[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
   CRITICAL INFRASTRUCTURE CYBERSECURITY: ASSESSMENTS OF SMART GRID 

                                SECURITY
=======================================================================



                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 28, 2012

                               __________

                           Serial No. 112-120



      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov




                  U.S. GOVERNMENT PRINTING OFFICE
76-641                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 7_____

              Subcommittee on Oversight and Investigations

                         CLIFF STEARNS, Florida
                                 Chairman
LEE TERRY, Nebraska                  DIANA DeGETTE, Colorado
SUE WILKINS MYRICK, North Carolina     Ranking Member
JOHN SULLIVAN, Oklahoma              JANICE D. SCHAKOWSKY, Illinois
TIM MURPHY, Pennsylvania             MIKE ROSS, Arkansas
MICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida
MARSHA BLACKBURN, Tennessee          EDWARD J. MARKEY, Massachusetts
BRIAN P. BILBRAY, California         GENE GREEN, Texas
PHIL GINGREY, Georgia                DONNA M. CHRISTENSEN, Virgin 
STEVE SCALISE, Louisiana                 Islands
CORY GARDNER, Colorado               JOHN D. DINGELL, Michigan
H. MORGAN GRIFFITH, Virginia         HENRY A. WAXMAN, California (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)

                                  (ii)


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     1
    Prepared statement...........................................     4
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement.................................     6
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................     7
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, opening statement..............................     8
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     8
Hon. Phil Gingrey, a Representative in Congress from the State of 
  Georgia, opening statement.....................................     9
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................     9

                               Witnesses

Gregory C. Wilshusen, Director, Information Security Issues, 
  Government Accountability Office...............................    11
    Prepared statement...........................................    13
David C. Trimble, Director, Natural Resources and Environment, 
  Government Accountability Office \1\...........................
    Prepared statement...........................................    13
Richard J. Campbell, Specialist, Energy Policy, Congressional 
  Research Service...............................................    31
    Prepared statement...........................................    33

----------
\1\ Mr. Trimble did not offer oral remarks for the record. Mr. 
  Trimble and Mr. Wilshusen submitted a joint statement.


                   CRITICAL INFRASTRUCTURE CYBERSECU-
                RITY: ASSESSMENTS OF SMART GRID SECURITY

                              ----------                              


                       TUESDAY, FEBRUARY 28, 2012

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:19 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Cliff 
Stearns (chairman of the subcommittee) presiding.
    Members present: Representatives Stearns, Terry, Myrick, 
Burgess, Blackburn, Gingrey, DeGette, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight and 
Investigations; Todd Harrison, Chief Counsel, Oversight and 
Investigations; Katie Novaria, Legislative Clerk; Andrew 
Powaleny, Deputy Press Secretary; Alvin Banks, Democratic 
Investigator; Brian Cohen, Democratic Investigations Staff 
Director and Senior Policy Advisor; and Kiren Gopal, Democratic 
Counsel.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Good morning, everybody. I call the 
subcommittee's second hearing on cybersecurity and critical 
infrastructure protection to order.
    My colleagues, America's infrastructure systems have become 
more automated and more reliant on information systems and 
computer networks to operate. While our systems are more 
efficient, they also open the door to cyber threats and cyber-
attacks. Today, the subcommittee focuses on that part of the 
critical infrastructure known as smart grid, which refers to 
the information technology systems increasingly incorporated 
into the Nation's electricity networks.
    Smart grid technologies are designed to lower operation 
costs, reduce maintenance costs, and expand the flexibility of 
operational control relative to the current grid system. Their 
operational efficiency and improved asset use is driven by 
advanced communication and information technologies.
    I believe that we must update our electric grid with better 
technology integration, which is why I spearheaded the effort 
to secure funding for Energy Smart Florida, the largest smart 
grid demonstration project in the country. This initiative will 
invest hundreds of millions of dollars in smart grid technology 
and renewable energy in Florida and throughout the entire 
county. Energy Smart Florida will revolutionize how people use 
energy in their homes and enable them to make smarter choices 
about energy consumption and better control their carbon 
emissions. In addition, the widespread deployment of smart 
meters will provide Floridians with more reliable electrical 
service through an intelligent network that will be able to 
detect potential problems and automatically reconfigure the 
grid to minimize or eliminate outages.
    But ask any expert in the national security field and see 
what keeps them up at night. They would probably tell you, as 
they tell me, that it is the increased possibility of a 
devastating cyber-attack. This threat is real and is why it is 
virtually important--vitally important for us to do what we can 
to protect our critical infrastructure from these threats. We 
have seen in the past decade what impact both man-made and 
natural disasters have on our Nation's utility systems. Imagine 
the impact of a cyber-attack to the electrical grid. How many 
days could hospitals operate with onsite electric generation? 
How would metro rail systems operate, if at all? How would we 
recharge our smart phones or access the internet? The goal of 
the smart grid is to improve efficiency, reliability and 
interoperability. An equal goal, however, must be to improve 
upon the security controls and to minimize the impact from a 
man-made or natural disaster to ensure reliability and avoid 
such possibilities.
    Now, a recent report completed by the Pike Research company 
estimated that utilities' initiatives to secure their 
infrastructure will drive increasing investments to involve 
cybersecurity systems and total roughly $14 billion from now 
through the year 2018. While the Department of Energy has 
emphasized investment in technologies such as smart meters, 
among other technologies, we want to ensure that where there is 
investment, there is not a cybersecurity gap. We want to 
emphasize that there is also investment in securing control 
system segments including transmission upgrades, substation 
automation, and distribution automation systems.
    Protecting critical infrastructure is a complicated issue. 
We are talking about facilities and frameworks owned by private 
companies, and by Federal, State, and local governments. They 
are interconnected. Electricity powers water systems that cool 
nuclear reactors, for example. They are vulnerable to threats 
from a number of different sources, including nation-states, 
criminals, and hackers.
    The issues surrounding critical infrastructure protection 
and security are complex. To help analyze these complexities, I 
am pleased to be joined by our panel of experts in the field. 
Today, we will hear testimony from two witnesses at GAO: Mr. 
Gregory Wilshusen, Director of Information Security Systems, 
and Mr. David Trimble, Director of Natural Resources and the 
Environment. I look forward to their testimony, and getting a 
better understanding of their extensive work examining 
cybersecurity implications of the smart grid. I also would like 
to welcome Mr. Richard Campbell, of the Congressional Research 
Service, who has examined this very subject and we look forward 
to his contributions today.
    My colleagues, as I mentioned previously, this is the 
subcommittee's second hearing in this Congress on critical 
infrastructure protection and cybersecurity. The purpose of 
this hearing, in particular, is to get an overview of smart 
grid cybersecurity, and how it is working and what can be done 
better. It is my intention to call the Department of Energy and 
possibly other stakeholders to a future hearing for further 
consideration of smart grid security.
    I have enjoyed working with the Ranking Member, Ms. DeGette 
and the Minority in these matters and look forward to working 
with them on overseeing cybersecurity issues again. So I look 
forward to this hearing, the perspectives of our expert 
witnesses about the safety of this vital part of critical 
infrastructure, and whether we are taking the right steps to 
protect them from cybersecurity risks and threats.
    [The prepared statement of Mr. Stearns follows:]


