[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


            ENHANCING AMERICA'S GRID SECURITY AND RESILIENCE

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON ENERGY, CLIMATE, AND GRID SECURITY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION
                               __________

                             JUNE 16, 2023
                               __________

                           Serial No. 118-49
                           

                  [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                           


     Published for the use of the Committee on Energy and Commerce

                   govinfo.gov/committee/house-energy
                        energycommerce.house.gov
                        
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
57-185 PDF                WASHINGTON : 2024   


                    COMMITTEE ON ENERGY AND COMMERCE

                   CATHY McMORRIS RODGERS, Washington
                                  Chair
MICHAEL C. BURGESS, Texas            FRANK PALLONE, Jr., New Jersey
ROBERT E. LATTA, Ohio                  Ranking Member
BRETT GUTHRIE, Kentucky              ANNA G. ESHOO, California
H. MORGAN GRIFFITH, Virginia         DIANA DeGETTE, Colorado
GUS M. BILIRAKIS, Florida            JAN SCHAKOWSKY, Illinois
BILL JOHNSON, Ohio                   DORIS O. MATSUI, California
LARRY BUCSHON, Indiana               KATHY CASTOR, Florida
RICHARD HUDSON, North Carolina       JOHN P. SARBANES, Maryland
TIM WALBERG, Michigan                PAUL TONKO, New York
EARL L. ``BUDDY'' CARTER, Georgia    YVETTE D. CLARKE, New York
JEFF DUNCAN, South Carolina          TONY CARDENAS, California
GARY J. PALMER, Alabama              RAUL RUIZ, California
NEAL P. DUNN, Florida                SCOTT H. PETERS, California
JOHN R. CURTIS, Utah                 DEBBIE DINGELL, Michigan
DEBBBIE LESKO, Arizona               MARC A. VEASEY, Texas
GREG PENCE, Indiana                  ANN M. KUSTER, New Hampshire
DAN CRENSHAW, Texas                  ROBIN L. KELLY, Illinois
JOHN JOYCE, Pennsylvania             NANETTE DIAZ BARRAGAN, California
KELLY ARMSTRONG, North Dakota, Vice  LISA BLUNT ROCHESTER, Delaware
    Chair                            DARREN SOTO, Florida
RANDY K. WEBER, Sr., Texas           ANGIE CRAIG, Minnesota
RICK W. ALLEN, Georgia               KIM SCHRIER, Washington
TROY BALDERSON, Ohio                 LORI TRAHAN, Massachusetts
RUSS FULCHER, Idaho                  LIZZIE FLETCHER, Texas
AUGUST PFLUGER, Texas
DIANA HARSHBARGER, Tennessee
MARIANNETTE MILLER-MEEKS, Iowa
KAT CAMMACK, Florida
JAY OBERNOLTE, California
                                 ------                                

                           Professional Staff

                      NATE HODSON, Staff Director
                   SARAH BURKE, Deputy Staff Director
               TIFFANY GUARASCIO, Minority Staff Director
           Subcommittee on Energy, Climate, and Grid Security

                      JEFF DUNCAN, South Carolina
                                 Chairman
MICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio                  Ranking Member
BRETT GUTHRIE, Kentucky              SCOTT H. PETERS, California
H. MORGAN GRIFFITH, Virginia         LIZZIE FLETCHER, Texas
BILL JOHNSON, Ohio                   DORIS O. MATSUI, California
LARRY BUCSHON, Indiana               PAUL TONKO, New York
TIM WALBERG, Michigan                MARC A. VEASEY, Texas
GARY J. PALMER, Alabama              ANN M. KUSTER, New Hampshire
JOHN R. CURTIS, Utah, Vice Chair     KIM SCHRIER, Washington
DEBBIE LESKO, Arizona                KATHY CASTOR, Florida
GREG PENCE, Indiana                  JOHN P. SARBANES, Maryland
KELLY ARMSTRONG, North Dakota        TONY CARDENAS, California
RANDY K. WEBER, Sr., Texas           LISA BLUNT ROCHESTER, Delaware
TROY BALDERSON, Ohio                 FRANK PALLONE, Jr., New Jersey (ex 
AUGUST PFLUGER, Texas                    officio)
CATHY McMORRIS RODGERS, Washington 
    (ex officio)
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Jeff Duncan, a Representative in Congress from the State of 
  South Carolina, opening statement..............................     1
    Prepared statement...........................................     3
Hon. Richard Hudson, a Representative in Congress from the State 
  of North Carolina, opening statement...........................     5
    Prepared statement...........................................     8

                               Witnesses

Mark Aysta, Managing Director of Enterprise Security, Duke Energy    10
    Prepared statement...........................................    13
    Answers to submitted questions...............................    85
William Ray, Director and Deputy Homeland Security Advisor, 
  Emergency Management Division, North Carolina Department of 
  Public Safety..................................................    17
    Prepared statement...........................................    19
    Answers to submitted questions...............................    87
Timothy Ponseti, Vice President, Operations, SERC Reliability 
  Corporation....................................................    22
    Prepared statement...........................................    24
    Answers to submitted questions...............................    91
Jordan Kern, Ph.D., Assistant Professor, Department of Industrial 
  and Systems Engineering, North Carolina State University.......    42
    Prepared statement...........................................    44
    Answers to submitted questions...............................    94

 
            ENHANCING AMERICA'S GRID SECURITY AND RESILIENCE

                              ----------                              


                         FRIDAY, JUNE 16, 2023

             U.S. House of Representatives,
Subcommittee on Energy, Climate, and Grid Security,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:00 a.m., at 
395 Magnolia Road, Pinehurst, NC 28374, Hon. Jeff Duncan 
(chairman of the subcommittee) presiding.
    Members present: Representatives Duncan, Latta, Griffith, 
Bucshon, Palmer, Lesko, and Weber.
    Also present: Representatives Hudson and Allen.
    Staff present: Kate Arey, Digital Director; Sydney Greene, 
Director of Operations; Tara Hupman, Chief Counsel; Brandon 
Mooney, Deputy Chief Counsel, Energy; Kaitlyn Peterson, Clerk; 
and Olivia Shields, Communications Director.
    Mr. Duncan. OK. The Subcommittee on Energy and Climate and 
Grid Security will now come to order.
    The Chair will recognize himself for 5 minutes for an 
opening statement.

  OPENING STATEMENT OF HON. JEFF DUNCAN, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF SOUTH CAROLINA

    First off, thanks for being here today. Great audience, and 
I look forward to the panelists as we delve into this issue.
    So let me begin by welcoming everyone to the House Energy 
and Commerce Committee, Subcommittee on Energy, Climate, and 
Grid Security. It is a field hearing, ``Enhancing America's 
Grid Security and Resilience.'' As a subcommittee chairman, I 
am excited to be here in Moore County, North Carolina, with my 
colleagues at the invitation of my good friend and colleague on 
the Energy and Commerce Committee, Representative Richard 
Hudson. There is no better a Member of Congress.
    The Energy and Commerce----
    [Applause.]
    Except for myself.
    The Energy and Commerce Committee exercises broad 
jurisdiction over Federal agencies and issues related to 
America's electric grid. As part of these responsibilities, we 
work closely with the Department of Energy and the Federal 
Energy Regulatory Commission, known as FERC, to ensure that our 
electric grid and the utility companies that operate it are 
well coordinated and prepared to address all hazards to the 
electric grid, whether they be severe weather events, physical, 
or cybersecurity threats.
    America's power grid is the world's most complex and highly 
interconnected system in the world. The challenge of protecting 
it is immense and it is growing, especially as our power mix 
shifts and we add more and new and varied generations to that 
mix. According to the Energy Information Administration, our 
Nation's power grid consists of more than 7,300 power plants, 
160,000 miles of high-voltage power lines, millions of miles of 
low-voltage power lines, and more than 50,000 substations where 
transformers convert raw electricity to higher or lower 
voltages.
    Historically, natural events, especially severe weather 
events, present the greatest risk to the system's reliability 
and resilience. However, we are also facing a growing threat of 
physical and cyber attacks to our electric grid and other 
energy infrastructure like pipelines and electric substations. 
There have been several grid security instances that have 
occurred recently that we are examining as part of our 
oversight responsibilities. Within the last year, we have seen 
electrical transmission substations attacked in Tacoma, 
Washington, and right here in Moore County. Both of these 
attacks resulted in blackouts that affected tens of thousands 
of people for multiple days. Prior to these instances, we saw 
one of the Nation's most critical pipelines, the Colonial 
Pipeline, suffer a cyber attack that created fuel shortages and 
price spikes that lasted for weeks.
    As members of the Energy and Commerce Committee, we are 
taking a close look at these instances to gather lessons 
learned and determine whether Federal laws or regulations 
should be revised to enhance grid security and resilience. We 
are also gathering the perspectives of the electric industry 
and State partners to learn how we can harden our grid, improve 
situational awareness, and enhance grid security, and support 
the response efforts.
    With that, I would like to welcome our witnesses and thank 
them for appearing before us today. I look forward to learning 
more about the substation attack that occurred here in Moore 
County so I can share the lessons learned with electric 
utilities and State officials in my home State of South 
Carolina and others across the country and with my colleagues 
back in Washington.
    [The prepared statement of Mr. Duncan follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Duncan. So I would now like to recognize your 
Congressman from North Carolina, Richard Hudson, for an opening 
statement.

