This is a preliminary, unedited transcript. The statements within may be inaccurate, incomplete, or misattributed to the speaker. A link to the final, official transcript will be posted on the Committee’s website as soon as it is available.

NEAL R. GROSS CO., INC.
RPTS PATERSON
HIF073030
NEAL R. GROSS, (202) 234-4433, COURT REPORTERS AND TRANSCRIBERS, 1323 RHODE ISLAND AVE., N.W., WASHINGTON, D.C. 20005-3701, www.nealrgross.com

DOE MODERNIZATION: LEGISLATION ADDRESSING CYBERSECURITY AND EMERGENCY RESPONSE
Wednesday, March 14, 2018
House of Representatives
Subcommittee on Energy
Committee on Energy and Commerce
Washington, D.C.

The subcommittee met, pursuant to call, at 10:00 a.m., in Room 2322 Rayburn House Office Building, Hon. Fred Upton, chairman of the subcommittee, presiding.

Members present: Representatives Upton, Olson, Barton, Shimkus, Latta, Harper, McKinley, Kinzinger, Griffith, Johnson, Long, Bucshon, Mullin, Hudson, Walberg, Duncan, Walden (ex officio), Rush, McNerney, Peters, Castor, Sarbanes, Welch, Tonko, Loebsack, Butterfield, and Pallone (ex officio).

Staff present: Mike Bloomquist, Deputy Staff Director; Daniel Butler, Staff Assistant; Kelly Collins, Legislative Clerk, Energy/Environment; Jordan Davis, Director of Policy and External Affairs; Wyatt Ellertson, Professional Staff, Energy/Environment; Margaret Tucker Fogarty, Staff Assistant; Adam Fromm, Director of Outreach and Coalitions; Jordan Haverly, Policy Coordinator, Environment; Ben Lieberman, Senior Counsel, Energy; Mary Martin, Chief Counsel, Energy/Environment; Drew McDowell, Executive Assistant; Brandon Mooney, Deputy Chief Counsel, Energy; Mark Ratner, Policy Coordinator; Annelise Rickert, Counsel, Energy; Dan Schneider, Press Secretary; Peter Spencer, Professional
Staff Member, Energy; Jason Stanek, Senior Counsel, Energy; Austin Stonebraker, Press Assistant; Madeline Vey, Policy Coordinator, Digital Commerce and Consumer Protection; Hamlin Wade, Special Advisor, External Affairs; Everett Winnick, Director of Information Technology; Priscilla Barbour, Minority Energy Fellow; Jeff Carroll, Minority Staff Director; Jean Fruci, Minority Energy and Environment Policy Advisor; Tiffany Guarascio, Minority Deputy Staff Director and Chief Health Advisor; Rick Kessler, Minority Senior Advisor and Staff Director, Energy and Environment; John Marshall, Minority Policy Coordinator; Alexander Ratner, Minority Policy Analyst; and C.J. Young, Minority Press Secretary.

Mr. Upton. Good morning. Good morning. So this DOE modernization hearing is going to focus on the proposed legislation relating to core energy security missions of the Department.

This mission is to ensure the supply and delivery of energy that is vital to our economic and national security, our public welfare, and health.

For the last two Congresses, we have been working to update the Department's authorities and capabilities both to mitigate against and respond to energy supply emergencies, especially with respect to critical
energy infrastructure and to cybersecurity.

For example, we directed the Department to modernize its strategic petroleum reserve and response capabilities, clarified and enhanced DOE's role as the sector-specific agency for the energy sector, especially for critical electric infrastructure.

We. We moved through the House H.R. 3050 last summer to strengthen DOE's support for state energy emergency offices in their cybersecurity efforts, and the common theme has been to update DOE's cybersecurity and emergency coordinating functions and provisions of technical assistance to other agencies, states, and asset owners.

So in keeping with these modernization efforts, the legislation today continues that work. H.R. 5174, the Energy Emergency Leadership Act, introduced by Mr. Walberg and Ranking Member Rush, elevates the role in DOE and specifies certain emergency and preparedness functions to ensure full attention to the risks of cybersecurity and other threats to the energy sector.

Given the reliance on energy in modern society, ensuring that supply has become of such surpassing importance that we have to be able to make sure that the agency has sufficient leadership focus to meet its responsibilities.

Similarly, H.R. 5175, the Pipeline and LNG Facility Cybersecurity Preparedness Act, which I introduced along with Mr. Loebsack, would enhance DOE's ability to coordinate the interconnected systems of energy delivery and supply, which includes ensuring the security of digital systems in pipeline and grid operations.

Although several governmental authorities
play a role, DOE has got to have the adequate visibility across the energy sector to ensure the federal, state, and asset owners are sufficiently prepared and coordinated and to efficiently deploy where needed its world class technological capabilities.

This bill certainly aims to assure that it can be done.

Both H.R. 5239, the Cyber Sense Act of 2018, and H.R. 5240, the Enhancing Grid Security Through Public-Private Partnership Act, have been introduced by Mr. Latta and Mr. McNerney, two leaders on grid innovation.

The Cyber Sense bill, a version of which passed the House as part of H.R. 8 back in 2016, seeks to establish a voluntary DOE program that would permit cybersecure products intended for use in the bulk power system.

And the Enhancing Grid Security Act bill seeks to facilitate and encourage public-private partnerships aimed at strengthening the physical and cybersecurity electric utilities, especially mid-size and small utilities, which may not have met the resources to identify and address cybersecurity vulnerabilities and system risks.

Two panels of witnesses this morning are going to provide their perspective on these bills and discuss what other measures may be helpful to ensure DOE can fulfil its energy security and emergency missions.

I want to welcome back Undersecretary of Energy Mark Menezes, who returns from his appearance in January. I look forward to his comments and to talk about his own plans to elevate DOE's leadership in emergency response.

He's accompanied by Pat Hoffman, principal deputy assistant secretary in the Office of Electricity, who can provide technical perspective from her experience addressing cybersecurity and energy emergency functions.

Our second panel will feature a range of energy security and emergency perspectives. One witness from DOE's Idaho National Lab will help us understand federal capabilities to support cybersecurity in the energy sector.

We are going to hear from the state of Indiana's Emergency Response Authority, from Dominion Energy on pipeline security, from EEI on electric cybersecurity, and from the National Electrical Manufacturers Association to talk about cybersecurity of grid components.

We welcome you all, and with that I would yield to the ranking member of the subcommittee, my friend, Mr. Rush.

The prepared statement of Mr. Upton follows:

INSERT

The Bills H.R. 5174, H.R. 5175, H.R. 5239, and H.R. 5240 follow:

INSERT

Mr. Rush. I want to thank you, Mr. Chairman, for holding this important hearing today on legislation addressing cybersecurity and emergency response.

Mr. Chairman, I support the four bills before us and I want to specifically and respectfully acknowledge Mr. Walberg of Michigan, who worked with my office on the Energy Emergency Leadership Act.

This bill will establish a new DOE assistant secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.

Mr. Chairman, while cybersecurity is an important issue, I would be remiss if I did not point out that today, at this very same time, students have declared this as National Walk-Out Day.

And as we speak, Mr. Chairman, students from across the country are leaving their classrooms to honor the lives of the 17 people killed at Stoneman Douglas High School last month and to press policy makers to pass common sense gun control laws.

Mr. Chairman, cybersecurity is a serious issue that must be addressed. However, nothing can be more urgent than answering the cries and the pleas emanating from our nation's youth -- students who have had enough of being scared and anxious and frustrated by the lack of leadership coming from both the administration and this Congress on the issue of gun violence.

Mr. Chairman, as policy makers, as parents, as grandparents, as adults, and as leaders, we are failing our youth by letting politics and influential interest groups come before our most
sacred responsibility, and that is protecting our children.

Mr. Chairman, every single Democrat on the four Energy and Commerce committees sent a letter to Chairman Walden on March 7th urging him to hold hearings as soon as possible to address gun violence in America.

That followed a February 16th letter, also signed by all 24 Democrats on the full committee, to Chairman Walden and Health Subcommittee Chairman Burgess urging the Republican leadership to hold a hearing as soon as possible on federal investment in gun violence prevention research.

Mr. Chairman, we owe it to our children, at the very least, to examine this problem in a serious and thoughtful manner, and I can assure you that this issue will come up again and again, regardless of the planned topic of discussion, until we hold a hearing.

With that, I yield the remainder of my time to my friend and colleague from California, Mr. McNerney.

Mr. McNerney. Well, I thank the ranking member for yielding and the chairman for holding this hearing.

Today we will examine several legislative proposals concerning our nation's grid security. As co-chairs of the Grid Innovation Caucus, Bob Latta and I are focused on providing a forum that advocates for grid investments and examines the risks and opportunities with our grid.

Our work through the Grid Caucus has led to the introduction of two bills we will discussing today. H.R. 5239, the Cyber Sense Act of 2018, would create a program to identify cybersecure products for the bulk power grid system through testing and
verification.

The bulk power system is the backbone of American industry and provides all the benefits of reliable electric power to the American people. It's essential that we make this system as secure as possible, as cyberattacks pose a serious threat to our electric grid.

Any vulnerable components of our grid is a threat to our security, and this bill will go a long way to strengthen our system. Mr. Latta and I are also co-leads of H.R. 5240, the Enhancing Grid Security Through Public-Private Partnerships Act.

This bill will create a program to enhance the physical and cybersecurity of electric utilities through assessing security vulnerabilities, increase cybersecurity training, and data collection.

It will also require the interruption cost estimate calculator, which is used to calculate the return on investment on utility investments, to be updated at least every two years to ensure accurate calculations.

These two bipartisan bills, along with the other bills we have before us today, will help put us on the path to better securing our electric utility system.

I welcome the panelists and look forward to hearing their insights on the useful of our legislation and how it may be improved.

Thank you. I yield back.

Mr. Upton. Gentleman's time is expired.

The chair will recognize the chairman of the full committee, the gentleman from Oregon, Mr. Walden.

Chairman Walden. Thank you very much, Mr. Chairman.

I want to thank my colleague from California for his good work on these issues. This is really important stuff for our country, and those of us who have been briefed up on it know the importance of the work that's going on in our agencies and the security issues that are really before us.

Today's hearing examines legislation addressing cybersecurity and emergency response. It will help us respond to some of the most urgent challenges -- the reliability of our nation's energy infrastructure.

Because our energy infrastructure drives the entire nation's economy, I've made it a top priority for this committee to focus on emerging threats and proposed solutions to make our infrastructure more resilient.

We are looking ahead to make sure we are doing everything we can to protect our electric grid and our oil and natural gas infrastructure as well, and improve our ability to respond when the unexpected happens.

Because nearly all of our nation's energy infrastructure is privately owned and operated, the federal government needs to work closely with representatives of the energy sector and the companies in the supply chain that manufacture equipment and technologies.

In today's highly interconnected world, the threat of cyberattacks is ever present. So we have to be vigilant. We must also be prepared for physical threats, whether they be sabotage or natural disasters like the hurricanes we experienced last year.

As the sector-specific agency for energy, the Department of Energy has a very important coordinating role to play, and this function was on display earlier this year in response to Hurricanes Nate, Maria, Irma, and Harvey.

Many of us followed DOE's situation reports on the storms' impacts and the energy industry's recovery and restoration activities.