    [GRAPHIC] [TIFF OMITTED] 76641.001
    
    [GRAPHIC] [TIFF OMITTED] 76641.002
    
    Mr. Stearns. And with that, I recognize the ranking member, 
Ms. DeGette.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Mr. Chairman, for holding 
this hearing on smart grid cybersecurity.
    Last year in July, representatives of the Department of 
Homeland Security came before this subcommittee to discuss 
their efforts to protect and deploy Federal resources and to 
coordinate with the private sector to prevent and respond to 
cyber attacks. This hearing, as you mentioned, is an important 
follow-up to that hearing.
    Protecting our critical infrastructure from cyber attacks 
is, of course, of vital importance. As our electric grid 
evolves, we become more and more dependent on so-called smart 
technologies to control, connect, and maintain this 
interconnected system. This is a good thing. It will make the 
grid more efficient and more reliable. For example, consumers 
will soon be able to track the price of electricity minute by 
minute and adjust electricity use accordingly, waiting, for 
example, until prices are right to do the laundry or start the 
dishwasher.
    However, these investments also expose us to new threats. 
These new technologies can be easy prey for hackers or 
terrorists who seek to bring down unprotected networks. As the 
smart grid becomes more interoperable, these attacks could have 
debilitating effects nationwide, as you mentioned, Mr. 
Chairman. In 2007, DHS ran a test known as Aurora, which 
showcases just how dangerous grid vulnerabilities can be. They 
used a dial-up modem to rewrite computer code and remotely 
detonate an industry-controlled system generator. That is why I 
am pleased we are having this hearing today. We as a Congress 
must do everything in our power to ensure that the grid remains 
safe and secure.
    The testimony we hear today will help us understand our 
successes and identify flaws in the current approach so that we 
can understand what else can be done to protect the smart grid. 
This hearing will also help us understand if Congress needs to 
provide more resources or more legislative authority for key 
cybersecurity agencies.
    The administration has made cybersecurity a priority, 
launching a comprehensive national cybersecurity initiative to 
protect the digital infrastructure. The President's 2013 budget 
includes $769 million to support the National Cybersecurity 
Division within the Department of Homeland Security. These 
funds are targeted at improving monitoring on Federal networks 
to respond to cyber threats, and supporting cyber attack 
responses for critical infrastructure owners and operators, and 
for State and local authorities.
    I commend this targeted focus on cybersecurity, but I am 
hoping that today our witnesses will help us learn more about 
any gaps in security that may still exist.
    Mr. Chairman, as I said, I appreciate that you are holding 
this hearing, and I am encouraged that you have announced that 
we are going to keep looking into other areas where we can work 
together in a bipartisan fashion. For example, we will hear 
from witnesses today the issue of cybersecurity goes well 
beyond the protection of the critical infrastructure. Consumers 
entrust important personal information on their banks--to their 
banks, their internet service providers, their credit card 
companies, and the retailers from whom they purchase items from 
online. These companies should ensure that they are protecting 
this information and Congress needs to be doing its oversight 
job to make sure that this is the case.
    Every day we hear stories about e-mail accounts being 
hacked, credit card information being hijacked, and Social 
Security numbers or other important personal information being 
stolen by cyber criminals. It has even happened to some of us 
who sit on this panel. The loss of this information can be 
costly and personally damaging. In September of last year, the 
internet security company, Symantec, issued the Norton Cyber 
Crime Report and calculated that cyber crimes cost companies 
and consumers $114 billion annually. That same report found 
that more than 2/3 of adults online had been victims of a cyber 
crime.
    As our use of internet services becomes more and more 
integrated, using the same internet services for e-mail, social 
networking, photo sharing, bill paying, and browsing and 
search, we have to be more vigilant in ensuring the protection 
of our personal information. Sites like Google, Yahoo, and 
Facebook will be targets for hackers, and if successful, these 
cyber attacks will have a major impact on the American public.
    For that reason, Mr. Chairman, in addition to investigating 
how the government can improve critical infrastructure 
cybersecurity, I think this subcommittee should also look 
closely at what the private sector is doing to prevent cyber 
attacks and keep consumers' personal information safe.
    I look forward to working with you on all of these issues, 
Mr. Chairman, and with that, I will yield back.
    Mr. Stearns. Thank the gentlelady and recognize the 
gentleman from Nebraska, Mr. Terry, for 2 minutes.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Chairman, for holding this 
important hearing. Of course, one of the cornerstone 
responsibilities of this Committee is finding--determining 
reliability of our electricity delivery system. In today's 
world, that means when we are protecting the grid, it means we 
have to look into the cyber attacks.
    Let me just give you one quick story from University of 
Nebraska at Omaha, PKI Institute of Information Assurance. They 
set up as a class project in their master's program an electric 
company fake Web site, and then tracked who would attack it. 
Within about 48 hours, there was probably about 50 hack 
attempts, most of them coming from a certain region in China, 
but all over the world. This just shows how vulnerable we are.
    Now as we move to more of a smart grid, that also means 
that we have more vulnerabilities, whether it is from EMPs or 
from cyber attacks. So looking at how we can strengthen our 
ability to defend from these attacks is just part of our core 
effort here.
    So at this time, I would like to yield the rest of my time 
to----
    Mr. Stearns. The gentleman yields back the balance of his 
time?
    Mr. Terry. Yes.
    Mr. Stearns. And so we have extra time here, and we 
recognize Dr. Burgess for a minute and a half to 2 minutes.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Thank you, Mr. Chairman for the recognition. I 
want to thank our witnesses for being here today, because this 
is an issue of extreme importance. We are facing threats from 
around the world, and certainly, all of us want to remain 
vigilant.
    From hearings that we have had in previous Congresses in 
this subcommittee, and from talking to people who are charged 
with protecting our country, defending our country in an 
increasingly adverse cyber environment, we are well aware that 
every day from around the world, as Mr. Terry mentioned, are 
trying to break into our vital modes of infrastructure and 
technology, and not the least of that being the electric grid.
    We are also concerned about cost and that is why I am so 
grateful that some of the testimony today has focused on the 
effectiveness and the effectiveness of even the metrics that we 
use in order to assess how we are doing, and I think that is of 
critical importance, both as a consumer and certainly, it is 
clear that the utility companies themselves will be interested 
in knowing what the effectiveness of the measures that we are 
asking them to implement--they have to be interested in the 
effectiveness of those measures.
    We want these to be informed decisions. We do not want them 
to be emotional or political decisions, but we want them to be 
based on the best possible information, so that is why I am 
grateful, Mr. Chairman, that you called this hearing. I am 
grateful for our witnesses to be here, and I will yield back to 
the chairman.
    Mr. Stearns. Gentleman yields back and we recognize the 
gentlelady from Tennessee, Ms. Blackburn----
    Mrs. Blackburn. Thank you so much----
    Mr. Stearns [continuing]. For a minute and a half.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you. I appreciate that. I do want to 
welcome our witnesses.
    We all know and we realize how very--how debilitating these 
attacks would be. Some of the reports that I have read indicate 
that we could see blackouts for 9 to 18 months in areas if we 
were hit with a cyber attack, and certainly last year as we 
have looked at the series of attacks known as Night Dragon and 
how the hackers broke into and stole proprietary information 
worth millions of dollars, we see how this has a direct impact 
on not only U.S. but European energy companies.
    I think that one of the things that concerns me is looking 
at what we have found out with the increase from '06 to '10 a 
650 percent increase in the number of attacks and the 
incidences that have been tracked. So we welcome you and we 
look forward to hearing what you have to say, and some of the 
accelerated planning issues that are in front of us.
    Thank you very much. Yield back.
    Mr. Stearns. Gentlelady yields back and I recognize the 
gentleman from Georgia, Mr. Gingrey, for 1 minute.

