber threat to the power system, and there's a huge disparity in what different groups think is a potential scenario and in what state and local government should prepare. The difference would be significant for local governments. If the power is out for a few days, it can be an inconvenience. But if it's out for several weeks or a month or more, the local government has to potentially plan for increased public safety, water treatment, sheltering or evacuation, fuel delivery for generators and many other contingencies. What should we plan for? Ted in his book says that we should plan on six to 18 months of uninterrupted blackouts. The industry seems to say a cyber attack at most could cause an interruption in terms of days, not weeks. Today we're going to hear testimony from the Federal Emergency Management Agency, Department of Energy, Department of Homeland Security director, the congressional and the electrical industry.
I hope to get an answer for the states that are on the ground and charged with protection of people and property. Imagine what we would do without electricity for a day, week, month, a year. Virtually all critical infrastructure is on the grid and particularly the lifeline sectors and transportation, water and financial services. If the goal of the bad guys is to collapse the system, they're going to try to cut off the power. There have been reports of hacking attempts on the facilities by foreign and domestic parties and the national security and public safety and economic competitiveness and according to the Homeland Security, the energy sector was the target of more than 40 percent of all recorded cyber attacks. Even more concerning was the attack on Ukraine that affected 4 dozen substations and left a quarter of a million people without power. Call centers were hit with the telephone denial of service attack as customers were trying to report the outages. If anyone thought this was a glitch, think again. The electrical grid is under attack and the power sector is all too familiar with the devastation storms like Hurricane Sandy can leave behind and the physical attacks like the 2013 incident at the sub cap station in California. Thankfully in the cases of storms and physical attacks, the power sector has strong plans in place and redundant systems to restore the power quickly and to avoid the loss of life and property. But I am concerned about a cyber attack. Are there similar plans in place for industry and for the state and local government? Will those redundancies provide the same types of protection? Most recently I have been discussing this topic with those in my district, asking what they will do in their communities if the power is out for a long period of time. Honestly, most of them do not know because we don't know what to plan for. We have brought together the right people here to tell us today.
We are also going to discuss what preparedness looks like and the best practices and how to achieve a greater level of readiness all the way down to the local mayors and townships. I am encouraged to hear the talk about an all hazards approach and focusing on the greatest risks, but I think that there are unique characteristics of the threat that require specific planning guidelines. I know we cannot fight the system but given the daily lives, it's crucial that we understand the risks and be prepared for the likely consequences possible from the failure of that system. I look forward to having this conversation today and starting with the witnesses, and I thank you all for being here. I now call on Ranking Member for his comments.

Thank you, Mr. Chairman. You certainly laid it out all against the critical and electrical grid. We know that there's probing and being done by the states and in the just terror groups to the U.S., and we need to be certain that we are as prepared as we can be. The Ukraine attack was a harbinger of things to come. I think that it can cover the cyber attack area. The issue of probably most immediate concern for us that live in the northwestern United States is the threat of a cascade subduction of a quake of nine or nine plus. That will knock you out our, so there are going to be exercises conducted. Two exercises this year with the cooperation of the Homeland Security and all of the local and state authorities in the region to simulate what would be possible in face of that sort of a disaster. Many of the problems that could occur will be the same. The loss of transformers is particularly a concern, and I'm going to be probing the witnesses today. There's a question if the federal government should be stockpiling since they're custom orders and take six to 18 months.
It seems to me a no-brainer that we should either through the governmental sources or through the industry approximate be creating an industry here in the United States to deal with any and all of the sorts of potential attacks and coordinate a physical and cyber attack that could of course be the most devastating outside of a massive earthquake and again many of the same issues arise and then one that does not get talked about very much but we held a series on it and then called the committee over the nuclear power is the potential for a bomb in place. That's a nuclear plant. If you destroy the backup system and take over the plant, you create a meltdown. How good is the security at our nuclear plants these days? I know that this hearing is not going to get to that topic. I am not sure that it's in the jurisdiction, but it's a concern to me and I just wanted to raise that issue. Like aviation and electricity and the grid, and nuclear plants they're of interest to the terror groups and I am pleased that you're holding this hearing today.

We have two administrators on the panel. Assistant Secretary Haufman from the Department of Energy's Office of Electricity Delivery and Energy Reliability. This is the office charged with coordinating the federal efforts to facilitate the recovery from disruptions in the emergency and energy supply. Assistant secretary for the protection from the Department of Homeland Security, and Mr. Richard Campbell, an expert at the Congressional Research Service and the electric power sector. On the second panel it's the president and CEO of the Liability Corporation and those who the mission is to insure the system in North America and Mr. William Spencer, CEO and the corporation and one of the largest and the utility companies in United States. And Ms. Bobby kiln mother, president and CEO of the Rural Electric Cooperative, a utility serving square miles in northeastern Pennsylvania.
I ask consent that the witnesses' full statement be included in the record. Without objection, so ordered. The subcommittee would request you limit your oral testimony to five minutes. Let's start with the first panel. Administrator Fugate, you may proceed.