The Department of Energy's emergency responders in the field provided critical subject matter expertise and assisted with waivers and special permits to aid restoration.

To prevent a major fuel supply emergency, the Department of Energy's strategic petroleum reserve provided much-needed oil to refiners. The DOE also analyzed electricity supply to determine whether it needed to draw on its Federal Power Act authorities to secure the energy grid.

So today's hearing will examine four bipartisan bills designed to improve DOE's energy security and emergency response authorities. I want to thank all our members for working across the aisle on these important issues.

I join Chairman Upton in welcoming back Undersecretary of State -- Undersecretary of Energy, I guess noted in tweets this morning -- Undersecretary of Energy Mark Menezes to our panel. I look forward to your comments on the Department of Energy's security priorities and its views on the legislation.

I also want to welcome the witnesses appearing on the second panel, where we will hear a
range of perspectives from state government, the energy industry, and supply chain manufacturers.

We are also joined by a witness from DOE's Idaho National Lab. I was there on Monday. Very much appreciated the briefings, including the classified ones, and so I am very impressed by the work that goes on at INL, and our country should be very proud of the incredible men and women and the work they do there in every regard.

I also know that -- saw the unique capabilities to test system wide cybersecurity applications on a full scale electric grid loop.

INL is one of 17 DOE national labs tackling the critical scientific challenges of our time and the threats that come our way, and I want to thank INL leadership and staff for sharing their research and expertise with the committee.

This subcommittee has held dozens of hearings on energy infrastructure and produced several bipartisan bills to improve the resilience and reliability of our nation's energy delivery system, and these bills will ultimately make our nation more energy secure, reduce the cost of fuels and electricity for consumers.

So at the end of the day, if we focus on what's best for consumers, we will continue to make good public policy decisions.

With that, Mr. Chairman, I yield back the balance of my time and thank our witnesses for their participation.

The prepared statement of Chairman Walden follows:

INSERT

Mr. Upton. Gentleman yields back.

The chair recognizes the ranking member of the full committee, the gentleman from New Jersey, Mr. Pallone.

Mr. Pallone. Thank you, Mr. Chairman.

Today's hearing revolves around a quartet of bipartisan bills designed to enhance the security of our nation's energy infrastructure. However, before we get to cybersecurity, I'd like to talk for a minute about the security of our nation's children.

Today, one month has passed since the tragic shootings at Marjorie Stoneman Douglas High School that took the lives of 17 children and educators, and as we sit here, students all across the nation have just completed a 17-minute walkout in memory of those killed in that attack as well as to protest this body's refusal to take action on the gun violence epidemic.

Students and their families are justifiably frustrated with the inaction here in Washington. They are sick and tired of a president who says one thing in front of the cameras and then works behind the scenes to push the NRA agenda as soon as he thinks the cameras are focused somewhere else.

And they are also sick and tired of a Republican leadership in Congress that won't move forward on any common sense legislation, some of which has strong bipartisan support.

Americans have legitimate questions about the ever-increasing capacity of guns to kill in large numbers and the ease with which people who are in danger to themselves and others can obtain them in the marketplace, and those questions at least deserve to be explored through hearings in this committee.

Every Democrat on this committee has asked, in two separate letters to the chairman, for a series of five hearings on the gun violence epidemic.

We have not received a response and no hearings have yet to be scheduled. So I hope that the chairman and my Republican colleagues will finally see the need to schedule the five hearings we requested.

We don't expect them to necessarily agree with us or those participating in today's walkout on all the solutions to the gun violence epidemic.

However, we do hope that they will finally acknowledge the legitimate need to explore the questions we are asking and for this committee to take action.

And now, with regard to cybersecurity, I appreciate the majority taking these small but important bipartisan steps to enhance the Department of Energy's authorities with regard to our nation's energy infrastructure.

These four bills build upon the good work done by this committee and the FAST Act under Chairman Upton's leadership. I think it makes sense from both the security and business standpoint to have the department with the best knowledge of the energy industry taking the primary role in coordinating efforts to prevent and respond to cyberattacks on these facilities.

In general, I am supportive of each of these bills. H.R. 5174, the
Energy Emergency Leadership Act, sponsored by Representative Walberg and Ranking Member Rush, would create a new DOE assistant secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.

H.R. 5175, the Pipeline and LNG Facilities Cybersecurity Preparedness Act, was introduced by Chairman Upton and Mr. Loebsack.

It would require the secretary of energy to carry out a program to establish policies and procedures that would improve the physical and cybersecurity of natural gas transmission and distribution pipelines, hazardous liquid pipelines, and liquefied natural gas facilities.

Representative Latta and McNerney's bill, H.R. 5239, the Cyber Sense Act of 2018, is based on McNerney's language included in the last Congress energy bill.

It would require the secretary to establish a voluntary program to identify cybersecure products that can be used in bulk power systems.

Mr. McNerney and Mr. Latta also introduced H.R. 5240, the Enhancing Grid Security Through Public-Private Partnership Act, which directs the secretary to create and implement a program to enhance the physical and cybersecurity of electric utilities.

In addition to these bills, I also wanted to direct the committee's attention to the LIFT America Act, the infrastructure bill that committee Democrats introduced last year.

A number of the bill's provisions would enhance the security and resiliency of the grid through new grant programs and by requiring certain projects
receiving DOE assistance including the cybersecurity plan written in accordance with guidelines developed by the secretary.

And the bill would also establish a strategic transformer reserve program to reduce electric grid vulnerability to physical and cyberattacks, natural disasters, and climate change, and these are provisions that will better assure the security of our energy infrastructure, and I hope this committee will consider them as we move forward.

And again, Mr. Chairman, thanks for bringing up these bipartisan bills, and I yield back.

Mr. Upton. Gentleman yields back, and as I indicated, we are joined for our first panel with the Honorable Mark Menezes, the undersecretary of energy.

I would just note for those of us that went on the bipartisan trip to look at the hurricane damage in Puerto Rico, on my local radio website this morning I see that the bridge that we saw that was washed out was rededicated yesterday with the governor and it's opened up.

It's been six months. It connects 60 families in a town of about 33,000 folks. So I know we were there for an hour or so back in December. So I just thought I'd give that little update.

And with that, Mr. Menezes, welcome back
again to the committee. We look forward to your testimony. You know the rules. Thank you in advance for your testimony. We will give you five minutes to sum it up and then we will ask questions from that point.

So welcome.

STATEMENT OF THE HONORABLE MARK MENEZES, UNDERSECRETARY, U.S. DEPARTMENT OF ENERGY

Mr. Menezes. Thank you, Chairman Upton, Ranking Member Rush, and distinguished members of the subcommittee.

Good morning and thank you for the opportunity to participate in this legislative hearing to discuss the strategic priorities addressing the cybersecurity threats facing our national energy infrastructure and the Department of Energy's role in protecting these critical assets and responding to emergencies.

Maintaining and improving the resilient energy infrastructure is a top priority of the secretary and a major focus of the department. You referred to the written statement. I have submitted a much more comprehensive written statement, so my remarks will be limited to just the highlights.

To demonstrate our commitment and focus on this mission, the secretary announced last month that he is establishing the Office of Cybersecurity, Energy Security, and Emergency Response, to be known as CESER.

This organizational challenge -- change will strengthen the department's role as the sector-specific agency or energy sector cybersecurity, supporting our national security responsibilities.

The creation of CESER office will accomplish several goals -- one, build on the programs that we have today; two, elevate the department's focus on energy infrastructure protection and response; three, enable a more coordinated preparedness and response to cyber and physical threats and natural disasters; and most importantly, four, create a structure and an office with an evolving mission to ensure sufficient authorities and resources are in place to address present and future threats.

The focus of the office will necessarily include electricity delivery, oil and natural gas infrastructure, and all forms of generation.

The secretary's desire to create dedicated and focused attention on these responsibilities will provide greater visibility, accountability, and flexibility to better protect our nation's energy infrastructure and support its asset owners.

As more fully explained in my submitted written testimony, DOE works in collaboration with other agencies and private sector organizations, including the federal government's designated lead agencies for coordinating the response to significant cyber incidents -- DHS, the FBI, the National Cyber Investigative Joint Task Force, as well as DOT PHMSA, U.S. Coast Guard, and FERC and others through the Energy Government Coordinating Council and other coordinating
coordinating councils.

The FAST Act designated DOE as the sector-specific agency for energy sector cybersecurity. Congress enacted several important new energy security measures in the FAST Act as it relates to cybersecurity.

The secretary of energy was provided new authority, upon declaration of a grid security emergency by the president, to issue emergency orders to protect, restore, or defend the reliability of critical electric infrastructure.

This authority allows DOE to respond as needed to threats of cyber and physical attacks on the grid and, although the administration does not have a formal position on any of the legislation under discussion today, we are pleased to continue to work with the committee to provide technical assistance.

And this morning I would like to provide the subcommittee with some high-level priorities of the department in the context of the president's fiscal year 2019 budget request and which is the subject matter of today's bills.

Overall, investing in energy security and resilience from an all-hazards approach is vital given the natural and manmade threats facing the nation's energy infrastructure, the energy industry, and the supply chain.

The fiscal year 2019 request would provide the department an opportunity to invest in early-stage research, network threat detection, cyber incident response teams, and the testing of supply chain components and systems.

Beyond providing guidance and technical support to the energy sector, our Office of Electricity supports R&D designed
to develop advanced tools and techniques to provide enhanced cyberprotection for key energy systems.

OE cybersecurity for energy delivery systems' R&D program is designed to assist energy sector asset owners by developing cybersecurity solutions for our energy infrastructure.

OE co-funds projects with industry, our national labs, and university partners to make advances in cybersecurity capabilities. These research partnerships are helping to detect, prevent, and mitigate consequences of a cyber incident for our present and future energy systems.

It's important to emphasize that DOE plays a critical role in supporting the entire energy sector's efforts to enhance the security and resilience of the nation's critical energy infrastructure.

To address today's ever increasing and sophisticated challenges, it is critical for us to be leaders and cultivate a culture of resilience.

We must constantly develop, educate, and train a robust network of producers, distributors, vendors, public partners, regulators, policy makers, and stakeholders acting together to strengthen our ability to prepare, to respond, and recover.

As part of a comprehensive cyber -- energy cybersecurity resilient strategy, the department supports efforts to enhance visibility and situational awareness of operation networks, increase alignment of cyber preparedness and planning across local, state, and federal levels, and leverage the expertise of DOE's national labs to drive cybersecurity innovation.
As always, the department appreciates the opportunity to appear before this committee and discuss cybersecurity and emergency response in the energy sector, and we applaud your leadership.

We look forward to working with you and your respective staffs and continue to address cyber and physical security challenges, and I look forward to your questions.

Thank you.

The prepared statement of Mr. Menezes follows

INSERT

Mr. Upton. Thank you for your testimony and, as you know, we are talking about several bills this morning.

We want to make sure that DOE in fact does have the clear authority in the energy sector to be prepared for emergencies, particularly concerning the distribution of oil and gas and electricity, and we welcome your commitment to work with us and the bill's sponsors, as you indicated in your testimony, to provide the technical assistance to make sure that these proposals provide the tools that the agency can use.

I want to particularly thank, as Chairman Walden indicated in his opening statement, the willingness to work with the Idaho National Lab.