  OPENING STATEMENT OF HON. PHIL GINGREY, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF GEORGIA

    Mr. Gingrey. Mr. Chairman, I thank you for giving me a 
minute of time. I was looking for an e-mail on my iPhone, but I 
don't know how to use the iPhone so I couldn't pull up the e-
mail. But basically I received an e-mail on my iPhone just a 
couple of days ago, purportedly from literally my best friend, 
who happens to be of European descent, and it was this typical 
e-mail, ``I am contacting you with tears in my eyes. We went on 
vacation in Spain, we got mugged at the--we can't get home, 
could you please e-mail us or wire us 1,600 Euros? God bless 
you and thank you for your help.'' I mean, that kind of thing 
is amazing. It is the first time I have ever received one of 
those, but that is small potatoes, of course, compared to what 
we are talking about here, but it just is a small example of 
the seriousness of cyber attack on the smart grid, so I am 
really looking forward to hearing from the witnesses and 
learning more about this----
    Ms. DeGette. Will the gentleman yield? Maybe your iPhone 
doesn't work because you opened that e-mail from your friend 
and now they have destroyed all your network.
    Mr. Gingrey. I have been attacked.
    Ms. DeGette. Yes.
    Mr. Gingrey. Thank you, Ms. DeGette.
    Ms. DeGette. You are welcome.
    Mr. Stearns. All right, our side is complete. With that, 
recognize the Ranking Member of the Full Committee, the 
gentleman from California for 5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you, Mr. Chairman. I appreciate your 
holding this hearing, and I want to say, this is exactly the 
type of oversight this subcommittee should be conducting, 
ensuring that our government uses its resources wisely, and 
that the private sector is taking appropriate steps to 
guarantee the safety and security of our Nation's critical 
infrastructure.
    Today's hearing will give us an opportunity to learn about 
the key challenges to ensuring the security of this Nation's 
electric grid. As the grid becomes more technologically 
advanced, it becomes more exposed to hackers, terrorists, and 
foreign enemies. As the grid becomes more interoperable, the 
potential effect of a cybersecurity breach becomes more 
widespread.
    The smart grid offers tremendous potential benefits. 
Modernizing the grid will make electricity cheaper, more 
efficient, more reliable, but at the same time, we must take 
appropriate action to protect the electric grid and to improve 
services and access for citizens across the Nation.
    In 2007, Congress and then-President Bush approved the 
Energy Independence and Security Act of 2007. This legislation 
authorized the Smart Grid Investment Grant Program and the 
smart grid Demonstration Program. The 2009 Recovery Act amended 
these programs and provided funding to ensure their 
implementation.
    The first program, the Smart Grid Demonstration Program, 
funded 32 projects to verify the viability of smart grid 
technology and quantify the costs and benefits of these 
improvements. The second program, the Smart Grid Investment 
Grant Program, awarded grants for smart grid technology 
updates. These grants have allowed the installation of smart 
meters in millions of homes, implementation of automatic peak 
pricing, response for commercial and industrial customers, and 
the development of comprehensive demand response programs. 
These programs provided 99 grants to recipients in 42 States, 
the District of Columbia, and Guam. In total, the Energy 
Department invested $3.4 billion in grants, which was matched 
by $4.6 billion in private investments, for a total public 
private investment of over $8 billion.
    Today will give us an opportunity to evaluate what is 
working and what can be improved in these programs. The 
Department of Energy's Inspector General recently issued a 
report on the Smart Grid Grant Program and identified some 
reimbursement issues and concerns about approval of some 
cybersecurity plans. Today's hearing will allow us to explore 
those issues.
    Beyond oversight, we must also do our part in protecting 
the electrical grid. Both GAO and the DOE Inspector General 
have acknowledged that Federal Energy Regulatory Commission has 
only limited authority to ensure the grid is truly secure. In 
fact, the Inspector General found that FERC does not have the 
authority to develop its own standards or mandatory alerts, 
even when new threats are identified. This gap in authority 
creates serious potential risks.
    Last May, the Subcommittee on Energy and Power held a 
hearing to discuss the bipartisan Grid Reliability and 
Infrastructure Defense Act, a bill that would give FERC 
additional authority to protect the electric grid from 
potentially dangerous vulnerabilities. Today's hearing will 
again demonstrate why we need to act on this legislation 
without further delay. We must continue to invest in making our 
electric grid the best in the world. That includes investing in 
standards and technologies so that the electric grid is secure 
in the face of unexpected terror attacks or hacking attempts. 
This hearing is an important step in identifying what can be 
done to ensure that the electric grid is protected.
    I have focused my opening statement on the electric grid, 
but I hope this hearing produces some ways for members to learn 
how to use their iPhones, and to be able to realize that when 
they get e-mails asking for money, they had better think twice 
about it. I nearly fell for that one myself. A good friend was 
evidently not able to afford to leave Paris. Things could be 
worse, but they wanted something worse, they wanted my money. 
This shows that our security of our technology is very 
important objective, and I think it is worthwhile for our 
hearing to do it.
    I am sure, since I have 19 second left, I want to comment 
that I am sure by the end of this hearing, whatever we find we 
don't like, the Republicans will blame on President Obama. Such 
is life. But I think this is a good hearing and I compliment 
the chairman for holding it. I will yield back my second.
    Mr. Stearns. The gentleman yields back his second, and I 
point out that sometimes we hear on your side everything is 
blamed on Bush, so----
    Mr. Waxman. Too late for that.
    Mr. Stearns. All right. Let me direct my comments to our 
witnesses this morning. As you know, the testimony that you are 
about to give is subject to Title 18 Section 1001 of the United 
States Code. When holding an investigative hearing, this 
Committee has a practice of taking testimony under oath. Do you 
have any objection to testifying under oath?
    The Chair then advises you that under the rules of the 
House and the rules of this Committee, you are entitled to be 
advised by counsel. Do you desire to be advised by counsel 
during your testimony today? If not, would you please rise and 
raise your right hand?
    [Witnesses sworn.]
    Mr. Stearns. You may now give your 5-minute summary of your 
written statement, and Mr. Wilshusen, you are first.

   TESTIMONY OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED 
     BY DAVID C. TRIMBLE, DIRECTOR, NATURAL RESOURCES AND 
 ENVIRONMENT, GOVERNMENT ACCOUNTABILITY OFFICE; AND RICHARD J. 
  CAMPBELL, SPECIALIST, ENERGY POLICY, CONGRESSIONAL RESEARCH 
                            SERVICE

               TESTIMONY OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Thank you, Mr. Chairman.
    Chairman Stearns, Ranking Member DeGette, and members of 
the subcommittee, thank you for the opportunity to testify 
today at today's hearing on cybersecurity for the smart grid. I 
am joined today by David Trimble, who is the Director for GAO's 
Natural Resources and Environment team. In addition, Mr. 
Chairman, if I may, I would like to recognize John Logoson, 
Mike Gilmore, and especially Lee McCracken for their efforts--
--
    Mr. Stearns. Ask them to raise their hand. We are not 
sure----
    Mr. Wilshusen. For their efforts in developing our written 
statement that we submitted today.
    As you know, the electric power industry is increasingly 
incorporating information technology systems and networks into 
its existing infrastructure as it modernizes the electricity 
grid. In 2007, the Energy Independence and Security Act 
established that it is Federal policy to support this 
modernization. Known as a smart grid, these nationwide efforts 
are aimed at improving the reliability and efficiency of the 
grid, and facilitating the use of alternative energy sources. 
Smart grid technologies include smart meters that enable two 
way communications between utilities and customers, smart 
components that provide system operators with detailed data on 
the conditions of transmission and distribution systems, and 
advanced methods for controlling equipment. The use of these 
systems may have a number of benefits, such as fewer and 
shorter outages of electrical service, lower electricity rates, 
and an improved ability to respond to attacks on the electric 
grid.
    However, the increased reliance on IT systems and networks 
also exposes the grid to cybersecurity vulnerabilities. For 
nearly a decade, GAO has identified the protection of systems 
supporting our Nation's critical infrastructures as--which 
include the electric grid--as a government-wide high risk area. 
Mr. Chairman, the threats to these systems supporting these 
infrastructures are evolving and growing. They include both 
unintentional and intentional threats, and may come in the form 
of equipment failure, as well as targeted and untargeted 
attacks from our adversaries.
    The interconnectivity between information systems, the 
internet, and other infrastructures can amplify the impact of 
these threats, potentially affecting the operations of critical 
infrastructures, the security of sensitive information, and the 
flow of commerce.
    In January 2011, GAO reported on a number of key challenges 
to securing smart grid systems and networks. For example, the 
Federal Energy Regulatory Commission, or FERC, which has 
responsibility for adopting cybersecurity and other standards 
it deems necessary to ensure grid functionality and 
interoperability, had not developed a coordinated approach with 
other regulators to monitor industry compliance with voluntary 
standards. In addition, we reported other challenges affecting 
industry efforts to secure the smart grid. Specifically, the 
electricity industry had not consistently built security 
features under certain smart grid devices, established an 
effective mechanism for our sharing cybersecurity information, 
and created a set of metrics for evaluating the effectiveness 
of cybersecurity controls.
    GAO made several recommendations to FERC aimed at 
addressing these challenges, and the Commission agreed with our 
recommendations.
    To summarize, Mr. Chairman, the electricity industry is in 
the midst of a major transformation as a result of smart grid 
initiatives. While these initiatives hold the promise of 
significant benefits, including a more resilient electric grid, 
lower energy costs, and the ability to tap alternative sources 
of power, the prevalence of cyber threats aimed at the Nation's 
critical infrastructure and the cyber vulnerabilities arising 
from the use of new technologies highlight the importance of 
securing smart grid systems. In particular, it will be 
important for Federal regulators and other stakeholders to work 
closely with the private sector to address key cybersecurity 
challenges posted by the transition--posed by the transition to 
smart grid technology. While no system can be made 100 percent 
secure, proven security strategies could help reduce risks to a 
manageable and acceptable level.
    Chairman Stearns, Ranking Member DeGette, and other members 
of the subcommittee, this completes my statement, and David and 
I would be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen and Mr. Trimble 
follows:]
[GRAPHIC] [TIFF OMITTED] 76641.003

[GRAPHIC] [TIFF OMITTED] 76641.004

[GRAPHIC] [TIFF OMITTED] 76641.005

[GRAPHIC] [TIFF OMITTED] 76641.006

[GRAPHIC] [TIFF OMITTED] 76641.007

[GRAPHIC] [TIFF OMITTED] 76641.008

[GRAPHIC] [TIFF OMITTED] 76641.009

[GRAPHIC] [TIFF OMITTED] 76641.010

[GRAPHIC] [TIFF OMITTED] 76641.011

[GRAPHIC] [TIFF OMITTED] 76641.012

[GRAPHIC] [TIFF OMITTED] 76641.013

[GRAPHIC] [TIFF OMITTED] 76641.014

[GRAPHIC] [TIFF OMITTED] 76641.015

[GRAPHIC] [TIFF OMITTED] 76641.016

[GRAPHIC] [TIFF OMITTED] 76641.017

[GRAPHIC] [TIFF OMITTED] 76641.018

[GRAPHIC] [TIFF OMITTED] 76641.019

[GRAPHIC] [TIFF OMITTED] 76641.020

    Mr. Stearns. All right, and I understand, Mr. Campbell, 
your opening statement is welcome.