 OPENING STATEMENT OF HON. RICHARD HUDSON, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Hudson. Thank you, Chairman. This is a day we have been 
looking forward to for a long time. I want to thank all the 
folks in the audience who are here today. I want to thank my 
colleagues for making this trip to my home here in the 
beautiful Sandhills. I want to thank Chairman Jeff Duncan for 
your leadership. I want to thank our witnesses for making time 
to be here today. We really look forward to your testimony.
    I think the testimony we are going to hear today is really 
going to set the table for a national discussion on grid 
vulnerability, and I am proud that this discussion begins in my 
home here today with my friends and neighbors who are part of 
this. We, just this morning, toured the site of one of the 
substations that was attacked, and I wanted my colleagues to 
see the sophistication of that attack and understanding the 
larger implications that plays into the vulnerabilities of our 
total grid. And I think we can learn from what happened here, 
what could happen somewhere else if a more larger-scale attack 
of this sophistication ever were to happen.
    There are a number of VIPs in the audience, and I am going 
to get in trouble if I start naming some of them, but I have to 
single out our sheriff, Ronnie Fields, for your incredible 
leadership, and particularly the way you stepped up and you and 
your deputies working with local law enforcement throughout 
this. Thank you, sir. Incredible job you do every single day.
    Mr. Duncan. Is your mic on?
    Mr. Hudson. My mic on. Oh, wow.
    Mr. Duncan. I thought I was speaking loud.
    Mr. Hudson. Let there be light. That is a little too loud.
    I am not going to start over, but thank you, Sheriff. Also, 
Senator Tom McInnis, thank you for your leadership on the State 
level and the State Senate. I see Neal Jackson, our 
representative, and Ben Moss. They have been working on 
legislation, really important legislation. In fact, I think the 
Governor today is signing legislation that you all worked on to 
increase penalties for attacks like this. I think that is 
really important. I am going to get in trouble, but I have got 
to know the chairman of our county commissioners, Nick Picerno, 
is here and a number of our commissioners. Thank you for your 
leadership. Thank you for being here today.
    We have got our mayor, John Strickland, of Pinehurst. Thank 
you for being here, sir. I see a number of members of the 
village council. Mayor Bob Farrell from Aberdeen, I understand, 
is here. Taylor Clement is here representing the City of 
Southern Pines. Thank you. Mike Hardin, our district attorney. 
We went to separate high schools together. We have known each 
other a long time. Thank you for your leadership. I could go on 
and on. There are so many dignitaries and people here who have 
shown great leadership throughout this. Thank you for being 
here with us today.
    Again, as I said, earlier this morning we toured the 
substation sites, one of the attacks on December 3 leaving my 
home and 45,000 of my neighbors without power for, in some 
cases, almost a week. In the aftermath of this attack, our 
hospital was impacted, threatening medical treatment. Schools 
were shut down, businesses were affected, stoplights went dark, 
gas stations were closed, cell signal was impacted, water 
couldn't be heated. Our region suffered millions of dollars in 
damage, and right before Christmas holiday. It really made the 
hundreds of pounds of deer meat that I lost in my freezer seem 
pretty insignificant, but we felt that.
    An attack like this could have devastated our community, 
and we didn't go without our struggles, but overall I am so 
proud of the resilient response of the people of Moore County 
in the days and weeks that followed these attacks. The people 
here truly showed the best of Moore County, the best of North 
Carolina, and the best of our Nation.
    Community groups stepped in and ensured our vulnerable 
neighbors weren't left without access to critical care and 
resources. Within hours, churches like First Baptist Church of 
Aberdeen and First Baptist Church of Pinehurst and the Yates-
Thagard Baptist Church offered shower, laundry, and meal 
services. Harris Teeter offered free ice for folks for medicine 
and food. Staff and volunteers of the Boys & Girls Club in the 
Sandhills partnered with our food bank to prepare 800 care 
packages. Our fire and rescue, police department, and library 
opened up their doors for folks to access the internet and to 
charge their phones and devices.
    All throughout, I am grateful for the tireless and heroic 
efforts of the workers of Duke Energy and local providers, 
including Randolph Electric Membership Corp., Lee Electric 
Construction, and Pike Electric, who worked tirelessly in the 
cold, 24/7, in the dark, under tremendous stress to get these 
substations back online. Thank you for your incredible 
commitment to our community. It is inspiring to see how 
everyone came together in our time of need, and I want to 
reiterate my many thanks to all those who assisted during this 
time.
    Again, I want to recognize our sheriff, Ronnie Fields, for 
his incredible response and his leadership working with local 
law enforcement and for continuing to follow up on tips and 
leads to determine who is responsible for December's attack. I 
share the community's frustration that we still haven't found 
those responsible. But in Washington, I have worked with the 
Select Committee on Intelligence to coordinate classified 
briefings from the FBI on their assessed threat, not only in 
this case but the overall threat to our grid. I will continue 
to push the FBI to make these attacks a priority and to make 
sure that the appropriate information sharing occurs and the 
cooperation with our local law enforcement so that those 
responsible can be held accountable.
    Since the attack occurred, I have been in listening mode. I 
have heard from constituents, from our grid operators, from 
community developers and business owners who have concerns 
about our grid security and resilience, all against the 
backdrop of historic high energy costs. I share your concerns. 
That is why, as I promised in the days following the attack, I 
brought Washington to Moore County. I want to show my 
colleagues who are here today not just the numbers and facts, 
but the people personally affected and to hear their 
experiences.
    Everyone needs to know the full impact of this kind of an 
attack, the urgent need to address vulnerabilities that this 
exposes in our grid. There are 45,000 stories of why Moore 
County and our Nation need greater grid resilience. Now we have 
the opportunity to hear from experts in the industry and those 
who call North Carolina home on the current state of our grid 
security and how we move forward from these attacks. My 
colleagues and I welcome these testimonies to help us do our 
jobs effectively. And I can guarantee you, when we head back to 
Washington to work, our critical energy transmission 
infrastructure and what vulnerabilities exist will be at the 
forefront of our conversations.
    So I thank my colleagues for being here today. I thank our 
witnesses again for making the time. We look forward to the 
discussion that is going to follow. With that, Mr. Chairman, I 
yield back.
    [The prepared statement of Mr. Hudson follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Duncan. I thank the gentleman for his statement, and 
that concludes Members' opening statements. The Chair would 
like to remind Members that, pursuant to the committee rules, 
all Members' opening statements will be part of the record.
    I want to echo my colleague and thank Duke Energy and 
really all the utilities that are involved in how to do these 
things, but this was a Duke Energy site, and we thank them for 
their work with us. I also want to thank Sheriff Fields and the 
information you provided, and my longtime friend Senator Tom 
McInnis. And I will applaud the legislature of North Carolina 
for the work you have recently done that is going to be signed 
into law today that addresses the penalties for these type of 
attacks. So thanks, North Carolina Legislature, for that.
    I want to remind the crowd this is an official 
congressional oversight hearing. It is not a town hall. We are 
going to operate it like an official hearing and ask you to 
just listen as participants and let us do our work.
    So I want to thank all the witnesses for being here today 
and taking time to testify before the subcommittee. I am going 
to introduce you, and then you will be recognized for 5 
minutes: Mr. Mark Aysta, managing director of enterprise 
security for Duke Energy Corporation; Mr. Will Ray, director of 
emergency management for the State of North Carolina; Mr. Tim 
Ponseti, vice president of operations for the SERC Reliability 
Corporation; and Mr. Jordan Kern, assistant professor at North 
Carolina State University. Go Tigers.
    Mr. Hudson. Come on, Chairman. Come on.
    Mr. Duncan. So per committee custom, each witness will have 
5 minutes for an opening statement and followed by a round of 
questioning from the Members, and there are some lights in 
front of you, I think. Green will designate when we start. When 
it gets to yellow, you need to start kind of wrapping up. When 
it gets to red, your 5 minutes are up. We are not going to 
adhere directly to 5 minutes, but just wrap up there so we can 
be on time.
    So now I recognize Mr. Aysta for 5 minutes for your opening 
statement.

   STATEMENTS OF MARK AYSTA, MANAGING DIRECTOR OF ENTERPRISE 
    SECURITY, DUKE ENERGY; WILLIAM RAY, DIRECTOR AND DEPUTY 
HOMELAND SECURITY ADVISOR, EMERGENCY MANAGEMENT DIVISION, NORTH 
  CAROLINA DEPARTMENT OF PUBLIC SAFETY; TIMOTHY PONSETI, VICE 
PRESIDENT, OPERATIONS, SERC RELIABILITY CORPORATION; AND JORDAN 
KERN, Ph.D., ASSISTANT PROFESSOR, DEPARTMENT OF INDUSTRIAL AND 
      SYSTEMS ENGINEERING, NORTH CAROLINA STATE UNIVERSITY

                    STATEMENT OF MARK AYSTA

    Mr. Aysta. All right. Thank you, Chairman Duncan and 
members of the subcommittee. My name is Mark Aysta, and I 
appreciate the opportunity to be here with you today 
representing Duke Energy, where I serve as the managing 
director of enterprise security. I have more than 27 years' 
experience as a law enforcement officer, including almost 22 
years at the FBI. For the past 4\1/2\ years, I have been 
applying that experience at Duke Energy.
    We are one of the largest energy holding companies in the 
Nation, serving 10 million electric and gas customers across 
seven States in the Southeast and the Midwest, and our 
customers depend on us for an essential service. We know how 
critical it is that we provide our customers and communities 
with reliable, affordable, and increasingly clean energy, and 
our comprehensive security strategy is a part of that 
commitment. In my role, I am responsible for the safety and 
security of nearly 28,000 employees as well as the thousands of 
assets that we have in the field. My team oversees all aspects 
of security, including physical access control systems, 
uniformed security officers, threat intelligence, and more.
    Duke Energy has always had a robust security strategy to 
deter attacks and respond quickly as they occur, and that 
approach is much more than just physical security, barriers, 
and defenses. Our multilayered security strategy includes 
protective barriers, monitoring and control capabilities, and a 
cross-functional team assessing threats 24 hours a day, 7 days 
a week, 365 days a year. We also partner with industry peers 
and engage in daily intelligence sharing with law enforcement 
at all levels. The strategy is always evolving as we evaluate 
new and emerging threats and expand our partnerships.
    We are all here today because on the night of December 3, 
two Duke Energy substations in Moore County were attacked, 
cutting power to 45,000 customers. The repairs were extensive, 
and Duke Energy had crews doing 24-hour shifts, working through 
multiple repair paths, and replacing several large and 
important pieces of equipment in order to restore service.
    We appreciate how patient our customers were, and we sought 
incredible support from the local community during this 
extended and challenging outage. We continue to work with the 
FBI and local law enforcement on their investigations into the 
attacks in Moore County. We have also taken steps to enhance 
our security strategy in the wake of the attacks. I would like 
to share with you some of the measures that we have taken.
    Immediately after the attacks, we increased monitoring 
capabilities at our substations in Moore County, and over the 
last 6 months, we have done a comprehensive review of our 
electric assets across our six-State territory. As a result of 
our review, we are shifting from a tiered ranking system 
focused largely on an asset's impact to the bulk electric 
system to a tiered approach with a greater focus on potential 
impact to customers. It is through this lens we have identified 
opportunities to increase security and surveillance, and we are 
developing implementation schedules for this work.
    We are also improving our processes and rapid-response 
protocols for essential equipment and personnel. We have 
identified critical parts with long lead times that may be 
needed for repairs to essential equipment, and we are working 
to strategically locate those parts to be available for rapid 
deployment. We have embarked on a plan to train chief law 
enforcement officers across our six-State footprint on threats 
to the grid and how they can better protect it. We will 
continue exploring opportunities for additional improvements in 
the future, even as we execute on those upgrades today.
    But we understand that, even with a robust strategy of 
deterrence and monitoring, no utility can completely eliminate 
the risk of an attack. That is a reality of operating an 
electrical system that extends across nearly 100,000 square 
miles and includes thousands of substations and millions of 
components. It is why we firmly believe grid resiliency must be 
a part of the conversation. The same self-healing technology 
that can detect outages from storms, isolate problems, and 
reroute power to restore service to customers can also help 
mitigate the impact of an attack on the grid.
    Investments in resiliency are a critical part of the $75 
billion in grid improvements Duke Energy has planned for its 
electrical utilities over the next decade. With an electric 
grid that spans multiple States, Duke Energy does not believe 
that grid security mandates containing a one-size-fits-all 
approach would lead to better protection, affordability, or 
reliability for our customers. We look forward to taking part 
in the conversation and working with Congress on how best to 
deter attacks, protect our infrastructure, bolster our supply 
chain to more quickly replace critical equipment, and recover 
faster from attacks and other adverse events.
    With that, I welcome your questions.
    [The prepared statement of Mr. Aysta follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Duncan. I thank the gentleman. I will now recognize 
Director Ray for 5 minutes.