I know that he had a very productive day out there earlier this week, and I will tell members of the -- our subcommittee that we are planning to have a classified
briefing with them at some point in the near future so that we can -- we can know precisely what we have to be ready for and be able to ask questions in a -- in a classified setting. We are looking forward to setting that up in the next couple of weeks.

Let me just ask if you can help us identify other areas we might be able to clarify and strengthen your authorities to respond to energy supply emergencies, if we can have that commitment again today, and if you want to share any specifics today or certainly down the road where you can help us make sure that the worst doesn't happen and we will put out thousands, maybe hundreds of thousands, maybe even millions of folks without the ability to hook into the needed energy resources for their daily lives.

Mr. Menezes. Thank you for the question, Chairman Upton.

Indeed, having a robust communications and coordination system with our industry asset owners is critical to do this. We currently serve on a variety of and coordinator subsector coordinating councils. We coordinate.

We work closely with industry. We have regular meetings. We make our labs available to those that need it. We train, we practice, and we prepare. We do all that and, to be sure, we work with our sister agencies through the Energy Government Coordinating Council and work really on a daily basis with, as I mentioned, DHS and the other agencies.

All of that we are doing today. When the system is
stressed, when we have the emergencies in Puerto Rico, the art then is to put all that in place and respond in real time and to work with our sister agencies, and I have testified before that the expectations that the DOE has and the technologies that we have and the abilities to mobilize and to react are sometimes exceeded by the authorities and the resources that we have.

It would be important -- it is important for the department, with the bills that you have, to be clear on the authorities, you know, that we have and, if I could say too, it would be important to ensure that we have the authority to get the resources that we have when we are working with the other committees to ensure that we have the resources.

So we thank you for your leadership on that. But clear direction and the resources -- the authorization to have the resources would be very -- would be very helpful.

Mr. Upton. So DOE works with the Department of Homeland Security, TSA, and other agencies to ensure the protection of pipelines. But these agencies, as we know, certainly have other priorities.

It is my understanding that TSA, despite having some 50,000 employees, is only able to dedicate some -- a handful of folks, literally three or four -- to pipeline security.

So the question I might have is, are you concerned by
that fact, that a lead agency for pipeline safety is so stretched that only a handful of people would be working on pipelines?

Mr. Menezes. Well, I can't speak directly to the resources and demands that they have, but I can tell you from the experience that we have at DOE, having been over there now almost four months, we are -- all agencies are constrained to use existing resources to respond to, you know, new and additional obligations, for example, and it is a constant effort to find adequate resources to do things to accomplish our statutory obligations.

I will say that with pipelines both DHS and DOT co-chair, you know, that sector-specific pipeline industry. We are involved through the oil and natural gas subsector coordinating council.

And so we have -- we have regular interaction with the agencies that you mentioned and other agencies but also with the industry.

So, you know, we are involved in it. But again, it's always a challenge to find adequate resources within the current budget -- you know, to do the things that's expected of you.

Mr. Upton. Thank you.

I yield for questions to the ranking member of the subcommittee, Mr. Rush.

Mr. Rush. I want to thank you, Mr. Chairman.

Mr. Undersecretary, to date we have not experienced any large-scale cyberattacks on our energy grid. However, there have been minor incidences, maybe even what we might call probes into the system.

In your professional opinion, would you say that we haven't experienced -- have not experienced any large-scale attacks due to our defenses, or is
it simply because no entity has as of yet really attempted to launch a full-scale attack?

And do we really need to know -- do we really even know, rather, what their capabilities are of some of these foreign entities or rogue states that may eventually try to do us some harm?

Mr. Menezes. Thank you for the question, Ranking Member Rush.

Yes, a very important question. We are at probably a historical turning point from what has been going on in the past.

I had mentioned the ever increasing level of sophistication and the ever increasing number of threats. What has happened in the past simply is over and every day presents new challenges.

Some of the questions you asked, you know, would involve classified material that I can't get in today, but it is public that we are facing threats today that we haven't seen in the past.

The Internet of Things, all software, all of these are providing opportunities for those that are very creative to try to attack our systems, and it's ongoing. It's daily. It's 24/7. It is around the clock.

Interestingly, as we know, that now it is machines that are doing all this and they're using artificial intelligence. So you have machines.

Our goal, of course, would be to counter their machines with our machines and our artificial intelligence. But it's an ever-escalating battle.

So you're right to ask the question. We don't even know what the future threats are. And this is part of the reason why we are standing up this office. We want this to be
highly visible. We want this to be accountable to other agencies, to the Congress, so that you all have a much higher visibility on what DOE is doing.

So you asked the right questions. We are concerned about not only current but future threats and having the resources.

Pat, did you want to say something?

Ms. Hoffman. I just would also like to credit the strong partnership we have with industry and that we are keeping pace with respect to intelligence and classified information sharing, partnership with the ISAC for alerts and getting information out to industry as soon as possible, as well as partnerships and looking at engineering solutions and looking at technology solutions that will help mitigate some of the issues.

Mr. Rush. That leads me to another concern and that's the -- our nation's workforce preparedness when it comes to cybersecurity. Are we doing all that we can to ensure that we have a highly skilled, trained workforce both presently and in the future to address cybersecurity issues?

Mr. Menezes. We are doing what we can. I am not sure that we are doing everything that we can, but we certainly are elevating education in the realm of preparedness in addition to, you know, response and ultimately recovery.

But
it's going to be research and development and breakthrough technologies to be able to protect and defend our system and to be able to respond.

So we currently have training programs in place where we deal with our -- not only our workforce but also the industry's workforce, because they have to have the benefit of everything that we see, we know, and that we are developing so that they can train and they can instill a culture of resilience within their organizations.

And I can testify firsthand on the past success of the leadership of this committee and working with the ESCC and the industry partners in DOE's role.

I can assure you it was important for the electricity sector to have their CEOs participate, and when the CEOs participate they return to the company and they instill a culture of compliance and resilience and that they make many changes and they make sure that the workforce is very educated on these very technical and highly sophisticated programs.

So we are committed to ensuring that we have a dedicated and educated workforce.

Mr. Rush. Thank you, Mr. Chairman. I yield back.

Mr. Upton. The chair recognizes the gentleman from Texas, Mr. Barton.

Mr. Barton. Thank you, Mr. Chairman. It's always good to see our good friend here in such a position.

This is an important hearing that we are having today because it addresses an issue that we really haven't done a very good job of addressing -- this issue of cybersecurity and emergency response.

I am not real sure what cybersecurity is, first of all. So I guess
my first question would be, does the Department of Energy have a definition of cybersecurity?

Mr. Menezes. Well, let me go back to the days that I was on that side of the dais in '05 when we decided to add the word cybersecurity into the mandatory reliability provisions that we put in EPAct of '05.

That -- we thought whether we should define it back then, to be frank about it, and we decided then that it was better to have it as, frankly, broad as it could be because we weren't sure what it would become.

And so consequently I am not sure if we have a formal definition. I am looking over at --

Mr. Barton. So far you have done a very good job of dissimulating and not saying a darn thing, so --

(Laughter.)

Mr. Menezes. I know that.

Mr. Barton. -- but roles do change.

Mr. Menezes. Yes. I don't think we have a formal definition. But --

Mr. Barton. Well, do we need one --

Mr. Menezes. I had mentioned that, you know, so cyber -- again, the Internet of Things and software typically are ways that they seek to gain entry into systems via those mechanisms.

Mr. Barton. Mr. Chairman, let's let the record show that I stumped the undersecretary of energy on the first question, but in a polite way because he and I are friends.

Well, would you -- would you say that cybersecurity deals with the internet, intercepting -- somehow making it difficult for computer systems to operate, hacking into a controlled system or power plants or pipeline controls? Would that be a practical type of cybersecurity attack -- something like that?
Mr. Menezes. Yes, and you mentioned those are threats, right? But there's a security part of that, too. So it would include the communication systems, making sure you have resilient communication systems, control systems that you can monitor and detect and react and take, you know, action.

You had mentioned the threat detection and the analysis, and it's not limited to just one sector of the energy industry, for example.

So it has to include -- you have points of potential entry into any systems, and we are talking about supply chain today but, you know, we have generation. We have transmission. We have all the distribution. We have the, you know, the producers, the vendors. It's all up and down the, you know, every point.

Mr. Barton. Well, let me ask -- let me ask another simple question, which you may not want to answer.

Which of our industries are sectors that the Department of Energy has responsibility for would you consider to be most vulnerable to a cybersecurity attack?

Mr. Menezes. I think any that use the internet and use computers and are part of a system. And so when you -- when you get the briefings, you know, we are members. DOE is a member of the National Security Council and, as such, we have
intelligence and counterintelligence and access, you know, to all of our sister agencies, and we have eyes on things.

When you look at it, those that wish to penetrate our system will try all segments -- all segments. So in that respect we are all vulnerable. We are all constantly vulnerable.

Mr. Barton. Let me ask my final question. Have -- to the department's knowledge, have there been any cybersecurity attacks on our energy sector that the Department of Energy is responsible for?

Mr. Menezes. Attacks? Yes.

Mr. Barton. Have there been attempts to --

Mr. Menezes. Our systems are constantly being attacked -- constantly. Not only the DOE system but also the energy system.

Mr. Barton. Okay. Well, if you say constantly, then that would -- I would interpret that to mean that we've successfully fended them off, since I am not aware of any breakdowns in our energy infrastructure.

Mr. Menezes. Well, there have been some reported breaches, if you will. We are fortunate that we haven't had a major consequence of attacks and thus far we have been successful in identifying.

Part of this analysis involves modelling, information sharing, and monitoring. You may collect data and then you will use our experts' abilities to evaluate what we are seeing and then try to figure out what is happening.

Mr. Barton. My time has expired. But would the department be willing to have a briefing -- a bipartisan briefing where we could -- you could go into some detail about the attempted attacks?

Mr. Menezes. Yes, sir.

Mr. Barton. Thank you.

Thank you, Mr. Chairman.

Mr. Upton. Gentleman's time has expired.

Mr. McNerney.

Mr. McNerney. Well, I thank the chairman, and again I thank the witness.

Are you familiar with the two bills that Mr. Latta and I have proposed -- the Cyber Sense Act and the Enhanced Grid Security Through Public-Private Partnerships Act?

Mr. Menezes. Yes, sir.

Mr. McNerney. Do you think those bills serve a good purpose?

Mr. Menezes. We applaud the -- we applaud the committee for the leadership, you know, that you have shown and I think -- has one of them passed already, I believe? I mean, in past Congresses.

Mr. McNerney. Right. So --

Mr. Menezes. And I will say that on the supply chain -- you have already -- you have already seen action, right? You have seen action from NERC in proposing critical infrastructure protection standards. So you see it pending at FERC, so certainly your past efforts have generated that activity.

It's also generated activity here in this administration because in the fiscal year 2019 request we requested additional moneys to do -- to do what your bill is proposing to do.

Mr. McNerney. Do you have any suggestions on improving either one of those two pieces of legislation?

Mr. Menezes. Again, my suggestions would be, as you choose to send direction over -- and obligations over to the Department of Energy, if you can authorize resources, we find
that that helps us because otherwise the department typically would be forced to figure out where to get resources, you know, that it's currently using for other --

Mr. McNerney. But speaking of resources, the fiscal 2019 budget looks like a 40 percent cut in the electricity delivery and reliability account, which then is split into two further accounts.