                TESTIMONY OF RICHARD J. CAMPBELL

    Mr. Campbell. Good morning, Chairman, Ranking Member, and 
members of the subcommittee, my name is Richard Campbell. I am 
a Specialist in Energy Policy for the Congressional Research 
Service. On behalf of CRS, I would like to thank the Committee 
for inviting me to testify here today. I would like to request 
that my written testimony be entered into the record.
    Mr. Stearns. By unanimous consent, so ordered.
    Mr. Campbell. My testimony will provide background on the 
development of the smart grid, the Department of Energy's 
vision for the smart grid, and plans for the cybersecurity of 
the smart grid. I should note that CRS does not advocate policy 
or take a position on specific legislation.
    The electrical grid in the United States comprises all of 
the power plants generating electricity, together with the 
transmission and distribution systems which bring power to end-
use customers. The grid also connects the many public and 
private electricity companies and power companies throughout 
the United States. The modernization of the grid to accommodate 
today's power flows, serve reliability needs, and meet future 
projected uses is leading to the incorporation of the 
electronic intelligence capabilities for power control and 
operations monitoring. The smart grid is the name given to this 
evolving intelligent electricity network. While these 
intelligent components may enhance the efficiency of grid 
operations, they also potentially increase the susceptibility 
of the grid to cyber, that is, computer-generated, attack, 
since they are built around microprocessor devices controlled 
by software programming. The potential for a major disruption 
or widespread damage to the Nation's power system from a large-
scale cyber attack has increased focus on the cyber security of 
the smart grid.
    The Department of Energy summarized its view of the 
potential of the smart grid by the year 2030 as a fully 
automated power delivery network that monitors and controls 
every customer and node, ensuring a two-way flow of electricity 
and information between the power plant and the appliance, and 
all points in between.
    Federal funding has been provided to help develop concepts 
and technologies for the smart grid. The American Recovery and 
Reinvestment Act of 2009 provided $4.5 billion in funding to 
the DOE for projects to modernize the grid. DOE's Smart Grid 
Investment Grant program received $3.5 billion of these funds 
with the expressed purpose of stimulating the rapid deployment 
of advanced digital technologies needed to modernize the grid.
    The SGIG is a cost-shared program, meaning recipients of 
grants were to provide as much as 50 percent of a project's 
total costs.
    According to a recent report from the DOE's Office of 
Inspector General, all the available grant funds from the SGIG 
program have been awarded to 99 recipients, with awards ranging 
in value from $397,000 to $200 million. An approach to 
cybersecurity was required as part of the SGIG application 
process. Recipients of awards were required to submit a 
detailed plan addressing specific cybersecurity elements and 
concerns. The DOEIG report observed that DOE approved these 
cybersecurity plans even though weaknesses in the plans were 
identified and not fully addressed. The DOE responded to the 
report saying that it will require award recipients to update 
their cybersecurity plans later this year.
    The DOE funded the development of the recently released 
Roadmap to Achieve Energy Delivery Systems Cybersecurity. This 
Roadmap provides a plan to improve the cybersecurity of the 
electricity, oil, and natural gas sectors.
    The Roadmap recognizes the changing landscape of 
cybersecurity, and the continuing need to seek out and address 
cybersecurity gaps, and includes an implementation strategy for 
cybersecurity built on milestones to be achieved by the year 
2020.
    The DOE has recently begun to update its vision for the 
smart grid, focusing on three key attributes it sees as 
desirable for the smart grid of the future: a seamless, cost-
effective electricity system; a system capable of accommodating 
all generation choices; a system which enables customer choice.
    According to this updated vision, the smart grid will still 
see regional diversity in power choices, while allowing for the 
development of a national framework. According to DOE, a 
reliable, secure, and resilient grid will be the key to 
achieving this vision.
    In conclusion, it is the very features which can add 
seamless integration and utility to the smart grid that also 
add cyber vulnerabilities to electricity networks. Some assert 
that the smart grid and cybersecurity systems will have to 
develop along parallel but interconnected paths if the electric 
grid of the future is to develop in a manner that can enhance, 
and not impair, future economic development.
    Congress could provide funding for research and development 
of systems to bridge gaps in cybersecurity and build the smart 
grid. Federal funding could also be used to bring government 
and industry together in forums to address the needs and 
directions of these developing systems.
    Congress may also provide for a regulatory framework which 
could achieve a basic level of cybersecurity. But due to the 
constantly changing nature of cyber threats, it is unlikely 
that effective cybersecurity of the grid will be achieved by 
regulation alone. Some assert that electric utilities must be 
focused on cybersecurity as keenly as they are on their current 
obligation to serve or to provide shareholder value.
    Thank you for the invitation to appear today. I will be 
pleased to address any questions you may have.
    [The prepared statement of Mr. Campbell follows:]
    [GRAPHIC] [TIFF OMITTED] 76641.021
    