                    STATEMENT OF WILLIAM RAY

    Mr. Ray. Good morning, Chairman Duncan, Representative 
Hudson, and members of the committee. Thank you for this 
opportunity to speak on behalf of the State of North Carolina.
    Broadly, critical infrastructure protection is a vital 
piece of our overarching homeland security enterprise as we 
continue to see the types of threats, hazards, and incidents 
emergency management and public safety agencies nationwide are 
having to prepare for and respond to increase both in frequency 
and in complexity. The intersection and integration of the 
traditional emergency management and the homeland security 
enterprise continues to grow in importance. As the team here in 
North Carolina has reviewed some of the recent incidents, there 
are four areas that we would like to highlight as a part of our 
evaluation today.
    First is the importance of partnership. In emergency 
management, we utilize a whole-of-community approach as we 
execute our all-hazards mission. I cannot overstate the 
importance of partnerships here in North Carolina to do that 
effectively. Regardless of incident type or need, it takes 
public sector, private sector, nonprofits, and volunteer 
agencies at all levels--Federal, State, local, Tribal, and 
territorial--to effectively work through the continuum of 
mitigation, preparedness, response, and recovery. This concept 
is not simply a talking point or a platitude but a strategy 
that is central to what we do here. At every level of the 
response for the December incident, partnerships were key, 
whether facilitating movement of equipment for power 
restoration in feeding or addressing the needs of those 
impacted or as we have moved through the investigation. 
Relationships fostered and developed preincident have been and 
continue to be essential to enhancing and improving what we do 
as emergency managers.
    Second, information-sharing protections. As I have said, 
the private sector is an essential part of preparedness and 
response. The percentage of the Department of Homeland 
Security-defined critical infrastructure sectors owned by the 
private sector is significant. We must evolve and recognize 
that, public or private, we need the members of those 16 
sectors at the table and in partnerships in which they can be 
fully transparent. Part of the value of the emergency 
management and homeland security enterprises is we come largely 
without a regulatory role. The information-sharing protections 
currently in place do not adequately support open, honest, and 
transparent dialogue between public and private sector, and we 
must be able to work together in an environment that addresses 
the needs of both public and private sector in that information 
and intelligence sharing. The current Federal and State 
information-sharing and intelligence protections do not fully 
address the need for open dialogue while protecting the parties 
engaged, as well as limiting information sharing due to 
classification requirements.
    Third would be related to preparedness, funding levels, and 
needed flexibility. Many States, including North Carolina, 
heavily rely on Federal funding from the Department of Homeland 
Security and the Federal Emergency Management Agency to support 
critical infrastructure protection program execution. Federal 
funding levels have largely plateaued, accompanied by an 
increasing requirement to fund various national priorities with 
that limited funding. While we certainly acknowledge the 
importance and the validity of those national priorities, those 
do not always translate to meet the specific needs of the 
States, locals, Tribes, or territories. By forcing States to 
adopt those strict and specific spending targets, funding is 
not as effective as it can be. We have incredibly smart and 
competent emergency management and homeland security 
professionals in States across this Nation, and we should trust 
the abilities of those individuals to make the best choices for 
their respective State or jurisdiction.
    Finally, we want to highlight some of the authority 
challenges. Currently, the Robert Stafford Disaster Relief and 
Emergency Assistance Act is the major governing authority for 
Federal disaster response and recovery. By extension, this act 
has influenced many of the State disaster declaration 
authorities in place across this Nation. Currently, this 
Federal act is not structured in a way that can support 
response and recovery for incidents such as the recent Moore 
County event standing on its own. It is still largely focused 
on the impacts of a large-scale natural hazard event.
    If we are going to support the emergency management and 
homeland security apparatus across this country in responding 
to consequence management needs of communities and individuals 
in need, we need a modernized Federal Disaster Relief Act. We 
know that FEMA and other agencies in the Federal family have 
and will continue to support response as they are able and will 
fully engage under their existing authorities, but the 
significant gap will be in the lack of ability of Federal and 
State governments to support critical recovery efforts for 
communities that are experiencing significant impacts.
    In closing, I would like to acknowledge the men and women 
of Moore County. During the incident in December, the response 
was a demonstration of this whole-of-community approach we 
talked about at the beginning--public, private, nonprofit, and 
volunteer coordinating--to meet the needs of their community. 
We are incredibly proud of this community and their resilience. 
On behalf of the State of North Carolina, thank you for holding 
this hearing, and thank you for highlighting the importance of 
critical infrastructure protection as an integral part of our 
homeland security strategy and enterprise. Thank you.
    [The prepared statement of Mr. Ray follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Duncan. I thank the gentleman for his statement. I now 
go to Mr. Ponseti. Am I pronouncing that right? Yes, you are 
recognized for 5 minutes.

                  STATEMENT OF TIMOTHY PONSETI

    Mr. Ponseti. Thank you, Chair Duncan and members of the 
subcommittee. I am Tim Ponseti, VP of operations at SERC, 
headquartered in Charlotte, North Carolina, and I really 
appreciate the opportunity to provide SERC's perspective on 
grid security and resilience. As someone who spent the better 
part of my career working to keep the lights on in one form or 
another, I appreciate your focus on these critical issues.
    SERC is one of six regional entities that cover North 
America, working with and under the oversight of the North 
American Electric Reliability Corporation, or NERC, responsible 
for preserving and enhancing the reliability, resilience, and 
security of the bulk electric system. SERC is an independent 
resource for the industry, regulators, and policymakers. Our 
central mission is the effective and efficient reduction of 
risk to the bulk power system using all the tools and powers at 
our disposal. These tools include not only shining a light on 
key risks through outreach and training but ensuring that the 
mandatory standards are followed and met through a regular 
cadence of audits and spot checks. And when they are not, we 
have a variety of enforcement and mitigation tools we can use 
as well, which include potential for significant fines for 
major program failures.
    Every year, SERC staff works with our technical committees, 
which include 1,500 industry subject matter experts, to 
identify the top regional risks facing our footprint. Thirty 
are called out in our recent regional reliability report and 
the top 10 highlighted. It is worth noting that the SERC team, 
along with its technical committee members, identified seven 
common themes and emerging trends among all the risks, and I 
want to highlight two of those.
    First, security risk, both cyber and physical, are growing, 
and in the top 10 we have 4 that are in that area: supply 
chain, legacy architecture, exploiting cyber vulnerabilities, 
and extreme physical attacks like we saw in Moore County. 
Extreme weather is also a key risk to the SERC region, 
especially when coupled with the lack of situation awareness 
and lack of fuel diversity.
    Along with NERC and the regional policymakers here today, 
SERC shares a deep concern for the recent increase in physical 
attacks on electric infrastructure. While we have always seen 
substation break-ins for copper theft, we are seeing more and 
more attacks which exceed the threshold of criminal mischief 
and rise to the level of sabotage. Clearly, Moore County and 
the Seattle-Tacoma attacks which resulted in outages last 
December, all with the plot that the FBI thwarted in Baltimore, 
have triggered growing concerns around the physical security of 
our electric infrastructure. Fortunately, the bulk power system 
has built into it extraordinary levels of redundancy, which 
enhances reliability and creates resilience. It takes 
widespread system damage, like from a hurricane or tornadoes or 
ice storms, or targeted attack, like what happened in Moore 
County, to leave a large number of people in the dark for an 
extended period of time.
    FERC, NERC, and the regions are focused on the protection 
of bulk power system, generally defined as 100 kV and above on 
the transmission system, 75 megawatts and above from 
generation. Our focus is on the avoidance of large-scale 
reliability events, events that generally affect millions of 
people. That is the framework of CIP-014, which is the physical 
security standard for protecting the most critical transmission 
substations.
    Given the recent increase in physical attacks on the bulk 
power system, and shortly after the Moore County attack, the 
Federal Energy Regulatory Commission ordered NERC to conduct a 
study to examine the effectiveness of the CIP-014 standard. 
This order directed NERC to address three questions: the 
adequacy of the criteria, the adequacy of the risk assessment, 
and whether a minimum level of physical protection should be 
established for all BPS transmission substations. At FERC's 
April 20, 2023, meeting, Jim Robb, NERC's president and CEO, 
summarized that CIP-014 study. The study found the criteria and 
risk assessments are adequate but also identified additional 
actions and areas for further study. As a next step, NERC and 
FERC are holding an open technical conference on August 10 in 
Atlanta to determine if further risk-based measures are needed 
in this area.
    In wrapping up my remarks, the impact of localized events 
such as the Moore County incidents are high-profile and deeply 
concerning. As each of my five kids reminded me during COVID 
lockdown while doing school from home every day online, 
reliable electric power and reliable internet service are now 
viewed as part of life's basic necessities. SERC is committed 
to working with its registered entities, policymakers, NERC, 
FERC, and others to ensure a highly reliable, resilient, and 
secure bulk power system in North America. Thank you.
    [The prepared statement of Mr. Ponseti follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Duncan. Thank you, Mr. Ponseti. Dr. Ray, you are 
recognized for 5 minutes.

                STATEMENT OF JORDAN KERN, Ph.D.