So you're saying on the one hand that you need resources and on the other hand the administration is proposing significant cuts in program funding.

So how can they reconcile those notions?

Mr. Menezes. I think the OE budget cut -- I believe it's the case where it shows that we are pulling out almost $96 million and moving it into CESER. So it's creating a new office. But we are still --

Ms. Hoffman. We see an increase in CESER budget line for the 2019 request to -- yes, to $96 million.

Mr. McNerney. I saw that, but I mean, I hear that you keep saying we need more resources and yet the -- some of these line items are being significantly slashed.

Mr. Menezes. Well, can I point out a victory that we had -- that this office had with, you know, the administration?

As many of you know, because of the several trips that we've taken to Puerto Rico, for example, on the emergency response, okay, a very critical part -- I know we've been talking about cybersecurity but if you will allow me to talk about that.

Again, when you got
-- when we -- when we got over there and looked at our resources, it was surprising. It was surprising to me that all the work that DOE was doing on emergency response in this hurricane season, for example, the resources were, I thought, insufficient.

We asked the White House and they agreed to double the budget -- double the budget of the emergency response of ISER -- our Infrastructure Security Energy Recovery.

Mr. McNerney. So you're saying that in general terms the administration is acting in a way that'll increase your resources. Is that -- is that what you're saying?

Mr. Menezes. In this -- in this area.

Mr. McNerney. In this area.

Mr. Menezes. In this area. Yes, and they -- it's in our fiscal year 2019, you know, to set up CESER. It's all in the congressional justification for it. So --

Mr. McNerney. So, I mean, are you --

Mr. Menezes. -- so we have support in the administration on the topics that we are talking about today.

Mr. McNerney. So in a sense are you robbing Peter to pay Paul for the CESER?

Mr. Menezes. No. No, we are not. No, it's -- you know, we are moving some existing programs over to CESER just to begin to set up the office and so that was not a -- in fact, that's an increase. That is actually an increase.

So again, together it's going to be $96 million and that is an uptick of about maybe 16 percent, I think, from what it was in fiscal year 2018. Now, CESER didn't exist -- I mean, fiscal year 2017, it's a positive story here.

Mr. McNerney. All right. Mr. Chairman, I am going to yield back.

Mr. Upton. I would just note
that we've got Secretary Perry scheduled to come next month to talk about the budget as well.

Mr. Olson.

Mr. Olson. I thank the chair. Welcome to our two witnesses.

So my first question will be about Hurricane Harvey. I followed your reports on Hurricane Harvey -- the situation reports very closely as the storm hit and after the storm hit and the impacts on our energy sector -- the Port of Houston and the petrochemical complex.

DOE was a good responder -- a good partner. Worked hand in hand with Governor Abbott, with the local county judges, my county judge Bob Hebert, Fort Bend County -- county judge Matt Sebesta, Brazoria County -- county judge Ed Emmett, Harris County.

He helped to get waivers they needed and the assistant had to ensure the permits and waivers were issued without delay. That's very important.

You mentioned, Mr. Menezes, that the budget has been doubled now since lessons learned from Harvey for recovery efforts.

What are some lessons learned like that that we could apply in the future going forward from Hurricane Harvey? Feel free, both of you, to make comments about that question.

Mr. Menezes. Well, I am aware that we did an after activity report, I believe. I might defer to Pat. I think she's in possession of that report.
I am not sure if it's finalized or not, but certainly we will make it available to all members of the committee.

Pat, do you have specific comments on that?

Ms. Hoffman. Yes, thank you very much for the question.

I think I would applaud industry's effort as well in Hurricane Harvey and Irma and Maria and the strong work that they've done.

Some of the lessons learned is, as we continue to move forward, the industry is on the front line, so exchanging coordination of information is critical and absolute for having an effective recovery and restoration process, and I think that's where you have seen the success as well as some of the lessons learned.

From a department perspective, being able to engage our power marketing administrations, to be continuing to use the strategic petroleum reserve, are all important aspects of how the department can help in a restoration process.

The waivers and the coordination with industry were always very positive and helpful to support, so being proactive in those areas as we continue.

As we look forward on cyber, as we think about that, some of the needs and the issues are really being proactive in looking at threat analysis, continuing to support the mutual assistance program, and I think whether it's hurricanes or cybers, really want to be able to engage stronger in the mutual assistance program in support of industry.

Mr. Olson. And you all read my mind. Let's now talk about cyber.

Attacks happen on America every
single day in cyberspace. Bad actors have attacked our power industry. They've attacked refineries, chemical plants, pipelines, all across the spectrum.

You mentioned, Mr. Menezes, about AI -- artificial intelligence. I formed a caucus here in the House to look at those issues and I have a bill out to get us on board with AI because that's our future to prevent some of these attacks.

My bill just basically says let's partner up with the private to make sure these attacks don't happen through cyberspace and use AI as a weapon.

AI is to empower people. It's not to have machines run our world but it's to empower people with information to make sound decisions when a disaster hits, like a hurricane.

And just like you commented about the bill, just basically says let's have a true public-private partnership, support the private sector, make them -- empower them with the public sector's assistance, make sure we adjust jobs because there's lots of jobs being lost or jobs being created, have facts about jobs. Also bias -- there's natural bias can be around information that may be biased -- avoid that, and also privacy -- big issues.

But how can AI help out with the recovery from Harvey and those you're facing?

Mr. Menezes. Well, thank you for that question, Mr. Olson. You know, you raise a very important point. AI will be the future of how strong and resilient we can be because of the ever sophistication -- ever-growing sophistication of these attacks.

With respect to your bill, again, the administration, you know, doesn't
have a formal view of it. But as a general rule --

Mr. Olson. It's good. Trust me.

Mr. Menezes. As a general rule, all the direction and -- that you can provide to us, particularly in the use of tools that we can use within industry -- former Chairman Barton had asked about, you know, attacks on the system and we are here representing the department and, to be sure, the department is, you know, subject to attacks.

It is our industry, however, that typically would be front line because the bad actors would look for soft targets. It might not spend a lot of effort in going after government assets that they think are going to be hard targets.

So they're developing artificial intelligence to probably identify those risk levels. Well, industry is going to be on the front line and so it's very important that we get a set of tools and resources to be able to work with industry and to help industry have the resources and the knowledge and the wherewithal to be able to anticipate, predict, react, respond, and to make their systems more secure.

Mr. Olson. Amen. Machines to empower people, not take over the world. We're working for this. Thank you for your comments. I yield back. Thank you, Chairman.

Mr. Upton. Gentleman's time has expired. Mr. Tonko.
Mr. Tonko. Thank you, Mr. Chair, and to Secretaries Menezes and Hoffman. Welcome. It's good to have you back again.

I know DOE is taking its role as the sector-specific agency for cybersecurity seriously. But I have a few questions on the reorganization of the Office of Electricity Delivery and Energy Reliability.

And for the record, I am not necessarily opposed to the change but I would like to understand how it might affect DOE functions as we move into the future.

Last month, Secretary Perry announced the creation of the Office of Cybersecurity, Energy Security, and Emergency Response, which, as I understand it, will take existing programs from the Office of Electricity.

Can you explain the vision for this cybersecurity office moving forward and do you expect to add new programs or functions to this office over time?

Mr. Menezes. Thank you for that question. It's a very good question.

When the secretary arrived over at the department, you know, and you have your security clearance, right, you get briefed and your world view changes and almost immediately it became very apparent that one of the top priorities will be resources for cybersecurity and, again, and the physical security -- and we were in the hurricane seasons as well and so those three things came together very quickly. You know, just from an experience point of view.

The department, of course, had a history of dealing with these issues and so we began a
process where we evaluated everything within the department, our stakeholders.

We talked to members of Congress and staff. We talked to the appropriators. We talked to OMB and the White House to formulate a process to bring the visibility and enhance the importance of these three topics.

Since this is an initial creation -- not a creation but an establishment -- we had the authority -- you know, the DOE Org Act has the authority -- has given us the authority to do this -- but it wouldn't surprise you to find out that our appropriators, you know, had -- and others had some very keen views on what assets and what could we do to begin the process.

So I would like to emphasize this is an initial step and so what we did was we identified within the department those programs -- successful programs to move -- to begin to process to move them over into a new office. So it was to simply begin that process.

So we identified those two, the R&D within OE and the ISER function also within OE. It just happened to be that they're both in OE.

It doesn't diminish what we continue to expect out of OE -- the Office of Electricity -- and it's just a beginning point for this new office.

Mr. Tonko. And what will happen to other programs from the Office of Electricity?

Mr. Menezes. What will happen with what?

Mr. Tonko. Other programs from the Office of Electricity.

Mr. Menezes. Well, they will continue and we will -- you know, in a --

Mr. Tonko. In that realm? In that given division?

Mr. Menezes. No, the
Office of Electricity will, of course, help in seeing the transition of them. But the Office of Electricity has other critical functions too that they will continue to do and --

Mr. Tonko. Does that include the non-cyber R&D portfolio focussed on grid modernization and storage?

Mr. Menezes. Yes. Yes. They will continue to do that.

The other thing I want to point out is that one thing that we started at this department is it's a hallmark of this administration at DOE, because of our backgrounds, is to engage in much more of a collaborative effort between all of the programs.

We are about busting these silos. Now, we are limited to the actual offices due to revenue streams. But as a practical matter, we collaborate. We share responsibilities and, you know, that we coordinate certainly all of our labs.

So what you're seeing over there is a coordinating effort and a collaborative effort so that we can make use of the resources that we currently have to do the things that were important.

Mr. Tonko. Will there be any split of the Office of Electricity staff -- the FTEs or full time equivalents -- going in another direction or will they stay intact as it is now?

Mr. Menezes. Well, we are in the process of identifying which employees will ultimately report to or be part of the new office and, you know, there's a series of procedures and policies that we have to follow in order to do that. But we are going to be in full compliance with all of the
regulations that we need to do.

Mr. Tonko. Well, it's important, I believe, that cybersecurity gets proper consideration in resources. I also believe the work being done by the Office of Electricity on grid modernization, on micro grids, and on storage is also critical and I hope that these offices will be working together and not having to compete for resources. I think that's very important.

Mr. Menezes. You have -- you have our commitment from that, sir.

Mr. Tonko. Okay. With that, I yield back, Mr. Chair.

Mr. Upton. Mr. Shimkus.

Mr. Shimkus. Thank you, Mr. Chairman. It's great to have to have you -- good to see you again and welcome to the committee.

So I hate acronyms. So CESER is the Office of Cybersecurity, Energy Security, and Emergency Response Management, correct?

Mr. Menezes. Yes, sir.

Mr. Shimkus. That's -- when you use CESER that's what you're referring to and that's a new organization within the Department of Energy to address grid resiliency, which can be defined by either concerns of attacks or cybersecurity or the like. Is that fair?

Mr. Menezes. That is fair and it will be headed up by an assistant secretary.

Mr. Shimkus. And you want to, I think -- you used a good terminology -- you want to bust the silos that
occur in major bureaucracies so we have people talking to each other.

Mr. Menezes. Yes, sir.

Mr. Shimkus. So so far so good. I think it's needed. It's something we've talked about for a long time.

So let me address a couple questions, and former Chairman Barton had raised just the whole cybersecurity -- how do you define.