    [GRAPHIC] [TIFF OMITTED] 76641.022
    
    [GRAPHIC] [TIFF OMITTED] 76641.023
    
    [GRAPHIC] [TIFF OMITTED] 76641.024
    
    [GRAPHIC] [TIFF OMITTED] 76641.025
    
    [GRAPHIC] [TIFF OMITTED] 76641.026
    
    [GRAPHIC] [TIFF OMITTED] 76641.027
    
    [GRAPHIC] [TIFF OMITTED] 76641.028
    
    Mr. Stearns. Thank you, Mr. Campbell. I will start with my 
questions.
    Let us see if we get something that is current here. A 2011 
bulletin by the Department of Homeland Security titled 
``Insider Threats to Utilities'' stated that ``based on the 
reliable reporting of previous incidents, we have a high 
confidence in our judgment that insiders and their actions pose 
a significant threat to the infrastructure and information 
systems of the United States facilities,'' vis-`-vis the grid. 
Mr. Wilshusen, are you aware of any specific power outage or 
threat to the electric grid that has transpired in such a way 
that is talked about in this Homeland Security report from 
2011?
    Mr. Wilshusen. You mean specifically from an insider 
threat?
    Mr. Stearns. Yes.
    Mr. Wilshusen. I can't say I know of a specific incident 
where that occurred; however, certainly insider threats are 
very important and a threat that our agencies and entities need 
to consider, because insiders typically have advanced knowledge 
and even access to the systems and the types of systems that 
contain information that they could have the ability then to 
perpetrate, if they have malicious intent to cause disruptions 
and damage. And it is not just those with malicious intent, but 
also insiders who may be careless or who may be untrained that 
conduct activities that also impair or harm their systems and 
networks. But clearly, that is a key threat.
    Mr. Stearns. Are you aware of any outsiders soliciting 
people in the smart grid viable areas? Are you aware of any 
outsiders that are trying to do this?
    Mr. Wilshusen. In terms of corrupting----
    Mr. Stearns. Yes.
    Mr. Wilshusen [continuing]. And using insider threats? I 
can't say I know of specific examples of where that occurs--
that occurred.
    Mr. Stearns. Can you describe the controls and checks in 
place at utilities to prevent these kinds of attacks?
    Mr. Wilshusen. Well, clearly one of the key controls that 
utilities and, indeed, agencies should do is background checks 
on their employees and those----
    Mr. Stearns. Are they doing the background checks, in your 
opinion, adequately?
    Mr. Wilshusen. We haven't examined the--how the securities 
are----
    Mr. Stearns. So there has been no examination of how those 
background checks have been done and how they have been 
corroborated, or the credibility of those checks?
    Mr. Wilshusen. No, we have not assessed that as part of our 
review.
    Mr. Stearns. Do you think that should be done?
    Mr. Wilshusen. Well certainly it should be monitored and 
checked, because I do believe that individuals that have 
sensitive positions and hold--and have sensitive access to 
systems should have some level of background investigation 
performed. And there are other controls, too, that should be in 
place to help restrict and limit insiders, either careless or 
untrained insiders, as well as malicious from performing these 
types of acts, and that includes by limiting their access to 
only that level needed for them to perform their jobs, as 
opposed to giving them broader access to systems.
    Mr. Stearns. The MacAfee Corporation did a report in early 
2011, another current report, in which they surveyed about 200 
executives from critical electricity infrastructure across the 
United--across the world, in fact. That found that 85 percent 
had experienced network infiltrations, and 80 percent had faced 
a large scale denial of service attack. Do you think that 
number is correct? That is quite large, 80 percent of both 
network infiltrations and 80 percent faced a large scale denial 
of service attack. Do you think those figures are accurate?
    Mr. Wilshusen. I have no basis to form whether they are 
accurate or not, but I will say as it relates to Federal 
Government agencies----
    Mr. Stearns. Is that typical?
    Mr. Wilshusen. In terms of those that have reported 
security incidents, yes, most Federal agencies have done that 
and as the Congresswoman mentioned earlier, the number of 
reported security incidents within the Federal Government has 
risen by 650 percent from 2006 through 2010.
    Now, what one disparity or inconsistency with that comment 
that you made, the statistics in that MacAfee report is that 
within the Federal Government, there was only about 1 percent 
or so of the reported security incidents were considered to be 
denial of service attacks, which would be those that would 
disrupt the----
    Mr. Stearns. So I assume you reviewed the MacAfee report 
yourself?
    Mr. Wilshusen. No, I have not.
    Mr. Stearns. How do these people get into cause these 
infiltrations? I mean, do you have any idea how it actually 
happens?
    Mr. Wilshusen. Well, there are a number of different attack 
patterns----
    Mr. Stearns. Just give me two quick, the most prevalent.
    Mr. Wilshusen. Well, one would be, for example, if they put 
malicious software on a thumb drive and then an employee of 
that corporation----
    Mr. Stearns. Puts that thumb drive into the computer?
    Mr. Wilshusen. Pardon?
    Mr. Stearns. He puts that thumb drive in the software?
    Mr. Wilshusen. Puts the thumb drive into the computer and 
then downloads the malicious software onto the computer. That 
is one way.
    Mr. Stearns. To the hard disk, yes.
    Mr. Wilshusen. Another way would be if the attacker would 
set up a malicious Web site and which would also then entice 
employees of the service center to--or wherever--to go to that 
Web site and download what appears to be an innocuous or an 
attractive program, when in fact, that too contains malicious 
code that could then allow----
    Mr. Stearns. Could the facility put software in place to 
prevent both of those from occurring?
    Mr. Wilshusen. They can, and disable certain functions--
physical ports on the laptop or on the desktop to prevent that 
from happening. And indeed, the Department of Defense had such 
an attack on their networks based upon a thumb drive that led 
them to disable the thumb drives on the vast majority of 
their----
    Mr. Stearns. Last question. Has the Department of Homeland 
Security or the Department of Energy issued any guidance to the 
electricity sector on best practices that we just talked about 
in these two cases?
    Mr. Wilshusen. Well, as part of the Energy Independence and 
Security Act, NIST, the National Institute of Standards and 
Technology, had responsibilities for developing security 
guidelines in connection with input from a number of different 
organizations that were then to be provided to FERC at 
Department of Energy to either approve if there is a consensus 
on those, and some of those controls would help to prevent such 
attacks, or could.
    Ms. DeGette. Thank you. Mr. Wilshusen, were those controls, 
in fact, promulgated by FERC?
    Mr. Wilshusen. No.
    Ms. DeGette. Why not?
    Mr. Wilshusen. It determined that there wasn't a consensus 
on those--development of those standards and cybersecurity 
guidelines, and under the Act, there--in the process are 
required to develop a consensus for----
    Ms. DeGette. So now what? Are they developing standards?
    Mr. Wilshusen. My understanding is that NIST is working to 
gain such a consensus.
    Ms. DeGette. OK. I want to talk with you a minute more 
about FERC, because what I am wondering is if they need extra 
authorities to protect the electric grid from these potentially 
dangerous vulnerabilities.
    Can you just give us a quick example of the types of 
security flaws that might leave the grid vulnerable to hackers?
    Mr. Wilshusen. One would be if they do not appropriately 
assess the risk to those various different components of the 
smart grid and implement the appropriate security controls over 
that. For example, if the access controls are not appropriately 
applied to different components of the grid, that could 
potentially allow a path into----
    Ms. DeGette. And of course, the development of this smart 
grid increases this risk because it is more and more 
computerized, correct?
    Mr. Wilshusen. Yes, the increased use of IT systems and 
networks provide additional paths and access points for 
potential attackers to gain access to it. In addition, the 
increasing interconnectivity of these systems and networks also 
allow potential attackers broader range and access to other 
devices.
    Ms. DeGette. And yet at the same time that there is broader 
vulnerability, the increased interconnection and the smart--
development of the smart grid, it is a really valuable part of 
our system because it gives us--number one, it gives us more 
efficiency so consumers can get better prices, and number two, 
it allows us to use some of these renewable technologies that 
the chairman was talking about in his opening statement, 
correct?
    Mr. Wilshusen. Yes.
    Ms. DeGette. And so here is my question. The GAO and others 
have said that there could be gaps in the FERC's regulatory 
authority to deal with development of these standards to 
respond to new vulnerabilities. Can you talk about that for a 
minute?
    Mr. Wilshusen. Well in our recent report that we issued 
back in January of 2011, we identified that FERC did not have 
appropriate authorities, that their authorities were pretty 
much--since they didn't have the appropriate authorities, their 
authorities were limited to basically adopting and approving 
standards that were developed by others for the smart grid, and 
then primarily just at the bulk power level and bulk power 
supply level, not necessarily at the distribution level where 
certain smart grid investments and devices are being 
implemented. And we made the recommendation to NERC that they 
need to really work with these other parties and stakeholders 
to include the State public utility commissions that do have 
such authorities and responsibilities to monitor the 
implementation of any standards that it adopts.
    Ms. DeGette. So----
    Mr. Wilshusen. And it had not done that.
    Ms. DeGette. So do they have the authority to do that, or 
does Congress need to give them more authority to coordinate 
with those other operators?
    Mr. Wilshusen. Well, they have the authority to coordinate 
with the other operators----
    Ms. DeGette. OK.
    Mr. Wilshusen [continuing]. And utility commissions at the 
State level----
    Ms. DeGette. OK.
    Mr. Wilshusen [continuing]. But they don't have the 
authority to mandate particular cybersecurity standards.
    Ms. DeGette. Do you think they need that authority?