Thank you. I want to address the question of what they need to plan for. Based on our experiences dealing with other hazards that have caused disruptions, planning needs to be measured in weeks, particularly if there's damage to infrastructure. With cyber, we have seen restoration potentially very quickly if there's not physical damage. But if you have damage to transformers or generator capacity, that will extend it. We do know it's important that in an initial response that you provide for safety and security. When lights are out, power is out. We have had major metropolitan areas go with this. We have had people trapped in elevators and that may mean to go out and wait for problems and not wait for the call of 911. The next steps are again as the members point out and all hazards. You have to provide the needs and hopefully the critical infrastructure has power and emergency power. You have to fuel supply that you need. We have found in many cases that communities have not planned for that. Either they don't have critical equipment on backup power or fuel supply. They only have enough to run the weekly and monthly test but not for a crisis. Generators are very expensive and in my other cases there are options. The idea is what are the things required to keep the community up and running until the power can be restored and the lifeline? Water treatment and hospitals and communication and the 911 and other facilities. They usually have them but they have to be planned. Not just during the monthly test. As you pointed out, Mr. Chairman, it starts to drive other issues.
As we saw the longer that you have them, the longer that you have the effects and not getting to retail stores and others and gasoline distribution and as they start to get back to normal, they're all challenges. So the planning is based on the safety, keeping the life systems up, focuses on the restoration of the grid and the reality that the areas are going to be last to get the power because you're going to try to get the retail sectors and major centers up first. The industry has shown a lot of capable of doing the structures. We think that it would apply for cyber. Cyber has a lot of unknowns. I will defer to my experts to my left on what they are and the potential threats and how likely they are. You said how big is by? Well, we look at things and that's jail to the storms. Because of the way that it's built and the transformers, we have developed what we would do and the satellites and systems. We are working currently now with the lessons of the previous power outages on the annex to add to the natural response framework to look at the power outages and a lot of the agencies that the government brings and this has to be a true working relationship. We cannot do this separately as a partnership. We have to have levels and then we have the power in the states through the utility regulatory management. That framework this summer is going to our senior leadership in the agency to begin the process of occurrence and updating it. It's the framework if something were to happen now. Based on the lessons from Sandy and other disruptions. The challenge for people to look at planning for not what they do everyday but what happens if the power is out. Not just for hours but for weeks. Do they understand what they need to do and that the critical lifelines have the power? I have been through enough hurricanes and few had enough to pass what was there and in a full load of crisis, they failed. They did not maintain enough fuel in the systems for that.
They did not have the contracts for the firm deliveries when the crisis occurred. You really need to get people to focus on this. If you're going to provide the emergency power, it has to be for real and provide it for a long time. You have to do it from a stand approach. We don't know how long it's going to be out. We have the response steps, and you have to ask the question if it's only on the 72 hours and if we're out for a week, what are the things that we have to focus on. The story of the industry is also good. We learned a lot about how to get the systems back up and bypass the failed systems. In many cases they have replaced the man in the middle and then come back and run a system and get the power back. So I think there's both a good news story, but there's still a lot that we do not know. So against that, we're not going to run a plan for everything that cannot happen. We need the right thing on consequences. As we have the duration of the impacts, that's going to shake the guidance and officials. We're dealing with the extensive power outages. Regardless of the cause of it but the time and what would be happening and the next steps are. Again a lot of the lessons are learned from the hazards and then how widespread and how they are impacted. That's probably the one difference that a physical threat as much as a hurricane. We know the geographical area and we know that it's not assigned by the boundaries and that's a system wide. That's another area that we ask questions about. That's probably outside of an a p and that's the largest impact to the utilities and a lot of work is done to minimize. Mr. Chairman, I stand ready for the questions, but I tried to answer them in the opening statements.

Thank you for the testimony. Before we move on, I want to recognize the Ranking Member of the subcommittee, Mr. Carson, for the opening statement.

I want to thank you guys and for the sake of time we should continue, and I was the one that was late. Thank you.

Thank you.
We will move on, Assistant Secretary. You may proceed.

Thank you for focusing on the attention of being prepared on the outage and to discuss the electricity system in an increasingly challenging environment. Our economy, national security and even the health and safety of citizens depend on the reliable electricity. The mission of the Office of Electricity Delivery and Energy Reliability is to strengthen, transform and improve the structure to improve the access to the clean sources of energy. We're committed to working with the public and private sectors to protect the structure and including the power from the disruption whether it's caused by natural or manmade events, cyber attacks. The crucial factor is to be proactive and cultivate what I call an ecosystem of resilience and that owner, operators, vendors and consumers work together to prepare, respond and recover. Our organization works on in-depth strategies, products and tools to inform and educate state and local officials in their energy emergency preparedness activity. This is done through training, exercises that includes federal, state and local energy officials. In the area of cyber security, as part of the administration's effort to improve electric sector capabilities, the Department of Energy and industry partners have developed the electric sector cyber security capabilities maturity model. This is an evaluation tool that helps organizations prioritize and develop cyber security capabilities. In April DOE in Washington, D.C., Clear Path is an interagency exercise focused on testing and evaluating the energy sector roles and responsibilities and response plans utilized for a subduction zone 9.0 earthquake and tsunami.
The department works to assess the impacts of disaster on local and regional energy infrastructure, coordinate delivery of assets, monitor and report on restoration efforts and provide regular situational awareness to key decision makers at the state, the White House and our interagency partners. DOE provides strategic leadership by requesting and facilitating the development of an energy information sharing and analysis center as well as the development of an electric sector coordinating council. This council is a group of leaders across the electric sector that meet regularly with government to coordinate and share information. When power goes out, the local utility is the first responder. Should any threat or emergency exceed the capability of any local or private sector resources, the federal government and the electric sector through the council will engage in coordinating a response to this type of a crisis. Congress enacted several important new security measures in the FAST Act. This act affirms DOE's responsibility and cyber security coordination, oil and gas information sharing, the development of a transformer reserve plan. In addition, the FAST Act provides the secretary of energy with a new authority. Upon declaration of an emergency by the president, the secretary can issue orders to protect and restore critical infrastructure or defense critical infrastructure. This authority allows DOE to respond as needed to cyber threats