So that's the whole issue of what could be points of entry. My colleague, Mr. Tonko, mentioned the micro grids, which kind of are developing in our -- in our country, and then the question would be cybersecurity of entry through a data control system that then could make instructions to transformers, through generation, through the like.

So that's one way there could be disruption. And isn't that also the reason why we want -- which we did in the last Congress, talked about quite a bit -- I think you mentioned the fact that we had moved the bill -- we do want some communication between our government agencies and the private sector. Why is that important in this debate?

Mr. Menezes. They're on the front line. I mean, it is -- it is their -- they're, A, providing the service. They are doing the things that we've come to expect from our energy infrastructure.

They own and operate the actual facilities, they develop the software, and they rely on the supply chain, all of which could be vulnerable. And so as the government, you know, agency responsible for that, we need to ensure that they do have the training, they have the know-how.

We share with them information upon which they can, you
know, identify, train, and respond and recover ultimately. So they're on that front line, which is not easy. It's a lot more than --

Mr. Shimkus. So they're seeing some front line attacks that they can then talk to you and we can address training and -- not remediation but counter measures, I guess, would be.

Are we getting -- is CESER able to then also talk to our intel communities for higher level cyber concerns that could be then passed on to the private sector and say, hey, watch out for this?

Mr. Menezes. Correct. In fact, you know, we -- the information sharing and analytical center, you know, has developed CRISP, which is the Cybersecurity Risk Information Sharing Program.

Mr. Shimkus. Thank you.

Mr. Menezes. Yes. Just threw out a couple more acronyms your way. And the importance of that is that while the ISAC manages that, it uses information that is shared by our intelligence-counterintelligence that we receive.

I had mentioned previously, as members of the NSC, you know, we have resources that some agencies do not have and, with special, you know, protections in place for classified information, we share that information to the extent that we can and it has been very helpful and useful in identifying threats that, without it, we still would not necessarily know that our system was even attacked.

Mr. Shimkus. You know, let me go quickly. My time is almost expired. Talking about electromagnetic pulses, either intentional or naturally occurring, the hardening of systems, the cost, and the communication
with the private sector. I mean, the private sector, when we talk about it, they just say, oh, the cost is too much -- can't do that.

And there is some cost but I think it is a concern that I hope that you all and maybe even this CESER subsection of DOE is talking about.

Mr. Menezes. Well, I would say that a hallmark of any technology that we develop, any training system, it has to be cost effective. Clearly, we cannot give them information that imposes such a burden that --

Mr. Shimkus. But are we talking on EMPs, both naturally occurring or bad actors? Is that part of what you're discussing or --

Mr. Menezes. Yes, it's -- yes, CESER is -- does have the energy security part of it so it would include the EMPs as well and the GMDs, if you want another acronym.

Mr. Shimkus. Thank you. My time has expired.

Mr. Upton. Mr. Loebsack.

Mr. Loebsack. Thank you, Mr. Chairman, for holding this important hearing and I do appreciate both of you being here as well -- the witnesses. Thank you so much.

I don't think that we can argue with the fact that it's absolutely critical that we do ensure the safety of our energy infrastructure and in the 21st century we all know that a very
critical emerging threat that's been talked about today is cyberattacks and we've got to just work as hard as we can to make sure that we protect, you know, that energy infrastructure.

I am very proud to work with Chairman Upton. We actually can do some things on a bipartisan basis in this committee and I think we've done a lot, but to make sure that we get adopted eventually and implemented H.R. 5175, the Pipeline and LNG Facilities Cybersecurity Preparedness Act. So I want to thank the chair for working with me on that and vice versa. It's great.

I do think it's absolutely critical that we make progress to ensure the cybersecurity and safety of our natural gas and LNG facilities and I believe that this bill is a step in the right direction.

Physical threats to pipelines and energy infrastructure do remain a significant threat, as everyone on this committee knows and you folks know. But today -- these days our pipeline system is increasingly technologically sophisticated as we get new pipelines put in place and that does, I think, probably increase our vulnerability in some ways to cybersecurity attacks.

And for the life of me, since I speak a little Spanish and even more Portuguese, I cannot figure out yet how to pronounce your name -- why it's only two syllables.

Mr. Menezes. It's Americanized Portuguese.

Mr. Loebsack. Yes, I am aware of that.

Mr. Menezes. You were right on that. And so we've apparently had the middle E become silent.

Mr. Loebsack. So it's Menezes. Thank you so much.
Thank you for explaining that. Menezes. Thanks for being here today.

As we mentioned, DOE has to play a critical role in ensuring the safety and security of this infrastructure, can you elaborate a little more about the level of vulnerability of our pipeline system to cyberattacks?

I mean, you have spoken about that some this morning already but can you elaborate even more within the context of an open hearing, at any rate?

Mr. Menezes. Right, and so I will keep it general.

Perhaps the vulnerability on the pipelines exist because it's a transportation system, you know, at its sense and it -- probably the control mechanisms, the communication systems, and the operations systems, they may not be as fully integrated, say, as a fully operating electricity, you know, company in all sectors, for example, in the -- and so as a consequence it may be the assumption that because they're more simplified, if you will, you might not have to develop technologies to make them as resilient as any other point of entry.

So as they are improving their efficiencies they are bringing in new softwares, you know, and new devices and, again, the result is you see the flow of product.

But as they become more sophisticated we need to ensure that what they put in has the resiliency programmed in at the front end --

Mr. Loebsack. Right.

Mr. Menezes. -- so that it's resilient and that's going to be the key. So --

Mr. Loebsack. Because I was kind of shocked, actually, at an earlier hearing when I found out that there isn't a lot of
federal involvement, you know, when it comes to pipelines in the first place.

There's, you know, sort of oversight after they're already in place but it's -- there's precious little involvement as they're going in. I think that's one area where there can be more involvement to make sure that these things are put in properly and that they are secure.

Mr. Menezes. Yes. We are doing what we can in our role, you know, for the oil and natural gas subsector coordinating council and we do have regularly -- you know, meetings -- we have monthly meetings with the group and we have quarterly meetings as well with the larger group, you know, that is co-led by DOT and DHS, and we do bring in all those other agencies. So we are -- we have a structure within the existing authorities to try to address that.

Mr. Loebsack. Yes.

Mr. Menezes. There's a lot of information sharing and it's important. You have got to be at the meetings. You have got to -- you have got to be willing to participate. And they are, by the way. I mean, they are.

Mr. Loebsack. And just very quickly -- my time is running short. Thank you very much. I want to make sure that, you know, that you folks are prepared as a department, in the event that this legislation is passed, be able to put this into effect.

I do have one other question. Maybe you could respond in writing to me, if that's possible. We have a lot of
existing pipelines now that may not be as subject to cybersecurity threats.

I don't know the answer to that and maybe you could distinguish in writing for me those that are already in the ground, already exist, versus the newer ones, which might be more vulnerable given the technology, and I would really appreciate an answer to that question, perhaps in writing, if that works for you.

Mr. Menezes. We'll be happy to get back with you on that.

Mr. Loebsack. Thank you so much.

Mr. Menezes. Thank you.

Mr. Loebsack. Thanks. Thank you, Mr. Chair, and I yield back.

Mr. Upton. Mr. Latta.

Mr. Latta. Well, thank you very much, Mr. Chairman, for holding today's hearing. This is very, very important when we are talking about cybersecurity and also the emergency response.

But before I do, and I know he's stepped out right now, but I just want to recognize Mr. McNerney from California, who's been working with me, and all the hard work that he's done on the issues, especially with grid security.

Mr. Under Secretary and Ms. Hoffman, thank you very much for being with us today because, again, this is a very, very important topic that we are dealing with today.

But if I could start with -- in your testimony you noted that securing the electric sector supply chain is critical to the security and resilience of the electrical
grid and products must be tested for known vulnerabilities in order to assess risk and develop mitigations.

Would you explain the consequences of having a device or a component in the electric system that poses a cybersecurity vulnerability and, you know, are there -- more importantly, do we have the adequate measures right now in place to protect that supply chain?

Mr. Menezes. Great question, and thank you very much for it.

Our supply chains probably would be our most vulnerable areas and by supply chain it could be any component part, you know, that any of our energy partners, you know, would rely on. That could make our entire system vulnerable. If point of entry could be on a -- what you think is a routine software program, perhaps, to do accounting, you know, for a supplier of valves, for example.

Okay. So the importance has been noted in a couple of ways. NERC has already proposed CIPs -- the critical infrastructure protection standards -- which is pending at FERC to address this very supply chain issue with respect to, you know, the agencies that's responsible for developing our mandatory reliability provisions for the electricity grid, and this administration in fiscal year 2019 has requested additional money so that we, with our labs and our experts, can similarly test these products for -- you know, for their vulnerabilities and we can mitigate those vulnerabilities. So we can make the whole system stronger by really addressing those most vulnerable, if you will.

Mr. Latta. Also in
your testimony you referenced the budget proposal to invest in testing supply chain components and systems and, under the Cyber Sense bill, seeks to authorize a related program focused on identifying and promoting cybersecure products using the bulk power system.

Again, would you elaborate on the work that the DOE is doing to test the supply chain components and systems and also, in a follow-up of that, how does the quality control for supply chains help in ensuring that cybersecurity?

Mr. Menezes. I will allow -- Pat has more experience directly on this.

Ms. Hoffman. So through the Electric Sector Coordinating Council and our discussions with industry, the supply chain need has been highlighted as extreme importance and so I appreciate the committee's efforts in this area.

What we are looking at is actually partnering with industry to test and do a pilot program to test several components that are critical in the industry, to do a deep dive testing of the components and subcomponents.

What the industry would like to understand is all the vulnerabilities so they can assess their risk and the risks that they are facing. So part of what the NERC standards also emphasize is the disclosure of vulnerabilities and the continued testing.

One of the things that we want to emphasize is, as we are looking at testing of components, there may be a new vulnerability or a new threat vector that's discovered tomorrow. So what should be institutionalized is a process for continual improvement in cybersecurity.

As we've talked about the definition of cybersecurity being secure information technology, secure firmware, software, the information side of the industry, we really need to continually test product, continually improve products, just like we would do from a manufacturing point of view.

So that philosophy of continual improvement is absolutely critical and testing with the national laboratories can help identify some of the vulnerabilities and continue to advance the improvement of products.

Mr. Latta. When you're testing the products and getting that -- how do you get that information out to the industry?

Because, just like this past Friday, I spoke at one of my electric co-ops in my district -- I have the largest number of co-ops in the state of Ohio -- and not too far in the past from that I also spoke at another one.

But how do you get that information out, especially with these products, to make sure that they know that they're, A, available, and B, that they're tested and they ought to be utilized once they're approved?

Ms. Hoffman. So the goal is to get the information out through the supply chain community, and I am sure the next panel will talk about that and details of having that
disclosure and that collaborative relationship with the industry with the mitigations and the solutions.

But the other area is through our national laboratories and through, say, the ISAC program, to continue to really identify some of the vulnerabilities but get it out to industry and all the components and all the -- and all the sectors in the industry.

Mr. Latta. Yes. Well, thank you very much, and I yield back.

Mr. Upton. Okay. I would recognize Mr. Kinzinger. No, I am sorry -- Mr. McKinley.

Mr. McKinley. Well, I wasn't expecting that. Thank you, Mr. Chairman.