    Mr. Wilshusen. We do not make that recommendation or really 
go there. We just actually made the recommendation to FERC that 
it determined whether, you know, what gaps overlaps exist, so--
--
    Ms. DeGette. Yes, so if FERC determined that, they could 
come to us----
    Mr. Wilshusen. Right.
    Ms. DeGette [continuing]. And ask for that authority.
    Mr. Wilshusen. That is correct.
    Ms. DeGette. Now, there are some--do you know how many of 
these local and State authorities there are that FERC would 
need to be coordinating with?
    Mr. Trimble. Well, you are--FERC is----
    Ms. DeGette. Mr. Trimble?
    Mr. Trimble. Yes, sorry.
    Ms. DeGette. That is OK.
    Mr. Trimble. FERC is--has jurisdiction over the bulk power 
system, but once it gets into the distribution system at the 
State level or at the local level, it falls to the State 
utilities. So the----
    Ms. DeGette. There are thousands of them, right?
    Mr. Trimble. Right, so you are talking about 50 States plus 
those that aren't under State control or under minimal State 
control.
    Ms. DeGette. Right, and then there is other agencies like 
Homeland Security, Energy and National Security Agency that 
also have oversight responsibilities over the critical 
electrical infrastructure, correct?
    Mr. Trimble. Um-hum.
    Ms. DeGette. So all of those individual utilities would 
have to work together to really address this, right?
    Mr. Trimble. That is correct.
    Ms. DeGette. OK. Now, one last question, Mr. Chairman. I 
have got a lot more questions in this line, but maybe I will 
have an opportunity to ask then, but the Energy Independence 
and Security Act of 2007 directed the National Institute of 
Standards and Technologies to develop those standards, but 
those standards haven't been adopted for the reasons Mr. 
Wilshusen just explained, right?
    Mr. Trimble. Right.
    Mr. Wilshusen. That is correct.
    Ms. DeGette. And do we have any sense when they are going 
to be adopted, now that it has gone back to the agency?
    Mr. Trimble. We have not seen a timeline.
    Ms. DeGette. OK, thank you.
    Mr. Stearns. The gentlelady from Tennessee is recognized 
for 5 minutes.
    Mrs. Blackburn. I thank you all and appreciate so much the 
time that you are giving us today, and continuing to work with 
us through this issue.
    I have found it so interesting, as we have worked through 
these hearings, how our constituents are paying attention to 
this, and how they come back to us, those constituents that are 
working in informatics or in energy delivery systems, and they 
have different things they want to add to the discussion that 
we are having.
    One question I do have on the smart meters that are out 
there. Is there a way that someone's proprietary information is 
being tracked or pulled or hacked into--what are the 
protections that are on these meters? Can you give me just a 
little bit of information on that, because some of our 
constituents--and Ms. DeGette talked about this when she said 
people can watch and find out when the electricity is going to 
cost them less and then do chores at that time, but our 
customers are saying now wait a minute. Is this--while it is 
giving me information, is this going to be giving--what are the 
protections, the privacy protections that are going to exist to 
the consumer about protecting that virtual presence and 
knowledge of themselves?
    Mr. Wilshusen. Right, that is certainly an area of concern 
insofar as that those meters need to have the appropriate 
cybersecurity, information security controls built into them. 
We convened a panel of cybersecurity experts as part of our 
review that we issued a report back in January of 2011, and 
they identified that there are control deficiencies in some of 
those meters, to include not having the appropriate login 
capabilities, which would help and--or the forensics 
capabilities to determine how and whether an attack had 
occurred.
    Mrs. Blackburn. OK, then let me ask you this. With those 
meters, would it be easy just to--is it very easy just to hack 
into them? Should people consider there to be so much 
transparency in these that they are not protecting their usage? 
Help me with that.
    Mr. Wilshusen. Well, I would just say that it really 
depends upon the facts and circumstances of each individual 
type of meter----
    Mrs. Blackburn. OK.
    Mr. Wilshusen [continuing]. And the security 
vulnerabilities or strengths relative to the individual meters.
    Mrs. Blackburn. OK. Mr. Wilshusen, I want to ask you, May 
'08 you made some comments about TVA's corporate network 
contains security weaknesses that could lead to disruption of 
their control systems, and of course, for those of us in the 
Tennessee Valley and TVA as the main power generator, we are 
very concerned about that. You had 19 specific recommendations 
that you had for the TVA at that point in time. In your follow 
ons, has TVA implemented these? Have they been responsive to 
putting these controls in place? How are we doing with 
tightening that system up?
    Mr. Wilshusen. Yes, TVA has been responsive in implementing 
not only the 19 recommendations that were made in the public 
report, but also we made a number of other recommendations in a 
limited distribution report----
    Mrs. Blackburn. Exactly, yes.
    Mr. Wilshusen [continuing]. That dealt more with the 
technical controls over their networks and their industrial 
control system networks. TVA has been responsive, has 
implemented most, if not all, of our recommendations and we 
have closed them out.
    Mrs. Blackburn. Thank you. With that, I will yield back.
    Mr. Stearns. Gentlelady yields back. Ms. Myrick is 
recognized for 5 minutes.
    Mrs. Myrick. Thank you, and really, this is for any of you, 
but it concerns giving the cybersecurity threats and the 
weaknesses that were identified in the GAO report and in the 
Inspector General for the Department of Energy's report. It 
seems to be that cybersecurity is not a real high priority with 
some companies today, and given the wealth of information that 
is out there about the threats that exist--I am also on Intel 
and we deal with this all the time. And it just seems apparent 
to me that we--that companies really aren't taking this as 
seriously as they should. Not just companies, of course, 
dealing with the electric grid, but other companies as well 
when it comes to how they fit into the big picture in the 
country.
    Is it because they don't feel that there is any incentive 
for them to do it in any way? I am at a little of a loss, I 
guess, because some of them just seem to be kind of blase about 
it, even though they are so vulnerable. It is unreal and then 
it affects the rest of us from a national security standpoint.
    Mr. Trimble. I would answer in two ways. One, from our 
expert panel that we convened one of the concerns that they had 
was confusion and uncertainty over who is in charge in terms 
of----
    Mrs. Myrick. OK.
    Mr. Trimble [continuing]. Where the guidance was given, the 
complexity of the regulatory oversight. From--if you are 
putting yourself in the producer of the utilities perspective, 
they are faced with--so the standards haven't been adopted, 
even though--even when they are adopted, they are voluntary, 
and then if you are a producer under State control, you don't 
have anything from the States. To recover those costs, to make 
those investment decisions, those costs have to be recoverable. 
There is no necessary guarantee that you will recover those 
costs if you make those investments in this uncertainty.
    So again, this goes back to our recommendation as to when 
you adopt, you need to closely monitor to what extent these 
standards are being followed and to what extent they are 
effective, and make changes quickly. So it really, you know, 
sort of asking the system something it hasn't done necessarily 
in the past, which is act quickly and sort of more nimbly than 
it has. But I think part of the answer is really I would just 
put yourself in the shoes of the utility when faced with making 
those decisions and trying to balance the cost and benefits and 
risks that you are looking at.
    Mr. Wilshusen. And I want to add to that. Also in some 
instances these utilities may or may not be fully aware of some 
of the threats and risks that are there, particularly certain 
incidents. In many cases, some of the most actionable and alert 
information may not necessarily be able to be shared with the 
utilities because it is classified.
    Mrs. Myrick. Right.
    Mr. Wilshusen. And so the information sharing equation is 
also a factor in terms of the agency--or the utilities 
receiving timely and actionable information.
    We issued a report a year ago or 2 years ago that dealt 
with the expectations and the delivery of those expectations 
between the public-private partnership model that is currently 
in use, and many--this is not only just the electricity 
industry, but also across other critical infrastructure 
sectors, in that most of the respondents on the private sector 
side indicated that--in fact, 98 percent of them said that 
receiving timely, actionable, alert and threat information was 
very important to them, but only 27 percent of them responded 
and said that their Federal partners were greatly or moderately 
providing that information to them.
    Mrs. Myrick. So it is not a resistance or lack of 
understanding on the part of the companies from your 
perspective and what you are seeing, it is really that they--
that this aspect of who is in charge and who they report to and 
how they get the information and what information they get is 
really the problem?
    Mr. Wilshusen. It is a contributing factor.
    Mrs. Myrick. OK. Anybody else wish to comment?
    Then I yield back, Mr. Chairman. Thank you.
    Mr. Stearns. Gentlelady yields back. The gentleman from 
Georgia, Mr. Gingrey, is recognized for 5 minutes.
    Mr. Gingrey. Thank you, Mr. Chairman, and I am going to 
address my first question to all three of you, and I think I 
will start with Mr. Campbell.
    Each of you mentioned in the January 2012 report issued by 
the Department of Energy's Inspector General that 36 of the 99 
grant recipients did not have the sufficient security plans in 
place to provide further risk determent, despite the fact that 
the Federal Government has spent, I think you said $3.5 billion 
in taxpayer money for this Smart Grid Investment Grant Program. 
Now while I am disappointed that for scheduling purposes it 
prevented the DOE Inspector General from being here today, I 
would like to ask each of you your thoughts on these three 
questions, and I will start with Mr. Campbell. What are the 
potential implications of these insufficient security controls?
    Mr. Campbell. Well basically smart grid devices are being 