    Dr. Kern. It is Kern. Sorry.
    Good morning and thank you for the invitation to speak 
today. My name is Jordan Kern. I am an assistant professor at 
North Carolina State University in the Department of Industrial 
and Systems Engineering. At NC State, I conduct research on 
bulk electric power systems. My group builds software that 
simulates the behavior of real-world systems, for example, the 
North Carolina grid, the Duke Energy grid, and/or the entire 
eastern interconnection. We use these models to stress test 
systems' performance and explore how the vulnerability of the 
power grid might change in the future.
    My group's research is funded by the National Science 
Foundation and Department of Energy, and many of my most 
consistent and productive collaborations are with national 
laboratories, especially Pacific Northwest National Laboratory. 
My group's research also frequently involves stakeholders in 
the electric power industry, including electric utilities, 
merchant power generators, system operators, and regulators.
    There are some important challenges for grid planners and 
operators in which I have comparatively little expertise, 
especially alongside these folks. These include global supply 
chains, cybersecurity and terrorism, and regulatory permitting 
and market reforms. I am more qualified to talk about the 
challenge of protecting the grid against more frequent and 
extreme weather while also reducing greenhouse gas emissions to 
very low levels.
    More than 80 percent of major power outages, or outages 
affecting at least 50,000 people, are caused by extreme 
weather. This costs $25 billion to $75 billion per year in the 
form of damaged equipment and service outages. In order, the 
most damaging weather events to the grid are typically from 
severe thunderstorms and winter weather, hurricanes and 
tropical storms, extreme heat, and then wildfires. Generation, 
high-voltage transmission, substations, and low-voltage 
distribution infrastructure are all vulnerable in different 
ways.
    Apart from economic costs, service interruptions pose life-
threatening risks for people who depend on electricity-powered 
medical devices, and these risks can be exacerbated if power 
outages are associated with or occur at the same time as 
hazardous conditions like flooding, wildfire, or extreme 
temperatures. I am often asked how climate change will impact 
this dynamic, and the answer is it is different across the U.S. 
and somewhat uncertain. The risks for the grid that scientists 
are confident about include more intense hurricanes, more 
frequent and severe heat waves, and, depending on the region, 
drought.
    Although there are a range of different technology pathways 
in which the U.S. can achieve adequate cuts in carbon emissions 
to avoid the worst impacts of climate change, the lowest-cost 
scenarios look likely to involve a lot more reliance on wind 
and solar. A growing number of tools are available for managing 
variability in wind and solar, and these include, but are not 
limited to, energy storage, flexible uninterruptible demand, 
maintaining responsive generators as backup, increased 
transmission and coordination across system operators, and 
improved forecasting.
    Utility-scale renewable energy has been documented in some 
cases to perform well during periods of grid scarcity, and 
distributed solar, in particular, offers some unique 
capabilities for resiliency in remote areas. Nonetheless, tying 
a majority of the U.S. electricity supply to variable energy 
could alter the exposure of the grid to weather risk in 
important ways.
    For example, in my own research I have observed that, due 
to uncertainty in weather conditions, the amount of backup or 
firm capacity needed in grids decarbonized via wind and solar 
could be somewhat higher than what some national modeling 
studies have suggested. There are other important ways in which 
a rapid transition to clean energy could alter risks associated 
with extreme weather. For example, I worry that we don't fully 
understand the potential for reduced mobility of vulnerable 
communities during weather disasters if we largely electrify 
light-duty vehicle transportation in the U.S.
    One of the best ways to protect against some of these risks 
is to perform stress tests of our current systems and the 
systems we hope to build in the future. There are already 
established practices in place at utilities, system operators, 
and regulators to do this. However, as the grid expands into 
other economic sectors, as we add less controllable sources of 
generation to the mix, and as climate change alters the chance 
of extreme events occurring, I believe it is becoming more 
difficult to characterize the plausibility, let alone the 
likelihood, of different future scenarios and extreme events. 
And as a result, stress testing the grid is becoming more 
difficult to perform and the results somewhat more difficult to 
interpret, even as the grid is becoming more and more important 
in the lives of Americans.
    So I will leave it there, and thank you for allowing me to 
speak today.
    [The prepared statement of Dr. Kern follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Duncan. Thank you, Dr. Kern. I apologize for 
recognizing you wrongly a minute ago.
    This concludes opening statements of our panelists, and now 
we will move into the question-and-answer portion of the 
hearing today. And so I want to start out with Director Ray.
    I want to thank you for being here sharing the insights. 
And as a director of North Carolina Emergency Management, you 
have many responsibilities, including coordinating the response 
and recovery to energy disruptions like we saw in December, and 
energy blackouts. Were there lessons learned from the 
substation attack in December or aspects of the response and 
recovery that went well that we can take back with us to 
Washington?
    Mr. Ray. Thank you for that question and for your earlier 
introduction, I will take the field promotion to doctor. Thank 
you.
    Mr. Duncan. Yes.
    Mr. Ray. I think I really, truly can't overstate the 
partnership piece, and one thing that I did not expand upon --
--
    Mr. Duncan. Hold that mike just a little bit closer. There 
are a lot of folks in here, and I want to make sure that TV and 
everybody can hear it better.
    Mr. Ray. Certainly.
    Better?
    We have a longstanding practice here in North Carolina of 
blue sky partnership with all of the partners across the 
electric sector, to include Duke Energy as well as Dominion and 
the co-ops and some of our municipal providers. That is 
something that needs to continue to be incentivized and that we 
have the latitude and ability to continue to do that.
    Here in North Carolina, we are structured, from an 
emergency preparedness response and recovery standpoint--as you 
all know, everything begins and ends locally. This community 
was there responding to the incident well before we get there, 
and they will continue to deal with the impact of the incident 
well after anyone from the State leaves. I think that structure 
here in North Carolina, our ability to surge resources, whether 
it is people or equipment, into impacted jurisdictions and 
having the authority to continue to do that, I think, is going 
to continue to be key.
    The other piece of the lesson learned, I think, is some of 
what I spoke about in my statement, I think, to what would help 
continue to facilitate our ability to respond decisively to 
support our local jurisdictions is appropriate funding levels 
and flexibility to meet that expanding need as we talk about a 
very complex issue broadly of critical infrastructure 
protection. And then secondly, that we have the protections in 
place to be able to open and transparently talk with private-
sector partners at large about impacts they are seeing as well 
as to be able to transfer and translate information from what 
is historically law enforcement into our private sector, 
obviously putting appropriate protections in place for tactics, 
methods, et cetera, but that we are able to provide actionable 
information to our local jurisdictions and our private-sector 
partners to take appropriate steps.
    Mr. Duncan. Thank you for that. And I think the most 
valuable thing is just forward thinking, you know, trying to 
anticipate these type of events before they do happen and how 
we can do that, but great answer.
    Mr. Aysta, I don't believe there was a one-size-fits-all 
approach to harden the grid or electrical substations. We 
talked about that a little bit this morning. You mentioned in 
your written testimony that Duke is switching from a tiered-
ranking system focused largely on an assets impact on bulk 
power system to a tiered approach with a greater focus on 
potential impacts to customers. Can you explain why this new 
approach is better, and what does it mean in practice?
    Mr. Aysta. Yes. Chair Duncan, thank you for that question. 
Every substation is unique. It is unique in its location, in 
its design, in its topography, and the customers it serves. So 
this starts with tiering the substations with both their 
criticality to the bulk electric system but also to those where 
there is customer impact. When I say ``customer impact,'' we 
are talking about those substations where we can't reroute 
power. So if there is a substation and it is taken out of 
service by a tornado or hurricane or a threat actor and we can 
field switch that power and the customers feel no impact, that 
is not a substation that we are going to focus on. We are going 
to focus on those substations like what you saw at West End 
this morning, where we cannot switch power. We have to use ----
    Mr. Duncan. When you say ``switch,'' you are just talking 
about rerouting so there is no interruption?
    Mr. Aysta. Rerouting power, yes, sir. We cannot reroute 
power. So the customers don't care what route, what circuit 
their electricity comes on. They just want their lights on.
    So we start with having an intelligence-driven program. 
That is understanding what is the threat, who are the threat 
actors, why do they want to hurt the grid, what are their 
tactics, their techniques and procedures, what is their level 
of maturity? And by understanding that now, we can start 
implementing controls on those bulk electric system assets and 
those assets where there is customer vulnerability. And we do 
that by utilizing a philosophy called defense in depth. You may 
have heard of defense in depth in the cybersecurity world. 
Well, we have the same thing in the physical security world, 
which is a series of overlapping security controls that allow 
us to have earlier detection of a threat actor, decrease our 
response time, and allow a quicker law enforcement response to 
be able to mitigate the attack. We talked about in West End 
today that that was a very sophisticated attack.
    Mr. Duncan. Thank you for that. I am going to go over time 
just a little bit, but according to the Energy Information 
Administration's website, it contains a tremendous amount of 
information about sensitive information, maps identifying 
locations of power plants and power lines. I don't want to give 
the bad guys a roadmap to attack our grid. Are you concerned 
about the amount of information that might be out there, and 
quickly, please, Mr. Aysta?
    Mr. Aysta. Yes, sir. We are concerned. It is not only on 
that website, but there are also other websites that threat 
actors have used to identify targets to ----
    Mr. Duncan. Are you all starting to remove that data from 
your website? Is Duke Energy addressing that? I am sure we are 
going to be talking with the Energy Administration about that 
as well.
    Mr. Aysta. We do not have that level of data on our Duke 
Energy website.
    Mr. Duncan. OK. Good. Thank you. I now recognize my friend 
from North Carolina, Mr. Hudson, for 5 minutes.
    Mr. Hudson. Thank you, Chairman. This is on? OK. Thank you 
all for this.
    Mr. Ray, thank you for your excellent testimony. I think we 
have one of the, if not the best, emergency management State 
organizations in the country. Thank you for your great work and 
the folks over there. Unfortunately, it is because we have had 
a lot of practice with hurricanes and other issues, but as you 
mentioned, there is a difference between a power outage and a 
storm response. I don't have time now, but I want to get into 
the information-sharing issue too. I think that is a major 
issue you have raised this committee needs to address.
    But on the issue of authorities, in particular, I would say 
two-part question. One, what are the security gaps and 
challenges associated with delivering an emergency response 
during a blackout as opposed to a storm, but number two, what 
are the new authorities or different authorities you need to be 
able to address this type of threat?
    Mr. Ray. Thank you for that question. And first, I will say 
I am privileged to be in my role and work alongside the men and 
women of North Carolina Emergency Management every day. We are 
a 300-strong, small but mighty organization and really value 
the work that they do every day.
    I will take the second part of your question first. I think 
a couple of things. One, I think our current information-
sharing and intelligence protections are very narrow and 