Mr. Menezes -- or Secretary Menezes, a couple questions quickly, if I could. Almost three years ago to today -- three years ago we had Tom Siebel -- he's the CEO of C3 Energy -- testify before us about cybersecurity and the grid, and he made a very revealing comment.

He said that there were just a group of engineers -- just a small group of engineers would be able to shut down the grid on the East Coast in four days and that would shut -- it would shut down the grid between Boston and New York.

Did you -- did you -- did you ever see his testimony or respond back to him on that?

Mr. Menezes. I did not see it.

Mr. McKinley. It just -- the fact that a lot of things have happened, and I appreciate your remarks -- your answers back to Barton where you said that we are constantly under attack.

And maybe it's worked, but I am saying there are groups saying the engineers can do this. They can still get past your system if they want to do that.

So the other thing, and just maybe it was coincidence, in 2015 Ukraine was faced with a cyberattack. The Russians apparently are the ones that contributed to that.

What have we learned from that? Did we interact with the Ukraine and find out how that was shut down so we could prevent that from happening here?

Mr. Menezes. Since that occurred before I arrived, I will just --

Mr. McKinley. Just quickly, because I've got a series of more questions. Have we -- yes or no, have we worked -- interacted with them?

Ms. Hoffman. The answer is yes. We participated -- we worked closely with them. We actually gained some knowledge of the attack. We have had training sessions with industry and analyzing, so lots of --

Mr. McKinley. Okay. But we've learned -- we've learned something from it.

But then let me go also now go back even further in history. Back in 2007 there was an Aurora generator test that was maybe controversial. Are you familiar with it, Secretary?

Ms. Hoffman. Yes, I am very familiar with it.

Mr. McKinley. Okay, you are. Okay. What have we -- because they are -- it was -- they were able to display that just by entering 21 codes they could blow up a generator and thereby set in motion a blackout in the United States.

What have we done to prevent those 21 codes from being introduced?

Ms. Hoffman. So we worked with industry in analysing that -- the Aurora attack and looking at the focus on relays and the vulnerabilities in that. The industry has looked at mitigation solutions. We've done information sharing with industry.

So it's been an active engagement with the industry.

Mr. McKinley. Have we taken -- have they taken action, implemented things to prevent that from happening with that?

Ms. Hoffman. The industry has implemented and has taken action per some of the requests from NERC in doing that.

Mr. McKinley. Okay. The third question, or second question, has to do with vulnerability, because you talk about emergency and we have a report here from New England saying that they're not going to have enough gas if there's an emergency situation that's coming up, and they say that because during the cold weather they're having to divert those -- that gas to homes and so there's not going to be gas for power plants.

We've experienced that in West Virginia. We had a black start plant that had to shut down during the Polar Vortex and just this last winter was told that they were on day to day -- they may have to shut down as well.

So I am wondering about, in an emergency, how are we going to make sure that we have gas available for our power generation, let alone cyberattack. Is there a solution to that?

Mr. Menezes. Well, we need more infrastructure, to be
sure, both what you referenced. The New England ISO, together with NERC, has identified areas in the country where we rely heavily on natural gas for our power generation to ensure our resilience and the reliability of our grid.

It's in those constrained areas where it's important that we try to increase the infrastructure so that we can have adequate supply.

That has been the hallmark of this administration, so that we have, you know, a sufficient diversity of fuels, including natural gas.

Mr. McKinley. If I could, Mr. Secretary, but we are relying on Russia for bringing in LNG to New England and just -- and this is -- now they've unloaded their second tanker on this.

So if we are going to be energy dominant, how are we energy dominant if in an emergency, if we are going to rely on a foreign government to provide us a natural resource to be able to provide electricity in New England?

Mr. Menezes. Well, good question. Well, the president, you know, has announced his efforts to -- for the infrastructure bill, and contained therein are recommendations on how we can help to, you know, site and build, construct and permit these -- in this case natural gas pipelines, you know, to address the issue that you raised.

Mr. McKinley. Right.

Mr. Menezes. It's not limited to that, but it is a component part of that. So it's also a function of working with the states because, you know, under federalism the states have a big role to play as to any interstate gas pipelines.

Mr. McKinley. I understand. I don't want a heavy hand --

Mr. Menezes. There's so much we can do --

Mr. McKinley. I don't want the heavy hand of the federal government stepping in. But there is a concern.

Just in closing, quickly, could you tell me what keeps you up at night? What is your biggest worry, biggest concern from your position?

Mr. Menezes. Well, in the cybersecurity, clearly, I mean, this is -- your worldview changes as you get a security clearance and you get briefed in on what's happening.

I mean, I think you all have been read into a lot of this stuff. But yes, that causes me to stay awake, and frankly, as we have seen what are becoming, you know, common winter events, when our system is stressed it seems as though, you know, we may be faced with an inadequate supply of what used to be baseload.

So the closure -- premature closing of what historically, you know, has been -- whether it's nuclear or clean coal, these facilities are going offline.

We are becoming more reliant on natural gas, which is not a bad thing. But it does have to get through pipelines, and we've seen in the cyclone bomb, if you will, on the East Coast, we see natural gas actually having price spikes, which forces the operators to go to nuclear, coal and, believe it or not, oil. So those are the things that keep me up at night.

Mr. McKinley. Okay. Thank you very much. I yield back.

Mr. Kinzinger. Thank you, Mr. Chairman. Thank you all for being here.

I know we all recognize the very serious threat we face with
cyberattacks. It can be especially difficult as the threats we face are constantly evolving and can vary significantly.

Individual bad actors are constantly attempting to obtain data -- bank routing numbers or medical records from everyday Americans -- while state actors, for example North Korea's attack on Sony Pictures or China's break of the OPM files, represent a very different kind of threat. And for a lot of these nonstate actors, a very low barrier of entry.

In the energy sector we have to prepare for any level of attack given the interconnectedness of the grid. Even a relatively small scale attack on a single asset could have serious consequences.

I will ask both of you, just whatever you can do with this. If you can elaborate on how the work the DOE does, like R&D, industry information sharing and physical hardening of assets to combat cyberattacks, is flexible and able to evolve as the threats change.

You might have addressed this to some extent.

Ms. Hoffman. Sure. I appreciate the question. We've been actively engaged with industry, and we know that the core components of a strong cybersecurity program really looks at building capabilities.

And so our goal is to help industry build as much capabilities as possible, so our R&D program is focussed on supporting that capability development.
So from an information sharing program, let's look at a continuous monitoring or an ability for intrusion detection. It's a capability that the industry needs to have and a support that we've been providing through the risk information sharing program that we've developed with industry.

Other activities is really trying to get ahead of the game and looking at threat analytics, but engineering some cyber solutions to prevent and mitigate some of the events that are occurring or the events that could cause damage to the equipment.

One of the things that we want to do is look at continued sharing of programs but also incident response, and I think that is the next phase of which we must advance in, is supporting the development of incident response capabilities, so those tools and capabilities to identify where actors are on the system but also to prevent them from continuing to progress from a cyberattack point of view.

So our R&D program, we also have two strong university programs, one with the University of Illinois and one with the University of Arkansas, to develop the next generation solutions, as well as partnerships with the national laboratories looking at a moving target type activity to think about how could we make the system more dynamic.

Mr. Kinzinger. And to drill down a little bit, it was mentioned, sir, in your testimony that the
cyberattack on Ukraine, which the CIA attributes to Russian military hackers, we've experienced a number of attacks by state actors here.

Does DOE plan for these kinds of coordinated attacks differently, and what systems are in place to ensure that the DOE is receiving the most pertinent and up to date threat information from our intelligence agencies?

Mr. Menezes. Right. I mean, as Pat Hoffman had testified earlier, the lessons that we learned with respect to the Ukraine.

But I would like to point out that we work with NERC on the GridEx exercises, where we have these kinds of situations and we bring industry in, government in, all the stakeholders in, and they participate in a real live situation, if you will, that brings to bear the most sophisticated approaches that we have seen to date.

So it's been ongoing. It had been a success story by all measures. We gain a lot from that. The industry gains a lot from that. I can -- I can vouch from industry that you take those lessons learned and you implement them.

And they could be as simple as revealing, for example, that you might need satellite phones, for example, because when you lose your power you need to be able to communicate and you need to have enough satellite phones.

So it can be something as simple as that to something much more sophisticated, to developing, you know, a more resilient software program, for example.

Mr. Kinzinger. Thank you.

And DOE has a long history of promoting a strong energy workforce, and I think we all recognize
the need for well-trained cybersecurity professionals in both the private and public sector.

As part of the new announced Office of Cybersecurity, Energy Security, and Emergency Response, does DOE plan to engage in cybersecurity workforce development? For whoever wants to answer that.

Mr. Menezes. Right, and that -- to repeat what we had previously said, the short answer is yes. We currently have in place training programs throughout the process, whether it be at the front end on, you know, on preparedness.

We make sure that you have training to anticipate, identify, you know, the new threat vectors, how to respond -- you know, how do you recover.

And of course the -- what's most important is to have the innovative R&D in place. So while driven primarily by our labs together with industry, it's important that we train the workforce, and the workforce is not just in the departments, you know, or the governments.

It's in the industries themselves, and it's not limited to just the big player in the industries, but it's all the participants, which we have in place right now to cover, you know, the large utilities of all sizes, whether you're a muni or a co-op.

So we are trying to develop and implement and train and maintain and enhance these programs.

Mr. Kinzinger. Thank you all, and thanks for your service to the country. I yield back.

Mr. Upton. Mr. Griffith.

Mr. Griffith. Thank you very much, Mr. Chairman, and thank you, Mr. Undersecretary, for being here. I appreciate all your work on emergency
response and Puerto Rico, and I know you're passionate about trying to make everything safer.

I am going to shift gears a little bit. My colleagues have asked some great questions on what we already have and I appreciate that, and my colleague on the other side of the aisle, Congressman Loebsack, touched on this earlier and asked you all to get back with him on whether the new pipelines with more technologies are more vulnerable than older ones already in the ground.

I would hope that you would include me in whatever response you give him, because I am interested in that.

And we have a new pipeline that's being built in my district, and a lot of my constituents are concerned about all kinds of issues.

And so I would also ask, and not expecting you to have an answer today, but also ask that you take a look at what can we do as far as making sure that the new pipelines have technology in them that lets us know if there's an earthquake in the area, a collapse somewhere.

The faster that people know about it, the faster we can respond. Folks are very concerned about, you know, possible breaches.

I've mentioned natural disasters, but it could also be bad actors
from outside. And also, I think maybe we need to look and would like your help in figuring out if we need to draft legislation that would get DOE in on the front end, as Mr. Loebsack pointed out, because, you know, I am not sure that FERC is looking at, okay, how can we make this pipeline less vulnerable -- should we move it away from the more occupied area of a particular -- let's say we have a farm. Should we move it away from where the house and the barn are and -- to an area that's less likely both to be attacked by bad actors or to create a problem should there be some kind of an issue?

Likewise, on that same vein -- I am going to give you a second here but I just want to get it all out before I forget something -- it would also seem to me that DOE would want to know who had extra capacity, and a new pipeline with the right kind of technology could tell you instantly whether or not they had the ability to take on more natural gas at a particular moment should there be a failure in some other area, so that we can get that natural gas to where it needs to go by rerouting it possibly.

And we've got two coming through Virginia, one through my district, one going through Bob Goodlatte's and other districts.