developed that may not have full cybersecurity mechanisms built 
in. So if these devices do actually make it to market, there 
could be problems with cybersecurity of the devices going 
forward.
    Mr. Gingrey. Mr. Trimble?
    Mr. Trimble. Yes, I will--what I would add to that, and I 
will defer to my colleague on the cyber aspect of this, that 
one of the downsides if you end up with devices that don't meet 
the standards or aren't sufficiently protected and then the 
utility has to pull those out, you have created a problem in 
terms of who is going to pay for that mistake, because they 
will go to the public utility to recover those costs, the 
public is not going to want to pay for the mistake, and so you 
will have a very contentious situation.
    Mr. Wilshusen. Yes, I would agree with both Mr. Trimble and 
Mr. Campbell in that it could create opportunities where key 
controls are not being implemented into these devices or not 
being implemented in whatever the initiative and grant 
initiative had was developing. One thing that was noted by the 
IG is that these were approved even though the Department had 
requested that the plans be updated, which they were, but not 
in all instances were those key controls addressed and the 
Department has to approve that.
    According to the IG report, if I read that correctly--
again, I defer to the DOEIG on that--is that there was 
apparently an emphasis on the part of the Department to make 
sure that these grants were approved and gotten out.
    Mr. Gingrey. We--as the chairman said in his opening 
remarks, we had hoped to have the IG from DOE here today, and 
hopefully we will schedule another hearing and hear from him.
    But going back to Mr. Campbell, throughout the life of the 
grant, is it feasible that these problems that exist could 
still be corrected?
    Mr. Campbell. The DOE's office has responded that it will 
require the applicant grantees to update their cybersecurity 
plans, I believe it is by April of this year.
    Mr. Gingrey. All right, Mr. Trimble and Mr. W., you all 
have some comments on that as well?
    Mr. Wilshusen. Yes. I would just also add that in the 
report, the IG indicated that the Department was also going to 
be, as part of their annual review process of these grant 
initiatives, were to review the recipient's implementation of 
those cybersecurity controls in their plans.
    Mr. Gingrey. And then the last part of this question, and I 
see I am probably only going to get one question in in the 
allotted 5 minutes, but with this report in mind, the DOE 
Inspector General report, do you know of any instances in which 
the smart grid for which the grant program was supposed to 
bolster has been compromised from a security standpoint? Mr. 
Campbell, any specifics there?
    Mr. Campbell. I am not aware of any specifics.
    Mr. Gingrey. Mr. Trimble?
    Mr. Trimble. No, sir.
    Mr. Wilshusen. No, sir.
    Mr. Gingrey. OK. I do have a little bit of time left. Let 
me go--let us see, back to--well that is all right. I will just 
save that if there is a second round.
    Mr. Chairman, I yield back the balance of my time.
    Mr. Stearns. All right, gentleman yields back. We will do a 
second round and I will start.
    Mr. Wilshusen, in your testimony you stated that Department 
of Energy Inspector General found that under the Smart Grid 
Investment Grant Program, recipients were not always complete 
or lacked sufficient detail in security controls in their 
submissions to Department of Energy. Is that correct?
    Mr. Wilshusen. Yes, sir.
    Mr. Stearns. Is that a big deal?
    Mr. Wilshusen. Yes, it can be.
    Mr. Stearns. And why, specifically?
    Mr. Wilshusen. Well, if those----
    Mr. Stearns. Why is it a big deal?
    Mr. Wilshusen. Well, if it is----
    Mr. Stearns. I think it is a big deal, but I just want you 
to confirm it.
    Mr. Wilshusen. If those plans are incomplete and do not 
identify key controls that should be implemented on as part of 
these smart grid initiatives, that could lead to vulnerable 
devices and therefore, may subject those devices to increased 
risk of being compromised.
    Mr. Stearns. So you have a smart meter device being 
purchased with government grant money that lacks the proper 
security features and if the guarantees don't have specific or 
detailed security plans when installing them into the 
customer's homes, isn't that it?
    Mr. Wilshusen. That could be a possibility.
    Mr. Stearns. Mr. Trimble, is it conceivable that during the 
life of the grant period, that these security plans are not 
complete, are not implemented properly, unless made a condition 
of the grantee to receive the funding? Should we do that?
    Mr. Trimble. I believe that should have been a requirement 
or----
    Mr. Stearns. Do you have your mic on?
    Mr. Trimble. I believe that is what the IG indicated, but 
that was not our work so I can't speak authoritatively.
    Mr. Stearns. Do you know of any specific examples that I 
could hear from you, or Mr. Wilshusen?
    Mr. Wilshusen. Well in the IG report, they identified three 
of the five security plans that it reviewed. These were the 
plans that had already been initially identified by the 
Department as having deficient or shortcomings in the security 
programs, and then updated by the recipient or the grantee 
recipients, and they identified that three of the five still 
had the shortcomings and did not contain complete information. 
And some of that information dealt, as I recall, with the 
auditing and some of the technical security controls associated 
with those initiatives. But as far as more detailed 
information, I did not review or have access to the work papers 
supporting the report by the IG.
    Mr. Stearns. Is this all primarily in the smart meter 
technology? Is that where all this concern is?
    Mr. Wilshusen. With the IG's report, I don't think it was 
specific to that. I don't recall if it was specifically 
mentioned.
    Mr. Stearns. Isn't that where most of the investment is?
    Mr. Wilshusen. That also I don't know.
    Mr. Stearns. Yes, Mr. Trimble?
    Mr. Trimble. I believe it was in a broader range. I thought 
the bulk of the money was into other systems like phase 
measurement units and things like that, but again, we haven't 
done work in that area.
    Mr. Stearns. Mr. Campbell, how many, in your opinion, smart 
grid cyber incidents have there been?
    Mr. Campbell. I am not familiar with the total number, but 
from I have heard in discussion there has been quite a few 
cybersecurity incidents.
    Mr. Stearns. Under 10, under 100?
    Mr. Campbell. Probably more than that.
    Mr. Stearns. Under 1,000?
    Mr. Campbell. I couldn't say with any specific.
    Mr. Stearns. So you have no knowledge of how many specific 
system cyber attacks there have been, incidents, then?
    Mr. Campbell. No, sir.
    Mr. Wilshusen. Mr. Chairman----
    Mr. Stearns. Yes, sure.
    Mr. Wilshusen [continuing]. If I might add, I am not even 
sure if there is a monitoring process or reporting mechanism in 
place for that information to be reported and collected.
    Mr. Stearns. Mr. Campbell, do you think that waiting 3 
years for the grant recipients to implement vigorous 
cybersecurity plans could lead to cybersecurity gaps and 
subsequent compromises in the system integrity?
    Mr. Campbell. It is my opinion----
    Mr. Stearns. If you might pull the mic just a little 
closer.
    Mr. Campbell. It is my opinion that during the 3-year 
period for development, there should be adequate time for the 
DOE to take a look at the requirements in regard to 
cybersecurity, but we should also note that cyber threats are 
continuing to change, so any regulations that you may put in 
place may not be adequate when the final product rolls out.
    Mr. Stearns. OK. My last question, Mr. Wilshusen, are there 
different cybersecurity challenges that are vulnerabilities for 
government-run utility services, such as the Bonneville Power 
Administration versus privately-run utility services?
    Mr. Wilshusen. We haven't looked at the specific security 
controls at private utilities. We have looked at them at TVA, 
and identified a number of security vulnerabilities----
    Mr. Stearns. At TVA?
    Mr. Wilshusen. At TVA, yes, as this was the report that was 
referred to earlier. But my understanding is, it is probably 
likely that what we found at TVA will probably be--could be 
found at other public utilities as well, you know, of a similar 
type of electrical power generation and some transmission.
    Mr. Stearns. Mr. Trimble, anyone else, do you have any 
comments in reference to the private versus government-run 
utilities?
    Mr. Trimble. No, I would defer to Greg on that.
    Mr. Stearns. Mr. Campbell, any suggestions?
    Mr. Campbell. No, that seems to be a reasonable response. 
Private utilities seem to have many of the same systems that 
public utilities have.
    Mr. Wilshusen. And one--if I may just add more broadly, 
when we looked at other sectors, for example, we looked at 
communications network operated by private sector 
organizations, we found vulnerabilities in their networks that 
were similar to the vulnerabilities that we find in the 
networks of Federal agencies. Now while that is not exactly 
electricity industry, but I would be fairly confident to say 
that vulnerabilities identified in government systems are going 
to probably be found in private sector systems in some respects 
because the Federal Government security standards and 
guidelines typically are as robust, if not more robust, than 
private sector guidelines in many cases.
    Mr. Stearns. Thank you. My concluding comment is if it hits 
one sector, it hit government utility versus private utility, 
it is probably the same kind of statistic.
    Mr. Wilshusen. I would agree with that comment, which is 
all the more reason why there should be an effective and robust 
information sharing capability between the public and private 
sectors.
    Mr. Stearns. With that, my time is expired.
    Ms. DeGette. Thank you. Thank you, Mr. Chairman.
    I want to follow up on the chairman's question about 
reporting, because I think I shared his concern. Mr. Campbell 
and Mr. Wilshusen, both of you--all three of you said we don't 
have any kind of specific knowledge as to how many cyber 
attacks there have been. And Mr. Wilshusen, you said that we 
don't really have a systematic approach to reporting. Would it 
be possible to develop that kind of systematic approach, and if 
we did, how would it look, who would be in charge of it, et 
cetera?
    Mr. Wilshusen. Well, we haven't done the work to come up 
and just say definitively, but there are some reporting 
mechanisms in place now. For example, the Department of 
Homeland Security and the U.S. Cert Federal agencies are 
required to report their security incidents that occur at their 