specific, and we need to be able to take a look at those and 
broaden them to address these types of complex incidents. 
Again, I think this is a natural evolution of as we see 
authorities that have been put in place over the years, we need 
to take a step back and evaluate how do the incidents we are 
required to prepare for, respond to, and recover from. However, 
they are also now included in those information-sharing 
protections.
    I think it needs to be one that is mutually beneficial. As 
I said, the private sector holds a significant amount of 
critical infrastructure that we rely on in public safety and in 
our homeland security enterprise every day to do the work that 
we do. To be able to integrate with them, to be able to support 
them and have them support us and our communities that are 
impacted, we need protections that, I think, benefit both sides 
of the equation. I think anytime we put emergency responders 
out or have individuals moving out in an area of operation, 
whether it is due to a natural event or one like we dealt with 
in Moore County, there is always a heightened risk. As well as 
I know our local partners here in Moore County, we take 
personal--personnel accountability and safety is really one of 
our top operational priorities as we start moving people 
around.
    Obviously, when you talk about a response that is not 
supported by power in a jurisdiction, I think those bring on 
some specific risks that are different from the short-term 
risks that we see in a natural hazard. That is something we 
take into account as we develop response strategies. It is 
something that the team here in Moore County certainly did as 
well. And I think it is a testament to, really, the work that 
they did in protecting their public safety personnel that the 
many individuals and teams and equipment they had out moving 
across this jurisdiction during the response did so without 
major incident. That is truly a testament, I think, to their 
leadership and abilities here.
    Mr. Hudson. Thank you for that. Folks who aren't from here 
may have realized we are 35 miles away from the largest Army 
base in the world. I am proud to be their Congressman. I have 
been working to make that installation a leader in energy, 
security, and resilience within fiscal year 2022 NDAA. I helped 
secure provision to replace or to require the Secretary of 
Defense--that was funny. I did not say we are going to replace 
Secretary of Defense, but that is a good idea. Maybe we ought 
to strike that out of the record.
    But anyway, to require a Secretary of Defense to plan and 
design for military construction projects that would install an 
energy microgrid with intentional landing capability for at 
least 7 consecutive days, and in the upcoming NDAA for 2024 
authorize the Secretary to construct a 10-megawatt microgrid, 
utilizing existing and new generators at Fort Bragg, Fort 
Liberty. I am excited to support this legislation through our 
negotiations and push for this to get over the finish line.
    I would ask Mr. Aysta--and maybe Mr. Ray may want to jump 
on this too--but how would the construction of microgrids help 
in situations like this in terms of getting customers back 
online quicker? Do you see that as a solution that we ought to 
pursue? Mr. Aysta, I ask you to start.
    Mr. Aysta. Yes, Congressman, thank you for that question. 
The grid is very complicated and very interconnected. What I 
would like to do is be able to take that question back to my 
team and then circle back with you.
    Mr. Hudson. That would be great. And I am out of time, but 
Mr. Ray, if you have a brief ----
    Mr. Ray. I think anytime we can diversify and as well as 
integrate solutions that we are putting out into the field, I 
think that is going to be key, whatever the technology.
    Mr. Hudson. And I would just, Mr. Chairman, ask if any of 
the other witnesses, particularly Mr. Ponseti--this may have 
been more your area of expertise--but I would love a response 
in writing to that, your thoughts on microgrid as a solution as 
we look forward. I appreciate that very much.
    And, Mr. Chairman, I appreciate your indulgence, and I 
yield back.
    Mr. Duncan. Absolutely. We are in your territory, so 
definitely. I will now go to Ohio, Mr. Latta, for 5 minutes.
    Mr. Latta. Well, thank you, Mr. Chairman, and thanks for my 
good friend from North Carolina for having us down. Thanks for 
being here. You know, we only have 5 minutes to ask questions. 
I am going to have to ask my questions quickly if I get my 
responses.
    First, one of the things that we have always been concerned 
about is, you know, information is out there. We want to make 
sure it is getting disseminated, and information is only as 
good if it is getting shared with its partners. Mr. Ray, you 
know, when I read through your testimony, I was a little bit 
concerned because also what you said in your testimony, but the 
words you use--``open, honest, and transparent dialogue.'' Is 
that not occurring?
    Mr. Ray. It is occurring within, I think, the current 
structure that we have. I think it is something that we are 
always aware of and in the back of our minds. And so if there 
is an opportunity to strengthen or harden what those 
information-sharing protections are, and that as we are working 
through the complexity of an incident response and recovery, 
that is something we have very clear and established and not 
something we continue to--we have to think about in the back of 
our head.
    Mr. Latta. Let me follow up. Let's talk from the Federal 
side. Do you think you are getting enough information from the 
Federal side and make the decisions you have to make here in 
North Carolina?
    Mr. Ray. I think we enjoy really critical partnerships with 
our Federal family here in North Carolina. We have a State 
Homeland Security advisor workgroup that meets monthly, and 
many of our Federal agencies are a part of that, and so I do 
feel like we are supported well from our Federal agencies. I 
think in any response, as you evaluate it, could we do things 
better? Certainly, and I think, broadly, communication and 
information sharing is always going to be one of those things.
    Mr. Latta. Let me just follow up real quickly. Another 
point you made, and you touched on it before, but by forcing 
States to adopt strict and specific spending targets, the 
funding is not effective as it can be. And again, the one thing 
we worry about is the one-size-fits-all coming out of 
Washington. You know, what you do here in North Carolina might 
not work with what we do in Ohio. And so, you know, we want to 
make sure that we have good followup with you because, as we go 
forward, that, again, it doesn't work if it sounds like coming 
out of Washington because, oddly enough, Washington doesn't 
know it all. And we need to hear from the people in the States 
as they make these things work.
    Mr. Ponseti, if I could turn to you, quickly. When I looked 
through your testimony, you know, one of the things that I am 
concerned about, especially when you have your report that you 
issued, the top 10, we are looking at supply chain exploitation 
and vulnerabilities and extreme physical events being made, and 
sabotage. Again, these are the things we are worried about 
because, again, what happened here. It is not just Mother 
Nature anymore. And I guess my question is that, if we have 
coordinated attack--let's go back to 9/11. You know, the 
terrorists came back after trying a truck bomb, and what 
happens if we would have a massive attack across country, not 
just isolated maybe in a State or two? What would that do to 
the system out there across the country because, again, you 
know, we have had testimony in committee on supply chain 
issues, and the supply chain is--that we don't have it, and so 
what happens if we do have an attack like this? And, again, 
because your top two on supply chain and that exploitation of 
vulnerabilities, and then you are number seven in extreme 
physical events, either manmade, sabotage, and attacks, what 
happens? What happens to the grid?
    Mr. Ponseti. Great question. And one of the reasons that 
physical cybersecurity standard, CIP-014, one of the things it 
does is it goes after the most, you know, the diamonds, if you 
will, the most critical stations across the country, and then 
asks each utility to go through a separate, a very precise set 
of assessments. And so, you know, if you have one of these 
diamonds in your territory, these are the protections you need 
to put in place. So that has worked very well.
    So for our force, it recognizes one size doesn't fit all, 
which has been made a couple times, but it makes sure those 
critical jewels, if you will, the transmission grid are 
protected from cascading outages, from uncontrolled separation, 
and from voltage collapse or instability, so the whole grid 
collapsing because of that shouldn't happen. But just like you 
have during a major storm, you are going to have a bunch of 
widespread local outages.
    Mr. Latta. Let me follow up on the last 15 seconds that I 
have. You know, we had a wind chill in Ohio several years ago, 
and so we had power companies from across the country sending 
trucks up to Ohio to help us from the west side of State to the 
east side of the State, but, again, that is a State. But again, 
my concern is if we have a coordinated massive attack, do we 
have the supply chain out there to be able to meet it, because 
we have a vulnerability out there. We have had testimony in 
committee before on transformers that there is only a set 
number there, but all of a sudden, that is like, OK, we are 
going to do a triage out there to figure out who needs to get 
them first.
    Mr. Ponseti. The industry works together to share 
equipment, and they have spares and redundancy, but certainly 
in a widespread attack, you are going to face challenges. Some 
of these specialized equipment, like you all saw today at West 
End, are long-lead-time items to replace. And they are 
specialized and specific, usually for the type of substation 
that they are being plugged into, so that is why supply chain, 
it has moved to number one on our list.
    Mr. Latta. Thank you, Mr. Chairman. My time has expired, 
and I appreciate your indulgence.
    Mr. Duncan. I think one of the critical points you just 
made was the need for domestic sourcing of these critical 
components, and that is vital, and we have got to work on that 
as a nation. I now go to Mr. Griffith from Virginia for 5 
minutes.
    Mr. Griffith. Thank you, Mr. Chairman. I appreciate it. I 
represent a big chunk of Virginia north of here and have a 
little piece of central territory, and it is a huge rural 
district, just outside of Lynchburg. I am just outside of 
Roanoke, got southside, part of central, and then all of 
southwest Virginia. Dr. Kern, I want to give you an 
opportunity, because I heard something--and maybe I heard it 
wrong.
    Dr. Kern. Yes.
    Mr. Griffith. So, understanding my district, this is why my 
ears picked up on this. You seem to be concerned that if we 
convert a large part of our fleet to electric vehicles, that in 
extreme weather conditions, folks like I represent in very 
rural areas are going to have significant mobility issues. Did 
I hear that correctly?
    Dr. Kern. Yes, I think that there is a possibility that 
that could happen. I think in theory, the idea of having people 
who have access to batteries or stored energy in their vehicles 
could represent a source of resiliency. But if the outages are 
prolonged enough and there is a limited capacity in people's 
vehicles, then they have a choice to make about whether they 
power lifesaving devices in their homes or whether they get out 
of there.
    Mr. Griffith. Now let's talk about the lifesaving devices 
too, because you are really concerned about blackouts and those 
types of things as well. Did I hear that in your testimony as 
well?
    Dr. Kern. Yes, sir.
    Mr. Griffith. And so we need to make sure that the grid is 
reliable and that we have that supply chain. Mr. Ponseti, I am 
going to go to you next because, you know, we had some 
definitely rolling blackouts in my district and in part of that 
SERC central, I think there were some blackouts in Kentucky 
during that severe weather right before Christmas. This area 
was dealing with the transformers that got shut up. I have to 
wonder how much more severe it would have been if the 
temperature had been 3 degrees, like it was in my district on 
Christmas Eve.
    So as a part of that, let's talk transformers for a minute. 
I am looking at the NERC 2023 Summer Reliability Assessment 
where also that central section is on a higher--just make sure 
I get the terminology--an elevated risk level for the summer, 
but it applies to the severe weather in the winter as well. We 
don't have enough transformers. Now, part of that--you tell me 
if I am wrong--part of that was because of the increased 
efficiency standards set by the Department of Energy in 2013, 
and now they want to go again. And the report says that, as far 
as supply chain, ``new efficiency standards for distribution 
transformers proposed by the United States Department of Energy 
could further exacerbate the transformer supply shortage.'' So 
is that your assessment? Do we got a problem there?