While we are laying this pipe is the time to put in any new innovations and new thoughts into that, and I am just hoping that DOE has some thoughts and plans.

And I will give you an opportunity to respond to that now, but also ask that you get back to me on all those thoughts that are
important to me intellectually but also important to the constituents in my district -- that they want to feel a little bit safer about this pipeline coming through their back yard.

Mr. Menezes. Well, thank you for the series of questions and the commentary. Of course we -- you know, we agree with the issues that you have identified. If I can just take a quick crack at it, if you will, Pat, and then I will defer to you.

But first of all, with respect to developing the technology on the -- on the resiliency side of it, first of all, you hit on a key point.

As you know, our system is becoming more and more open. We are actually excited about all the possibilities of getting more inputs on either side of the meter. Individuals will -- to be able to gain input.

We are -- we are increasing the flexibility of our grid for a variety of good reasons -- make it more resilient, more reliable. However, every time we make it smarter it's a new entry -- it's a potentially new entry.

So in my conversations with the lab directors, for example, whom we meet with regularly on this, as they're developing ways to make things more efficient or greater access, more individuals who can get electrons -- you know, produce whatever they want when they want it, as an example, I make sure that my message to them is, as you develop that new technology, please, at the front end, design it in such a way that it is resilient and it is secure. And so that message is out and they are -- they are doing that. So that's on that question.
With respect to the question on the extra capacity to take on more natural gas, I will say that we work with our other partners. I mean, we work with FERC. We work with NERC.

We are aware of the interoperability issues there. We are also aware of other potential issues that might give rise when you're talking about sharing market information and that kind of thing. So those things have to be looked at and considered carefully.

But the short answer is yes, to the extent that as we are making these improvements and we are spending these resources and we are developing these programs and we are improving technologies, I think you can look at it holistically, if I can use that word, to describe what you were discussing.

And with that, I will pass it to Pat if she wishes to say something.

Ms. Hoffman. Just really quick, adding the resiliency looks at -- looking at four and minus one contingency or single point of failures.

I think also another point that I would like to bring up is you're absolutely right, having the ability to increase the amount of sensors in the system to be able to predict and get ahead of the game as we look at failures as a critical component that we think is an important part of our program in improving resilience.

Mr. Griffith. I appreciate it, and I yield back, Mr. Chairman.

Mr. Upton. Mr. Johnson.

Mr. Johnson. Thank you, Mr. Chairman, and I want to
thank both of you for being here today. Such a -- such an important topic, cybersecurity, particularly as it relates to energy and our energy infrastructure.

I dare say that most people don't really think about the implications of cybersecurity when it comes to infrastructure and the importance of it.

So when looking at emerging cybersecurity risk and particularly threats of the highest consequence to energy infrastructure, it seems critical to me that DOE have full visibility on the greatest infrastructure risks and consequences.

Do you believe, Mr. Undersecretary, at this point that DOE has sufficient visibility today on what those risks and vulnerabilities are?

Mr. Menezes. Well, we are doing -- we have -- currently we have sufficient visibility, but it is the future that we need to anticipate. And so today's hearing is about how it is that these increasing threats will require us to have greater visibility in the resources, which is why we've set up this office that we affectionately refer to as CESER.

Mr. Johnson. Yes.

Mr. Menezes. So it is -- we are looking -- we are doing okay today, as several members have identified. It seems as though, while we have the constant threats, we've been able to, you know, avoid a major catastrophe.

But we want to make sure that going
forward we have the visibility and the resources. I think Ms. Hoffman would like to say something.

Mr. Johnson. Sure.

Ms. Hoffman. I think it's important to continue to support the information sharing between industry and the Department of Energy in understanding the number of events that are going out.

The critical need, as the undersecretary has talked about, is moving forward -- that we want to get ahead, we want to see what the next generation threats are.

And so that close public-private partnership and information sharing and the flexibility and the freedom for the industry to voluntarily share information with the department is absolutely important.

Mr. Johnson. Okay. I am encouraged by that answer because I've long held the belief, and I still do, that this is not -- this is not an issue that has an ending to it.

I mean, this is not a race that we are going to run and cross the finish line. As soon as we figure out how to keep the bad guys from getting into our networks, especially in the digital world where everything is connected, as soon as we figure that out we've got another problem right on the tail end of that.

So I appreciate that there's a forward look and an understanding that that's the case. So what measures can you take to increase visibility of security threats today?

Now, you mentioned some of them. You have created this office. Can you give us some examples of what some of the future look areas are?

Mr. Menezes. I will take the -- you know, the larger view and
I will defer then to Ms. Hoffman on the specifics.

But the creation of the CESER, or the establishment of the CESER program, is just an initial step, and we are taking existing programs and putting it in.

Our vision, though, is much greater, and so we want to work with this committee and other members of Congress -- you know, the White House, our other agencies -- to actually put in place other programs, projects and the resources to anticipate the increasing threat.

And so that's the big picture, and that's why it's important, we think, to set this up and have it under an assistant secretary.

Mr. Johnson. Okay.

Ms. Hoffman. So I would just add three things. It's really active threat investigations, so going after and looking at future threats and tactics and techniques that a bad actor would utilize against the system. So it's really being proactive moving forward.

It's continuing to support the threat analysis programs such as the CRISP program, where we are actively looking at indicators and looking at sharing of information, whether it's an indicator that's discovered by industry or by the federal government, and allowing that to be shared with industry as quickly as possible.

And then it's really getting to the point that we can get to machine-to-machine sharing and we can get proactive, whether it's with our official intelligence, whether it's with other capabilities.

But it's very -- I would say going from the current understanding mode to more of a proactive mode are the areas that we want
to move forward on.

Mr. Johnson. You know, one of the things that -- when I -- when I was on active duty in the Air Force, even as far back as the -- as the mid-'90s, as the world began to be interconnected and we started talking about things like network-centric warfare and the digital age and what that meant to national security, risk management and risk assessment was -- began to be pushed down in the Department of Defense as part of our overall culture. So it's one thing to have our leaders talking about it.

I know I am over my time. Can you give us 30 seconds on what you're doing to make risk assessment and risk management, where cybersecurity is part of the culture in DOE?

Ms. Hoffman. Just really quick -- we have a risk management tool that we've provided and work with industry on. We have a cyber capabilities maturity model, which is also a risk assessment tool.

The industry is looking at the NIST risk assessment capabilities. So that is being filtered down. But it is a continual process that we want to show in advance. And so there are tools and best practices that the legislation has recognized, and it's very important -- a success in industry for advancing those capabilities.

Mr. Johnson. Okay. Well, thank you very much.
Mr. Chairman, thanks for the indulgence, and I yield back.

Mr. Upton. Mr. Long.

Mr. Long. Thank you, Mr. Chairman, and Mr. Menezes, when you opened this morning you mentioned, I believe, that the cyber threat from the bad actors, sometimes it boils down to their artificial intelligence attacking our systems, and our defense is our artificial intelligence trying to prevent their artificial -- can you speak to that for just 30 seconds and kind of -- I mean, that's a --

Mr. Menezes. I will let --

Mr. Long. -- can of very severe worms, I think.

Mr. Menezes. I will let Ms. Hoffman answer that one.

Ms. Hoffman. So when -- so when we talk about cybersecurity, it's really looking at information technology and control system technology.

But a lot of it is layering computer protections against computer attacks and computer protections, and so you keep layering on, you know, different information technology solutions to thwart information-based attacks on the system.

So it becomes an information and a controlled system but a capability of an actor to use that information technology against the industry, and so it becomes a very broad attack surface.

And so what we need to do is think about what is the right information technology placement in industry that provides the capability industry requires but doesn't provide that broader attack surface.

Mr. Long. Kind of reminds me of a friend of mine 40 years ago that had a restaurant, and he said that
he laid awake half the night trying to figure out how to keep his employees from stealing from him. But the problem was that his employees laid awake the other half of the night trying to circumvent his new system.

So, Mr. Menezes, as we live in an increasingly digitized world with the ever-growing threat of cybersecurity attacks, I think it would be important for the Department of Energy to identify the greatest security risk in order to mitigate potential damage. How does the Department of Energy prioritize any security risk and how are you working with private energy asset owners to plan for the possibility of cyberattacks?

Mr. Menezes. Well, our priorities are typically a result of what we are seeing and what we are anticipating. So it's in real time because information that we gathered -- both you and Congressman Johnson mentioned the digitalization of our systems and, indeed, we are producing not only more data but more access points as all of our systems become more digitized.

So when we prioritize those things that we are addressing, it is -- obviously, we have to address those threats that we know as those threats are evolving. I mean, that's the first thing. We have to continue everything we've done in the past because they can always revert to prior technology, so we can't ignore that. We build on -- we build on what we know and then we try to anticipate where we think the next threats are coming from.

So we have to -- we have to make sure that we can respond to what we
know and we have to be able to identify those threats. As I mentioned earlier, we have a lot of hits on our systems. They could appear random. Because of our modelling techniques, it could be that we are -- we are witnessing ways -- new ways that they are trying to figure out ways to gain access to the system.

So we need to make sure that we have that priority in place so we can almost see into the future, if you will, to make our current system resilient to those -- to those threats.

Mr. Long. Okay. And you also talk a lot in your testimony about the Department of Energy working with the Department of Homeland Security, Department of Justice and the FBI on energy sector cybersecurity. As the sector-specific agency for cybersecurity in the energy sector, what is the Department of Energy's role during a potential cyberattack on the energy infrastructure?

Mr. Menezes. I will defer to Pat.

Ms. Hoffman. So in the event of a cyberattack, I mean, first of all, we coordinate very closely with industry in looking at what is the event -- what is happening on the system. We coordinate the primary function through the National Cybersecurity and Communications Integration Center -- the NCCIC at DHS, which is the focal point for cyber coordination in the federal government. So we will work with them. We will work with the FBI as well.

We will look at the capabilities that industry has for dealing with this attack, trying to understand what is the cause -- the root cause of the attack, but then also work with industry on providing mitigation measures and any support that's needed. We would utilize NERC and the ISAC for getting information out to the rest of industry from a prevention and preparedness point of view and that capability is very strong and used is aware across the -- all the sectors of the industry to pay attention.

Mr. Long. Okay. Thank you. I have run out of time so, Mr. Chairman, I yield back.

Mr. Upton. Mr. Walberg.

Mr. Walberg. Thank you, Mr. Chairman, and thank you for highlighting my legislation, H.R. 5174, as part of this hearing, and I appreciate the panel being here, Mr. Menezes and Ms. Hoffman, and your attention to these concerns.

Back when the Department of Energy was organized as a Cabinet agency, back when I was in graduate school in 1977, the largest energy security concern was fuel supply disruptions, not electricity disruptions or cybersecurity as we are talking about now. As you would expect, the department's Organization Act reflected those concerns. Times have changed and we should be thinking differently now about energy security and emergency preparedness. So I am glad we are doing that here today.

Mr. Menezes, the secretary's
efforts to elevate the agency's leadership on emergency and cybersecurity functions are commendable. But I would like to see DOE leadership continue under future administrations. It can't be catch as catch can. We need that continuity. Do you think it would help to codify DOE's assistant secretary functions into DOE Organization Act?