sites to U.S. Cert, and then U.S. Cert collects that 
information and makes reports on it, summarizes it, identified 
trends, and also then provides alerts to other Federal 
agencies.
    Private sector organizations can also report through to the 
U.S. Cert, although in terms of having something formal and 
required, that is--presently does not exist.
    Mr. DeGette. Well, so there is a structure that perhaps you 
could do it, there is just no requirement to do it, is that 
what you are saying?
    Mr. Wilshusen. It may be a model that could be considered 
if one was to develop such a reporting structure.
    Ms. DeGette. Do you think it would be important to have 
some sense of incidences of cyber attacks?
    Mr. Wilshusen. Oh, I certainly do, yes.
    Ms. DeGette. What do you think, Mr. Campbell?
    Mr. Trimble. What I would--I am sorry, what I would just 
jump in on this point is when we convened our expert panel, one 
of the challenges and problems that the experts identified was 
the lack of information sharing among the utilities and the 
generators and the government on precisely these issues, the 
cyber attacks, successful or not.
    Ms. DeGette. So did--so now we have identified--and Mr. 
Campbell, would you agree there is a problem?
    Mr. Campbell. Yes, but I would also think confidentiality 
of reporting would be a key factor in any system that is 
developed.
    Ms. DeGette. Right, so who would develop that system? I 
mean, we are super good at identifying problems, but now how do 
we move towards a solution? Anyone?
    Mr. Wilshusen. Well, within the Federal Government, you 
know, DHS has the overriding responsibility as the focal point 
for protecting critical infrastructures. Each of the 18 
critical sectors--infrastructure sectors have sector-specific 
agencies that monitor it for that particular----
    Ms. DeGette. Yes, I understand all this, so you would say 
it would probably be DHS to develop this?
    Mr. Wilshusen. They have a model in place where Federal 
agencies are required to. It would be a likely place to start.
    Ms. DeGette. OK, thank you.
    Mr. Campbell, I want to follow up on the point about 
privacy that you just raised, because I don't know if the three 
of you saw the story in ``The Washington Post'' today where 
what it talked about was the National Security Agency is 
pushing to expand its role in protecting private sector 
computer networks from cyber attacks. The White House has been 
concerned about privacy concerns, and then the story said ``The 
most contentious issue was a legislative proposal last year 
that would have required hundreds of companies that provide 
such critical services as electricity generation to allow their 
internet traffic to be continuously scanned using computer 
threat data provided by the spy agency. Companies would have 
been expected to turn over evidence of potential cyber attacks 
by the government.'' So this really is an issue about how you 
balance security versus privacy. We have been debating this 
pretty much since September 11, 2001.
    And so maybe, Mr. Campbell, you can talk to me if you have 
some perspective on the tradeoff of cybersecurity versus 
privacy.
    Mr. Campbell. Well, I would say that cybersecurity versus 
privacy is a key issue. Other than that, I would say that we--
CRS is looking at the issue and we would be happy to talk to 
you about it at a later time.
    Ms. DeGette. And you released--CRS released a report on 
privacy and cybersecurity concerns earlier this month, did it 
not?
    Mr. Campbell. Yes.
    Ms. DeGette. And so let me ask you, what information can 
smart meters collect about the people in the households who 
have them? I mean, what is the security issue?
    Mr. Campbell. Well, smart meters collect information on the 
use of electricity, and so the idea is that smart meters 
conceivably could develop a profile of the use of electricity 
within the home. Now if the information is accumulated at a 
high enough level, then individual use of information could be 
lost, but that is an issue that is under development and I 
think in various States there are various rules concerning 
smart meter----
    Ms. DeGette. And that information, it could determine the 
behavioral patterns of the residents in the home, correct?
    Mr. Campbell. Correct.
    Ms. DeGette. So like burglar could figure out--could use a 
smart meter to figure if a family was on vacation or not, 
right?
    Mr. Campbell. If they were sophisticated enough to access 
the information.
    Ms. DeGette. Or a marketer could even use information about 
what appliances a consumer might be using to target that 
consumer, right?
    Mr. Campbell. Possibly.
    Ms. DeGette. So that--I mean, we wouldn't naturally think 
that there would be security issues relating to these meters, 
but that is something we need to consider and balance out, 
right?
    Mr. Campbell. Correct.
    Ms. DeGette. Thank you, Mr. Chairman.
    Mr. Stearns. Gentleman from Georgia is recognized for 5 
minutes.
    Mr. Gingrey. Thank you, Mr. Chairman.
    You know, as I sit here and think about this program and 
the $3.5 billion worth of grant money going towards these 
companies, grantees, 99 of them to help develop the smart grid, 
I also think about the $19 billion that was in the stimulus 
money for fully developing health information technology, you 
know, the Offices of National Coordinator and his salary and 
all the employees there to make sure that people, companies 
small and large that got grants from that $19 billion pot to 
help develop health information technology that is fully 
coordinated, it just makes me concerned that these grantees 
under this program to develop the smart grid are not following 
the guidelines that they should follow and in the final 
analysis 3 years from now we will have wasted a lot of money.
    I want to ask you specifically, you mentioned--and maybe 
some of my colleagues had asked a question about NIST's 
involvement, the National Institute of Standards and 
Technology, the 850-3 program as compared, let us say, to the 
North American Electric Reliability Corporation's critical 
infrastructure protection standards. Now how do those two 
compare and are they overlapping? Are they similar? Is one 
better than the other? What standards should we require of 
these grantees as they develop these programs with taxpayer 
money? Mr. Campbell?
    Mr. Campbell. My knowledge that the NERC reliability 
critical infrastructure standards are just applied to those on 
the bulk electric system, so when we are talking about the 
Smart Grid Investment Grant Program, that is looking at 
developing products, so I think what we are talking about is 
two different types of requirements.
    Mr. Gingrey. Mr. Trimble and Mr. Wilshusen?
    Mr. Wilshusen. I will field that one. Also there is--we 
actually compared the NERC's eight cyber--critical 
infrastructure protections cybersecurity reliability standards 
to the controls that are identified and NIST Special 
Publication 850-3, and we found that of the 198 controls in 
850-3 that the NIST or the NERC standards had about 151 of 
those. One of the issues that the IG reported on in its report, 
also in addition to what Mr. Campbell said, is that those 
standards apply only to the bulk electricity supply, but there 
further only apply to those assets that the entities within 
that sector have designated as a critical asset. And so if the 
entity has not identified any critical assets, then those 
standards would not necessarily apply.
    And the IG report also indicated that back in 2009, the 
former chief information security officer of NERC did a survey 
and identified that about, I think it was 36 percent of the 
power generators, or those entities with power generation and 
about 67 percent of those responsible for transmitting bulk 
power had identified only--at least one critical asset. So that 
left a fair number of--or at least a fair percentage of 
entities that produce power or transmit it that did not 
identify any critical assets.
    Mr. Gingrey. Mr. Trimble?
    Mr. Trimble. I would just--my expertise is not cyber, so I 
will--so to simplify that, the issue as I sort of have come to 
understand it is the NERC CIP standards apply to--for critical 
infrastructure protection but it is limited because it is just 
bulk power and it is just those that the industry have 
identified as being critical assets. But industry self-
identification has not been exactly--has been identified as 
comprehensively as it could be.
    The NIST standards that we are talking about for cyber 
pursuant to ISA are voluntary, primarily focused on 
interoperability and cyber threats. The limitation there is 
that FERC's sort of bailiwick is, again, bulk power so it 
doesn't get into anything beyond sort of interstate 
transmission, if you will. If you are getting into the State 
level, those guidelines, those standards, even though 
voluntary, don't kick in. If you get down to the city level, 
like New York, they don't kick in. So you have got this 
patchwork where there is a whole bunch of places with no 
standards that kick in.
    Mr. Gingrey. My time is expired, but I just want to say 
that, you know, it is pretty much green eyeshades sort of 
stuff, but hugely important, and of course, you are bringing 
important information to us, the members of the subcommittee, 
and I think this is very beneficial. I deeply appreciate you 
being here today, and thank you for your testimony.
    Mr. Chairman, I yield back.
    Mr. Stearns. Thank the gentleman and we are getting ready 
to conclude the hearing, and I, as chairman, have the 
opportunity to give a closing remark. I would say it has been 
brought up here and also I remember in our July hearing. 
Department of Homeland Security fields all this information 
dealing with cybersecurity and then gives it to U.S. Cert 
agency, and they offer the documentation, as I understand it, 
to the private industry, so it sort of filters down that way. 
Is that correct?
    Mr. Wilshusen. I believe it is, yes.
    Mr. Stearns. Well, my concern is, just like the 9/11 
Commission said, there was not full communication between all 
the government agencies as well as private industries on what--
to alert them of possible information it could have thwarted 
and stopped the 9/11 attack. I see it is clear here today in 
the conversation that there is not really full adequate 
communication between the private sector and the government 
sector dealing with utilities with cybersecurities, and I think 
this is a warning that we should all take into effect or we 
might be sitting here at a later date with something that is 
very serious.
    I want to thank the witnesses for their time and effort, 
and the subcommittee is adjourned.
    [Whereupon, at 11:37 a.m., the subcommittee was adjourned.]