    Mr. Ponseti. I am probably not the right person to comment 
on policy and that impact, but I do know that transformers, if 
they become scarce and/or damaged, like what happened during--
here in Moore County, to fully replace it is a long-lead-time 
item. And Duke did an extraordinary job with some mobile spares 
and other stuff to get that power back very quick.
    Mr. Griffith. And I would agree, Duke did a fantastic job, 
but with the new standards that came in 2013, we eliminated all 
but one of the American suppliers of steel for transformers, so 
now we are having to import that. If we have a major disaster 
that Mr. Latta was talking about, we are not going to have the 
transformers out there available. And do you think we would be 
better off if we had something along the lines of the Rene-
Olmos proposal of a public-private partnership to have some 
large distribution transformers stored at various locations 
around the country to make sure that, if we have either a 
natural disaster or an attack by an enemy, that we are able to 
put our power grid back together in a quicker--never going to 
be immediate--but in a quicker time period?
    Mr. Ponseti. So I am a former planner and former Boy Scout, 
and being prepared makes good sense to me.
    Mr. Griffith. Basically, do you think that Duke would be 
willing to participate and put some cash on the table if we 
could have a national public-private partnership to have 
transformers sitting in warehouses waiting to see if we had a 
disaster of some form? Yes or no, because my time is running 
out.
    Mr. Ponseti. Congressman, we can definitely engage in that 
conversation.
    Mr. Griffith. All right. And, Mr. Ray, you indicated that 
some of the national priorities don't match up to help States 
to be more efficient. I got to know, what are they?
    Mr. Ray. So I think, again, we are not in any way, shape, 
or form trying to minimize what I think our Federal partners 
see at a high strategic level. We know their priorities.
    Mr. Griffith. Yes, I get it. What do you see the problems 
in the State?
    Mr. Ray. I think, currently, we don't have the flexibility 
to say we don't want to spend as much money on one national 
priority versus another that may be higher here in North 
Carolina, and I am happy to ----
    Mr. Griffith. So if we are fighting between electric 
vehicle chargers in rural areas or transformers, you would like 
the flexibility to choose transformers. I put the words in your 
mouth. I also say Stafford needs to be reformed. I yield back.
    Mr. Duncan. All right. The gentleman yields back. We now go 
to the crossroads of America, Indiana, Dr. Bucshon, for 5 
minutes.
    Mr. Bucshon. Thank you, Mr. Chairman. Thank you to our 
witnesses. In recent years, we have obviously been confronted 
with just how vulnerable the grid is. Physical and 
cybersecurity threats, weather events, and delays in 
maintenance all contribute to the uncertainty for providers and 
ratepayers, but it is not just the electrical grid. It is all 
critical infrastructure, as we saw with the Colonial Oil 
Pipeline shutdown, going forward, ensuring that State/local 
governments and the electric industry have the necessary 
capabilities to prevent attacks and to coordinate respond and 
recover from grid attacks should they occur.
    Director Aysta, I am aware of the challenges Duke Energy 
has faced pertaining to security of electrical grids and 
substations, as have all pretty much all other providers across 
the Nation. I think it is critically important that private 
companies work with governmental agencies, including law 
enforcement. There can be barriers. Has Duke been able to share 
information on this incident with law enforcement and the local 
agencies without the requirement for time-wasting legal 
paperwork or court action?
    Mr. Aysta. Congressman, we maintain very close 
relationships with our law enforcement and intelligence 
partners. On this specific case in Moore County, when we are 
going to be releasing confidential information about customers 
or about employees, we will require court orders or some kind 
of legitimate legal process.
    Mr. Bucshon. Sure, understood. And, you know, we just want 
to make sure, obviously, there are not barriers in place that 
unnecessarily delay action on instance--across the country--and 
I understand that legal barriers can exist. I recently visited 
CenterPoint Energy in Houston, Texas. They serve about 2 
million people in the Greater Houston area, but they also serve 
the natural gas in southern Indiana, hence was the reason I was 
down there.
    And this is a question for you, Mr. Aysta, also. It was 
interesting to me--yet we are talking about cyber, we are 
talking about physical attacks, weather events--but also what 
they are doing for EMP, for electromagnetic pulse protection, 
at their control station was actually pretty impressive. It is 
a new station. Not a retrofit. This is a proactive thing. Is 
Duke Energy looking to address EMP attacks on your stations?
    Mr. Aysta. Congressman, we work very closely with the 
Electric Power Research Institute that is doing a large-scale 
study on EMPs, and that is a part of our company is engaged 
very closely with them on that type of an attack.
    Mr. Bucshon. Yes, I mean, you know, upfront, there's some, 
obviously, capital costs what they did at CenterPoint in 
Houston, and retrofitting, you know, will be another challenge. 
But I just wanted to bring that up, that EMP attacks are on the 
horizon and are potentially very damaging.
    Director Ray, in recent events pertaining to physical 
attacks our Nation's electrical grid--and you may have answered 
some of this--do you have any specific measures your department 
has had to change or implement to help ensure these attacks are 
minimized or mitigated?
    Mr. Ray. So thank you for that question.
    Mr. Bucshon. Specific things that you found and what you 
are doing that you had to reassess and adjust.
    Mr. Ray. So I think over the last several years, as we have 
seen the evolution, as I said, of threat and risk and type of 
incident that we are being required to prepare for and respond 
to, we have had to adjust some of the partners that are at the 
table. I think, as has been alluded to here, we, for better or 
for worse, have a lot of practice here in North Carolina 
responding to some of our natural hazard threats. Those are 
specific partnerships that are needed. And I think one of the 
tactics that we have done is really ensure that the 
partnerships and the partners that are in our EOC, that are at 
the table in preparedness and response, now are including those 
critical infrastructure sector partners as well as our law 
enforcement and intelligence agencies. And that is everything 
from their participation and engagement in preparedness 
workgroups and planning efforts as well as integration into our 
fusion centers to ensure, preincident, those right folks are at 
the table. That is one of the largest, I think, tactics that we 
have had to employ.
    Mr. Bucshon. Great. Mr. Ponseti, man, I only have about 30 
seconds, but could you discuss how a diverse energy source mix 
could help bolster reliability and security for the grid?
    Mr. Ponseti. Sure. The diversity really is key because you 
need enough generation to cover not just megawatts but all the 
services, the critical reliability services that are provided. 
So if you use a baseball analogy, and say let's go play 
baseball, you don't just show up with nine pitchers. You have 
got to have a pitcher, catcher, so same thing with generation. 
It is not just the megawatts you need. You got to have all the 
other ancillary services. Traditional generation often shows up 
with those. New generation, you got to plan carefully to make 
sure that when you take older sources off the field, that they 
are being replaced in kind.
    Mr. Bucshon. Thank you. Mr. Chairman, just if with your 
indulgence, I just want to say--and I am speaking for myself--
the national level, one of the things we are trying to 
determine is, for critical infrastructure, and I mentioned that 
earlier, that includes pipelines and other things, what is the 
role of the Federal Government, how do we work with our 
private-sector partners?
    And it is very clear that, like the Colonial Pipeline 
shutdown, we are going to have to reassess in critical 
infrastructure, potentially, some of those relationships and 
make sure there is good coordination to prevent these attacks 
that could affect not only a large portion of the American 
people but our national security. I yield.
    Mr. Duncan. The gentleman's time has expired. I will now 
recognize the former Bear Bryant football player from Alabama, 
Mr. Palmer, for 5 minutes.
    Mr. Palmer. As I have to constantly do, correct the record. 
I practiced for Bear Bryant.
    Director Ray, on November 30 of last year, the Department 
of Homeland Security issued a bulletin warning that our 
Nation's critical infrastructure was a potential target. Did 
you get that warning?
    Mr. Ray. Yes, sir.
    Mr. Palmer. What did you do with that? Did you pass that on 
to Duke Energy?
    Mr. Ray. So I think ----
    Mr. Palmer. That is a ``yes'' or ``no.''
    Mr. Ray. Yes, sir. Yes, sir.
    Mr. Palmer. You passed down to Duke Energy. Mr. Aysta, did 
you receive that warning?
    Mr. Aysta. We did.
    Mr. Palmer. What measures did you take to secure critical 
infrastructure?
    Mr. Aysta. So we get notifications like that routinely, and 
so we ----
    Mr. Palmer. I understand that. But it is also reported that 
there was an intelligence security memo detailing at least 15 
instances over the course of less than a year showing suspected 
extremists openly threatening and calling for acts of sabotage 
against the energy side, especially electricity substations. 
And there was another direct warning issued by the Department 
of Homeland Security in January, earlier. I don't think I would 
consider that routine.
    Mr. Aysta. So we will surge security resources into areas 
where we believe we have an increased threat. We cannot protect 
the thousands of substations across our jurisdiction.
    Mr. Palmer. I am not talking about--I think I am not going 
to buy that, Mr. Chairman, that you can't protect them. I mean, 
you have got security cameras, you have got other things. We 
are not talking about necessarily putting up ballistic-proof 
fencing or things like that. We are talking about just simple 
surveillance with someone sitting in an office 24/7 monitoring 
these facilities because, depending on time of year, when you 
knock out a system for a couple of weeks or longer, it is not 
just about loss of business opportunities. It is talking about 
loss of life.
    I mean, we just saw a report that 68,000 people died, 
classified as excess winter deaths, in Europe because they 
can't afford their house or utility bills. I can only imagine 
what would happen to people with cardiovascular issues, 
respiratory issues, that don't have power at all because you 
didn't do an adequate job of protecting your critical 
infrastructure. How do you respond to that?
    Mr. Aysta. So we critically understand the need for energy 
in our society.
    Mr. Palmer. Then you ought to be taking the steps necessary 
to protect that infrastructure. So why haven't you?
    Mr. Aysta. Congressman, when we get specific intelligence 
about increased threats in an area, we will surge security 
resources, work with our law enforcement and intelligence 
partners to do just that.
    Mr. Palmer. I don't think you did that. You had an attack 
in California. We had two people arrested planning attacks in 
Washington and Oregon. Did you know about that?
    Mr. Aysta. We did.
    Mr. Palmer. And you didn't take additional steps to secure 
your infrastructure? I think that is a problem.
    Mr. Aysta. Certainly we briefed our teams that were in the 
field to be additionally vigilant.
    Mr. Palmer. When I was out on the substation site, I saw 
possibly one place where you had a closed-circuit television. 
The only other camera I saw were, like. game trail cameras.
    Mr. Aysta. So we have three trailer cameras that are 
deployed with 360 coverage, so they were placed strategically 
around that substation.
    Mr. Palmer. After the shooting?
    Mr. Aysta. Yes, sir.
    Mr. Palmer. That is the problem that I have with this, Mr. 
Chairman, that we get these warnings, we don't do anything 
about them. Dr. Kern, I would like to turn to you ----
    Dr. Kern. Yes, sir.
    Mr. Palmer [continuing]. Following on with what my 
colleague from Indiana was talking about in terms of EMP. Most 
people think of that in terms of a human-induced attack, but 
you are familiar with the Carrington Event, occurred in 1859, 
the electromagnetic storm.
    Dr. Kern. No, sir.
    Mr. Palmer. Well, you need to be because Lloyd's of London 
takes it so seriously, sir, that they put out a report about 
what the estimated damage would be if we had a Carrington-level 
solar event. In 1859, we didn't have substations, things like 
that. We had telegraph wires, and they caught on fire. There 
was one in 1989--not near the severity of the Carrington Event, 
those occur about every 150, 250 years--so we are kind of in 
that window. That 1989. these occur about every 50 years, that 
knocked out power for about 6 million people. So I just think 
we have got to take a long, hard look about how we are securing 
our power bed, and also your point about changing the resource 
mix as the number-one threat to our power grid.
    With that, Mr. Chairman, I yield back.
    Mr. Duncan. All right. I thank the gentleman. I will go to 
the gentlelady from Arizona who has the Palo Verde nuclear 
power facility. In her facility, power is important. Mrs. Lesko 
is recognized.
    Mrs. Lesko. Thank you very much, Mr. Chairman, and I want 
to thank you for having this field hearing, and also to 
Congressman Richard Hudson for talking about this. He talks 
about this quite a bit back in Washington, DC, to educate us 
about it. I am from the great State of Arizona, and I live in 
the Phoenix area, and I have to tell you, the weather here is a 
lot cooler than in Phoenix right now, and it is absolutely 
beautiful. You guys live in God's country here, and I will have 
to come back and visit some more.
    My first question is for Mr.--``Aye-sta''? Is that how you 
say your name?
    Mr. Aysta. ``A-sta.''
    Mrs. Lesko. ``A-sta. A-sta.'' I noticed that at our site 
visit there is a chain link fence that is around the 
substation, and that is the same as in Arizona as well. Do you 
think it would be more secure if you put a tall block wall 
around the perimeter of these?
    Mr. Aysta. Congresswoman, great question. So again, as I 
stated earlier, every substation is unique in its design and 
its topography. In areas of Arizona--you are around Phoenix--it 
is much flatter. We get into areas of North Carolina where it 
is very mountainous. So you could defeat a wall simply by being 
up on the other side of a hill, because we are always balancing 
security, reliability, and affordability.
    So in this case, we are looking at that substation, or that 
subset of substations, where we cannot be resilient and we 
cannot reroute power, and then putting the security controls in 
place there. Today the threat may be from ballistics, somebody 
shooting. Tomorrow the threat may be from drones, that no 
matter how high your wall is, they will be able to defeat it. 
So we believe ----
    Mrs. Lesko. I am sorry. I will have other questions, so I 
am going to interrupt.
    Mr. Ray, what do you think? Do you think that it would 
improve security to have a block wall because, you know, a 
chain link fence, you can shoot right through a chain link 
fence. I agree they could use drones, whatever, but you have 
layers of security, right? Just at my home, lights, a lock on 
the door, you know, cameras, somebody could still throw a rock 
through my window of my front window and come in, but, you 
know, you try to make it as difficult as possible, right? What 
do you think, Mr. Ray?
    Mr. Ray. So I am certainly not a physical security expert. 
I would say certainly, as we work with Duke and all of our 
partners, we are looking at layered approaches, and that is 
something at----
    Mrs. Lesko. OK.
    Mr. Ray [continuing]. The table with a lot of our partners.
    Mrs. Lesko. My next question is for you, Mr. Ray. In this 
incident, did the FBI cooperate with you enough and in a timely 
manner?
    Mr. Ray. So the investigation does not fall into our 
bucket. From what we had to do from a preparedness response and 
recovery standpoint and a general information and intelligence-
sharing standpoint, the FBI was a very good partner for us, 
yes, ma'am.
    Mrs. Lesko. And in your testimony, Mr. Ray, you talked 
about improving public-private cooperation, communication--
honest, open, transparent. What were the problems that happened 
with this incident, and how could they improve?
    Mr. Ray. So happy to follow up with you specifically 
offline. I don't want to take all of your time up for your 
questions, but I think there are some specific changes we could 
make to rules or code to allow us to quickly in an incident----
    Mrs. Lesko. Specifically, I know this is sensitive, but did 
you get enough cooperation from Duke Energy?
    Mr. Ray. As I said at the beginning, they have been a good 
partner of ours for many, many years as we look at all types of 
incidents, and we continued to enjoy that partnership during 
this incident as well.
    Mrs. Lesko. Thank you. Mr. Ponseti, do you think there is 
enough security at substation sites? And if not, how can we 
improve it?
    Mr. Ponseti. So taking out a couple different pieces, I 
think from where we sit--and what we are trying to do is 
protect millions from going in the dark with a cascading outage 
for instability or something like the, you know, 2003 
blackout----
    Mrs. Lesko. Right.
    Mr. Ponseti. We think the standards and the protections 
that are in place, requiring all utilities to do that 
assessment and find those crown jewels that would cause one of 
those top three things to happen, and make sure those 
protection measures are in place. For all the others, it is 
probably best served not for a Federal, national mandate, but 
for each local area to do their own risk assessment, 
vulnerability assessment, and see what works best.
    Mrs. Lesko. Yes.
    Mr. Ponseti. Now, the chain link fences have worked for 
some time, and I think everyone has reassessed ----
    Mrs. Lesko. Yes. Well, and the thing is, is you have to 
balance out the risk and how much damage it will do, right? So 
how much should we invest? Like, what is the catastrophic thing 
that is going to happen versus how much money, because 
obviously, if Duke Energy or any other energy company has to 
put in a bunch of security, it is going to cost money. It is 
going to cost the ratepayers more because you are going to pass 
it on to the ratepayers, but is it worth it to counteract a 
major outage?
    And so I thank you for the work that you are doing, and 
thank you to all of you for being here. It has been 
educational, and I appreciate it.
    Mr. Duncan. The gentlelady yields back. I will now go to 
this side of the dais, Mr. Weber from Texas, for 5 minutes.
    Mr. Weber. Thank you, Mr. Chairman. Mr. Ponseti, I will 
start with you. A couple of years, 2 years back and 4 months, 
we had Winter Storm Uri in Texas. Now, as you know, Texas has 
its own grid. We were severely impacted. It left 4.5 million 
homes and business without power, on average, around 42 hours, 
some up to 120 hours. And although this was extremely rare for 
Texas, we are no strangers on the Gulf Coast where I live to 
hurricanes and tropical storms that tear through our district 
there with tremendous power and destruction.
    I am going to ask you a couple of questions, but let me get 
to the second one before I ask you to respond. Do you have to 
ensure the reliability of the electric grid not only from 
traditional weather effects, obviously, but from rare 
occurrences such as Uri? My second question is, do you think 
redundancy is the key? And I know that this means more money 
for taxpayers where you build additional generation capacity at 
each site.
    Your answer. Yes, sir. Don't look at him. You got to answer 
it.
    Mr. Ponseti. Thanks. Thanks for that question. So, you 
know, very familiar with that storm and the effects of it and, 
you know, the aftermath of that, I think we have got some 
upgraded standards that are now taking effect, and one of the 
key things--and it has been mentioned in a couple places--is 
preparation. And in this case, winter preparation, making sure 
from the pipelines to the generating units to certainly the 
transmission system, are properly protected and winter-
weatherized for such an event.
    Mr. Weber. But we do need some redundancy, don't we, 
because American population is growing. And not only is the 
American population growing, more drivers on the street, now 
there are going to be more electric vehicles on the street. And 
by the way, just tongue in cheek, I saw a survey the other day 
that said 90 percent of electric vehicles are still on the 
highway. The other 10 percent made it home safely. So we want 
to be mindful that we are going to need more generation 
capacity.
    So I will go back. I know this is tough for Duke, but it 
means that we ought to have more capacity at every turn. 
Wouldn't you agree, some redundancy there, a backup so if one 
system goes down, we have a backup?
    Mr. Ponseti. So agree with redundancy, and the system is 
built with that redundancy. It is built to be resilient. And 
one of the requirements is that everyone that is operating the 
grid and every specific second of the day, they have got to 
withstand the next worst contingency. But when you have two--in 
this case, you had two worst contingencies immediately 
happening--sometimes you are not able to recover from those two 
worst contingencies.
    Mr. Weber. Well, I would also argue for nuclear energy 
along with these guidelines as well.
    Mr. Aysta, I wanted to go back to you. After the attack 
here in Moore County, we heard a question from Congressman 
Palmer about what steps did you all take. I want to move over 
to the new Federal regulation proposed that now they are going 
to start requiring material switching--grain-oriented electric 
steel, GOES is the acronym--to amorphous steel for these 
transformers. Are you all following that?
    Mr. Aysta. Yes, sir.
    Mr. Weber. Is that going to be good or bad?
    Mr. Aysta. Sir, we all know that our transformer supply 
chain is strained now. Last year alone, Duke Energy installed 
over 70,000 distribution transformers, and we are on track to 
do 5 percent more than that in 2023. The new energy efficiency 
standards will further exacerbate those supply chain struggles.
    Mr. Weber. Have you written your President about that? No 
pressure.
    Mr. Aysta. No, sir.
    Mr. Weber. No pressure. As I understand it, the material 
that they are pressing for is an amorphous metal, a solid 
metallic metal, usually an alloy with disordered atomic scale 
structure. Most metals are crystalline in their solid state, 
which means they have a highly ordered arrangement of atoms. 
Actually, what they are requiring is the opposite of that. 
Amorphous metals are noncrystalline and have a glasslike 
structure. Is this going to be a problem? I mean, suppose you 
could get to the supply chains and you could get those 
transformers. Is this type of metal going to be a problem in 
transformers?
    Mr. Aysta. Sir, I can tell you our manufacturers are 
concerned about it because it is often foreign sourced, and 
being able to get it to build the transformers will be 
difficult. So we will stand behind or agree with our 
manufacturers that, although energy efficiency is a good thing 
eventually, right now is not the time.
    Mr. Weber. Well, I hope you all are making that known. Mr. 
Chairman, I yield back.
    Mr. Duncan. I thank the gentleman. And I will now go to the 
gentleman from Augusta, Georgia, home of Vogtle Nuclear 
Station, Mr. Allen, for 5 minutes.
    Mr. Allen. Thank you, Chairman Duncan, for allowing me to 
join the Energy, Climate, and Grid Security Subcommittee here 
today, and I want to thank my friend, Congressman Hudson, for 
hosting us here in his home State of North Carolina. As 
Chairman Duncan said, I am from Augusta, home of the Masters 
Golf Tournament, and I am extremely excited that the U.S. Open 
is going to be returning to your community next year--hint, 
hint--Mr. Hudson.
    Getting serious here. Cybersecurity is critical for grid 
resiliency. I am proud that adjacent to my district is the 
Savannah River Site, located in the chairman's home State of 
South Carolina, which we work together all the time in. SRS has 
a robust electric grid that was built to sustain a number of 
key national security functions during Cold War operations at 
the site. Savannah River National Lab, located at SRS, is 
leveraging this grid to conduct research and develop grid 
security.
    One of the key pieces of this grid infrastructure at SRS is 
a 17-mile isolated loop section of 115-kV electrical 
transmission line. SRNL has proposed use of this section of 
line to conduct proof-of-principle testing of advanced security 
devices, such as acoustic sensors that detect anomalies of the 
grid. Data from these anomalies can be sent to operation 
centers to evaluate potential threats and risks to our system. 
Unfortunately, we live in a dangerous world, and today where we 
have soft targets, we have got to harden those targets.
    Mr. Aysta, the DOE National Lab System has technical 
capabilities and tools to address needed research in grid 
security. The Savannah River Site National Lab, as mentioned, 
has a strong background in grid testing and data analytics that 
partnered with utilities and industry, and help facilitate 
rapid analysis and decision making of grid and cybersecurity 
efforts.
    Mr. Aysta, has Duke engaged with any DOE laboratories on 
research and development investments to enhance grid and 
cybersecurity efforts?
    Mr. Aysta. Yes. Thank you for your question, Congressman. 
We work closely with the Department of Energy and several of 
the different national laboratories.
    Mr. Allen. Where do you stand as far as, you know, updating 
and hardening your systems based on their research and 
development?
    Mr. Aysta. We will take the R&D done by the DOE, and we 
will apply it and vet it to see if it is appropriate for our 
system.
    Mr. Allen. After 9/11, it was determined that that attack 
could have been prevented if we had had local, State, and 
Federal law enforcement talking to each other. Mr. Ray, of 
course, we created this huge department now called Homeland 
Security to make sure that our homeland is secure. I am real 
disappointed that we haven't found the perpetrators of this, 
and I am not sure, you know, that we are making the efforts to 
do that. Does your office have any comment on, and I know we 
can't talk about the investigation, but is this investigation 
going the way you think it should go?
    Mr. Ray. So thank you for that question, Congressman. I 
think the investigation is not something that is under our 
purview. It is not something that our office is engaged in as 
far as managing the investigation from a law enforcement 
standpoint. I will tell you, to your point, I think you 
highlight an important construct of the partnership at multiple 
levels in law enforcement intelligence and public safety. It is 
something we are continuing to strive here in North Carolina to 
continue to implement, expand, and make better.
    We have a robust statewide information-sharing platform 
among law enforcement and other public safety agencies. And 
again, we are always committed to trying to make sure that that 
is providing actionable operational intelligence to those that 
are at the very lowest-level boots on the ground, responding as 
quickly as possible. But as far as any comment about the 
investigation, I certainly can't make any at this point.
    Mr. Allen. Well, you know, obviously, national security and 
protecting the American people is goal one, and it should be, 
particularly of this Congress and of our conference, and so we 
need to make sure this does not happen again. There were people 
that were harmed in this and suffered financially, and I heard 
there may have been one death, maybe not knowing what caused 
it.
    We have got to up our game here. I mean, we obviously know 
we got problems at the border, and we know why, and, of course, 
we are going to deal with the Department of Homeland Security. 
Our conference will do that, but these are the kind of things 
that we need to get better. We got to stop this, and you have 
our full cooperation to make it happen.
    Thank you, and I yield back, Mr. Chairman.
    Mr. Duncan. I thank the gentleman. That concludes, really, 
the question-and-answer portion, and some Members do have some 
written questions that they will submit, which I would ask you 
to return those within 10 business days.
    We traveled so far, and this is an important hearing. I am 
going to give Members, if there is a critical question you 
would like to ask right now while we are here, let's just make 
it brief, and I will give Members an opportunity to do that if 
you would like. So I am going to go to Bucshon first.
    Mr. Bucshon. I just want to make a followup quick 
statement. As far as the transformers goes, there is only one 
company that makes electrical steel for transformers left in 
the United States. That is AK Steel. All the rest of it is 
imported. When I was at CenterPoint, as I mentioned, I talked 
about the EMP stuff. I didn't talk about if some of their big 
transformers go down, 2-year turnaround to replace them. So I 
just wanted to point that out. We have a supply chain issue in 
this industry. I yield.
    Mr. Duncan. Great point. Mr. Griffith?
    Mr. Griffith. And on the transformers just quickly, I would 
say that 2 years is important. We probably should have 
mentioned that earlier, which is one of the reasons why we need 
to figure out somehow--and maybe it is private industry, maybe 
it is a combination--how we can have a supply built up because 
it does take a long time to build some of these larger 
transformers.
    Mr. Ray, you talked about Stafford a little bit in your 
opening. I would like for you to expand on that because one of 
my concerns with the Stafford, we went down I think it was this 
subcommittee a number of years ago went down to Puerto Rico 
after they got hit by two hurricanes in a row, and we went to 
the Virgin Islands. And one of the interesting things that I 
saw was in on the Virgin Islands, they had 10 poles that didn't 
have to be replaced, and they were all composite. But the 
Stafford Act, Mr. Chairman, won't let us replace with a better 
product. We have to replace with the same product. So our 
Federal dollars went to putting in new wooden poles, even 
though we know that isn't what works in that condition. So I 
was wondering if you had some similar concerns with the 
Stafford in North Carolina.
    Mr. Ray. I think you hit on one of the important topics. I 
think there is some work to do around Stafford, and I don't 
want to take up the entire committee's time by going through 
the list that we have. And we are happy to follow up with you--
--
    Mr. Griffith. Maybe we can do--maybe I can do a written 
question. You give me a more detailed answer on that.
    Mr. Ray. But I think both from a program delivery, from a 
recovery standpoint, from an incident type, and as well as some 
of the issues that you just mentioned, it is a complex issue 
that, I think, we need to take a hard look at if we are going 
to look at making sure we have the needed capabilities ready to 
respond to support our local jurisdictions across this Nation.
    Mr. Griffith. And I will tell you also, Mr. Chairman, in 
regard to the FEMA, which falls in that same arena, both 
Senators in Virginia, who are Democrats, and myself are looking 
at ways we can help because it doesn't seem to be skewed 
correctly for disasters that occur in rural areas. I yield 
back.
    Mr. Duncan. Mr. Latta?
    Mr. Latta. Well, thank you, Mr. Chairman. And just briefly, 
because one of the things also to point out from the top 10 
regional risks is something that we are dealing with all over, 
is your point number three in the shortage of required skill 
sets. You know, in Ohio, I have been to a lot of meetings. We 
have talked about it, and also in Washington, how are we going 
to get more people in these skill sets because, again, when you 
get 1.9 jobs per person right now, we got a problem. So when 
the lights go out, someone has got to go out there and get it 
done. But how are we going to get these people trained and get 
them into these jobs?
    Mr. Duncan. Good point. Mr. Allen, last comment.
    Mr. Allen. Yes, I just wanted to comment on cybersecurity. 
Fort Gordon is located in Augusta as well, and that is a Cyber 
Center of Excellence for the United States Army. Obviously, 
there was a cyber attack on the Colonial Pipeline. Where are 
we? And I would like to know, Mr. Aysta, as far as Duke Power 
and where you are with cybersecurity, are we again working with 
military and others about those types of attacks?
    Mr. Aysta. Yes, Congressman, we are. There are several of 
us with security clearances in the company. We receive 
classified briefings on a routine basis from the intelligence 
community. We have a robust, 24/7 monitoring capability, and we 
have a robust industry sharing to be able to protect both our 
IT and our OT assets.
    Mr. Allen. Mr. Ray?
    Mr. Ray. Yes, sir. So I think you hit an important topic. 
Here in North Carolina, we are fortunate. We have had some 
leadership over the last several years that has acknowledged 
that we need to do more in the cyberspace as we talk about 
having resources to both prepare and respond. And so I think we 
are very proud to be a part of the State's joint cyber task 
force here in North Carolina. The four primary agencies are the 
North Carolina National Guard, obviously our organization, as 
well as the Department of Information Technology, and our local 
government information systems staff.
    Additionally, the wider intelligence and Federal law 
enforcement community is a part of that task force as well. We 
actually have a cyber mission center that has been stood up at 
our State EOC within the last couple of years. And so we as an 
agency are taking some hard steps into both proactive work, how 
are we helping end users prepare their systems to take 
necessary steps, as well as having boots on the ground to be 
able to put into a jurisdiction or an agency that is 
experiencing some sort of incident or disruption. That is 
always a capability that we are certainly looking to expand, 
but very proud of that group.
    Mr. Allen. Mr. Ponseti, anything you would like to add?
    Mr. Ponseti. One of the things that NERC does, you know, 
you heard it mentioned a couple of times, sharing the 
information quickly and getting ahead of it, especially if 
there's coordinated attacks, is important. And NERC has a 24/7 
electric sector E-ISAC, Information Sharing Analysis 
Communications, and they put out information daily on both 
cyber and physical attacks that quickly alerts the industry 
that are members of that to be prepared and have a heads up.
    Mr. Allen. Dr. Kern, anything you would like to add?
    Dr. Kern. No.
    Mr. Allen. OK. One other comment I would like to make here 
is, when I became a Member of Congress, one thing I learned in 
every county I represent, 23 counties, if I wanted to know what 
was going on in that county, I called my sheriff. Your law 
enforcement officials know everything that is going on. They 
know a lot more than the FBI and other State law enforcement. 
Please work with our local law enforcement people and cooperate 
with them more, because they get frustrated. Law enforcement is 
somewhat frustrated anyway, but they are a tremendous resource. 
And like I said, nothing goes on in this county that your 
sheriff doesn't know about. I can guarantee you that. Thank 
you, Sheriff.
    Mr. Duncan. Let's take an opportunity to thank all the law 
enforcement folks in the room and what you do.
    [Applause.]
    Mr. Duncan. To the gentleman's point, Duke Energy and 
Clemson University have a drivetrain facility where they test a 
lot of the grid components to address some of the things you 
are talking about. I invite Members to go down and see that in 
Charleston at some point.
    This concludes the hearing. I am going to let my fellow 
colleague from North Carolina wrap it up for us, and when he 
finishes his thank yous, we will stand adjourned.
    Mr. Hudson. You are saying it is me standing between you 
and lunch, so I will be brief.
    Hey, thank you all for being here. Thank you to our 
witnesses, and we look forward to your written responses to 
some of the questions. And look, today is the beginning of the 
conversation. We are going to continue to communicate with you 
and rely on you to help us understand the challenges you are 
facing.
    You know, our job now is to take this information and 
figure out what steps are next, what can we do to help. You 
know, we are not law enforcement. We are not going to go out 
and find this perpetrator, but there may be things we can do to 
help the sheriff and others get the kind of cooperation they 
need to do that. You know, we are not the emergency response 
folks, but there may be things we can do to help give you 
better authorities, more flexibility so you can do a better job 
of responding to these type of incidents.
    But we also have a responsibility to this country to look 
at this incident and ask the question, what does this tell us 
about the larger vulnerabilities of our grid? What does this 
tell us about the possibilities not only of this happening 
again, but maybe something worse happening again if we don't do 
a better job of preparing this country through supply chain, 
through redundancy, resiliency? And so we have got a big 
responsibility before us.
    And I am just proud of the members of this committee and 
thankful that, you know, I have been talking about this a lot, 
but I am just not talking in the wind. I am talking to the 
colleagues who care and have the expertise to address this, 
and, again, this is the first of many, I think, hearings and 
activities we will do to address this.
    I do want to mention two bills since my colleagues brought 
it up. I have the bill, Protecting America's Distribution 
Transformer Supply Chain Act. Hopefully, everybody here will 
cosponsor it, but it repeals the Secretary's authority to 
enforce any energy efficiency standards for these distribution 
transformers for next 5 years. So we need a halt on these new 
efficiency standards, particularly with the situation we are 
facing now with transformer supply chain.
    And the 21st Century Jobs Act is a bill I have gotten 
passed out of the House for 3 Congresses now, and we would love 
to have the Senate take it up. But it has the Secretary of 
Energy work with the education system to prepare our students 
for the jobs of the 21st century and the energy industry. 
Whether it is line workers, whether it is building 
transformers, nuclear engineers, whatever those jobs are going 
to be in the future, I want to make sure we are training our 
workforce to be prepared for those jobs.
    But again, thank you, Mr. Chairman, for bringing the 
committee here. Thank you for your serious attention to this, 
and I look forward to moving forward together. Thank you.
    Mr. Duncan. Thank you. With that, adjourned.
    [Whereupon, at 11:36 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

                                 [all]