Mr. Menezes. Well, thank you for that question, Congressman, and let me take a minute to express our appreciation for working with the committee and its efforts to review our DOE structure and its authorizing statutes. Your staff and members -- other members have been very -- work in a very collaborative way to try to identify ways to -- as we seek to realign and modernize the department that you seek to modernize the enabling statutes.

So we support the effort. We appreciate the collaboration and exchange of information and we continue to look forward with you as you move legislation through the process.

Mr. Walberg. In H.R. 5174 we specify functions to include emergency planning, coordination, response. Can you talk about your work to elevate these functions in the new office?

Mr. Menezes. Right. Well, and the secretary announced the setting up of CESER. That's going to be -- that is a clear demonstration of his commitment and his organizational vision for the department to highlight it, to increase the visibility, to coordinate efforts and to be a source of additional guidance from Congress, the White House and other agencies. So he's committed to
that and he's showing it in a very real and measurable way. So that's what we are proposing and that's what we are doing. And then we look forward to working with you, the appropriators, others, you know, to ensure that it has the adequate resources it needs to accomplish the goals that we hope it accomplishes.

Mr. Walberg. Ms. Hoffman?

Ms. Hoffman. I would just like to add to what the undersecretary said -- that any sort of event that occurs, the effective response really is built off of information sharing and coordination.

So in the preparedness, when we are conducting exercises, when we are sharing classified threat briefings, when we are coordinating with the intelligence community, it's all critical components of how we support preparedness and so that we are actively coordinating ahead of any event that may occur and that will be -- allow the federal government and industry to be very efficient in making sure that we understand the cause -- the root causes but also the opportunities for mitigations and restoration.

Mr. Walberg. Good. So, clearly, you will work with us to identify any gaps with -- of authority or ambiguities -- maybe I should have left that word out -- in the system so we can make sure it continues to work?

Mr. Menezes. Yes, sir.

Mr. Walberg. Let me ask one more question. Mr. Menezes, do you believe that elevating cybersecurity functions to a Senate-confirmed assistant secretary level will help intergovernmental and interagency communication as well as multidirectional information
sharing with DOE's ability to appropriately and quickly address cyber-related emergencies?

Mr. Menezes. I do. The key point -- the key part about being a Senate-confirmed appointee is the accountability that you have to maintain with the two branches of government. You're in the executive branch and you're confirmed by the Senate and so it forces you to work with Congress and to fully explain yourself to the executive branch.

Secondly, it increases the visibility and the accountability. So as of today, we come up here regularly to testify and so it's a way that we can ensure that we have -- we are doing what we said we were going to do and we are doing what you think that we told you that we were going to do and you can give us instructions as to, you know, how we can better do what we need to do.

Mr. Walberg. Thank you, and you can review the acronyms, too, as you come up. I yield back.

Mr. Upton. Mr. Duncan.

Mr. Duncan. Mr. Chairman, thank you. You saved the best for last, I guess. Maybe.

There's been a lot of talk today about electromagnetic pulse and grid hardening. You know, solar flares, coronal mass ejections, CMEs, resulting geomagnetic storm effects are
real. So EMPs could be manmade and be a natural event and we sort of discount the natural event but just did a little research -- 1989, we had a huge CME event that knocked out power to 6 million people in northeastern Canada and we just missed another one this year in 2017 where a huge solar flare happened and the Earth just was not in its path, thank goodness, and thank God we weren't.

But we are not immune to that happening in the future. So too many times when we talk about EMPs, people look at us like we have on a tinfoil hat -- that we are talking about some rogue state possibly launching a nuclear weapon into the atmosphere above the Earth and creating an EMP and knocking out our power grid. That's a real possibility, too, when rogue states have nuclear weapons.

So whether it's a natural EMP or whether it's manmade, we've got to be prepared for it and one thing that I talk about a lot in this committee is my alma mater, Clemson University, and they partner with Savannah River site -- the Savannah River National Laboratory, rather -- DOE, regional utilities and stakeholders to develop the nation's largest grid emulator, the 20 MVA Duke Energy e-grid, and are working on the next phase, a high-voltage transmission scale user facility that can be used to test large-power transformers and other critical transmission assets to develop protection schemes from cyber and EMP attacks -- both cyber and EMP attacks.

It's a prime example of enhancing grid security through public-private partnerships
which is the title of one of the bills we are reviewing today.

So I encourage DOE to continue looking for these opportunities, especially since the new Office of Cybersecurity, Energy Security and Emergency Response, I guess you're going to pronounce that as CESER. Everything in government has an acronym, right?

Can you further discuss what CESER's plans to harden the grid and protect the EMPs are? Either one.

Ms. Hoffman. So thank you for the question. As you are well aware, the department takes an all-hazard approach. So we are looking at a multitude of threats that face the electric grid and the energy industry.

The national laboratories have important testing capabilities. You mentioned one of them. There are several capabilities that we are utilizing from an EMP perspective. We have partnership with the -- we have partnered with the industry in looking at an EMP strategy.

We have also worked with EPRI as they're looking at their mitigation and testing plan. We are looking at what the department can do to support EMP testing. As you know, it's a very expensive process to do EMP testing.

Mr. Duncan. You mentioned the cost, but were you familiar with what Clemson is doing before today?

Ms. Hoffman. Yes, I am familiar with Clemson, several other activities in the labs.

Mr. Duncan. Have you visited the research facility in Charleston, South Carolina, or has anybody from DOE done that?

Ms. Hoffman. I don't know if visited that facility but I've visited the --

Mr. Duncan. Can I invite you on behalf
of my alma mater to visit the drivetrain and test facility in Charleston, South Carolina?

Ms. Hoffman. Yes, sir.

Mr. Duncan. Both of you?

Mr. Menezes. Yes, sir.

Mr. Duncan. Okay. Let me shift gears real quick. President Trump has talked about a huge infrastructure package and we are talking about within Congress and I guess TNI is working on this package.

When people think about infrastructure they think about roads, bridges, water, sewer, airports, port deepening, et cetera. But grid hardening and our transmission of power supplies, so talking about -- I think Morgan Griffith talked about natural gas pipelines and other things. But are elements within DOE discussing with the White House and members of Congress, specifically probably TNI Committee -- transportation and infrastructure -- plans to include grid hardening and cybersecurity as part of the infrastructure package, or elements within the DOE having those conversations?

Mr. Menezes. Well, thank you for the question and pointing out the importance of the issue and the opportunities to work with everyone who's working on the infrastructure bill and who will be working on the infrastructure bill.

To be sure, you know, a resilient, strong, operating energy system relies on infrastructure and so those component parts should be part of an infrastructure bill to the extent that it's necessary. The secretary, in fact, is testifying today in the Senate -- in the other body, excuse me.

Mr. Duncan. On this subject?

Mr. Menezes. Excuse me -- on the other body -- on the infrastructure -- on the president's infrastructure bill. And so --

Mr. Duncan. So let me just -- because my time is running out --

Mr. Menezes. So energy is a --

Mr. Duncan. -- is this a priority for the White House with regard to an infrastructure package -- grid hardening and cyber security as part of the infrastructure package, and should it be?

Mr. Menezes. I know that energy components are a part. I am not sure if they -- if the phrase hardening would be in --

Mr. Duncan. Let me encourage you to go back to Secretary Perry and go back to your bosses and others in the White House you have conversations with and let's make this a priority in the upcoming infrastructure package. But I can tell you it's going to be a priority of a number of people here in Congress.

Mr. Chairman, I appreciate it. With that, I yield back.

Mr. Walberg. [Presiding.] I thank the gentleman. Seeing that there are no further members wishing to --

Mr. Rush. Mr. Chairman?

Mr. Walberg. Mr. Rush.

Mr. Rush. Mr. Chairman, before we adjourn, I want to ask unanimous consent to allow me to ask the Secretary a couple of questions.

Mr. Walberg. Without objection.

Mr. Rush. Mr. Secretary, I understand that the Secretary will be appearing before the committee in the near future to discuss the Department's fiscal year 2019 budget request.

The Department routinely provides detailed budget justification to Congress. But a number of the detailed buy-ins of the fiscal year 2019 request are not available. Does the Department plan to release Volumes II, III, V and VI prior to the Secretary's appearance before the committee?

Mr. Menezes. We plan to release it when it's complete. Yes, sir.

Mr. Rush. Thank you, Mr. Chairman.

Mr. Walberg. I thank the gentleman. Again, seeing that there are no further members wishing to ask questions, I would like to thank the panel for being with us today and providing us the answers and, probably, further questions that we'll have down the road.

Mr. Menezes. Happy to answer any questions for the record. Thank you.

Mr. Walberg. Thank you, sir. We'll change panels here now and move on with the continuation of the hearing.

[Pause.]

We appreciate the quick changeover here and we want to thank all of our witnesses for being here today and taking the time to testify before our subcommittee. Today's witnesses will have the opportunity to give opening statements followed by a round of questions from members.

Our second witness panel for today's hearing includes Tristan Vance, director -- chief energy officer, Indiana Office of Energy Development -- welcome; Zachary Tudor, associate laboratory director for National and Homeland Security, Idaho National Laboratory -- welcome; Mark Engels, senior enterprise security advisor, Dominion Energy -- welcome to you; Kyle Pitsor, vice president, government relations, National Electrical Manufacturers Association -- welcome you; and Scott Aaronson, vice president, security and preparedness, Edison Electric Institute.

Welcome. We appreciate you all being here today. We'll begin the panel with Mr. Tristan Vance and you are now recognized for five minutes to give an opening statement and I am sure you're well aware of the lighting format. Welcome. We recognize you.

STATEMENTS OF TRISTAN VANCE, DIRECTOR, CHIEF ENERGY OFFICER, INDIANA OFFICE OF ENERGY DEVELOPMENT; ZACHARY TUDOR, ASSOCIATE LABORATORY DIRECTOR FOR NATIONAL AND HOMELAND SECURITY, IDAHO NATIONAL LABORATORY; MARK ENGELS, SENIOR ENTERPRISE SECURITY ADVISOR, DOMINION ENERGY; KYLE PITSOR, VICE PRESIDENT, GOVERNMENT RELATIONS, NATIONAL ELECTRICAL MANUFACTURERS ASSOCIATION; SCOTT AARONSON, VICE PRESIDENT, SECURITY AND PREPAREDNESS, EDISON ELECTRIC INSTITUTE

STATEMENT OF MR. VANCE

Mr. Vance. Thank you. Thank you, Mr. Chairman, Ranking Member Rush and members of the subcommittee. I am Tristan Vance, the director of
the Indiana Office of Energy Development. I also serve as the chief energy officer for the state of Indiana and I am testifying on behalf of the National Association of State Energy Officials -- NASEO.

Our testimony is in support of H.R. 5174, the Energy Emergency Leadership Act; H.R. 5175, Pipeline and LNG Facilities Cybersecurity Preparedness Act; H.R. 5239, the Cyber Sense Act; and H.R. 5240, the Enhancing Grid Security Through Public-Private Partnership Act.

We appreciate the subcommittee's actions on energy emergency preparedness as demonstrated by the passage of H.R. 3050, which reauthorized appropriations for the U.S. State Energy Program -- SEP -- and strengthened its emergency and cybersecurity provisions.

Mr. Chairman, Ranking Member Rush, Full Committee Chairman Walden, Ranking Member Pallone and the original sponsors of the SEP legislation and sponsors of the Dear Colleague letter calling for $70 million for the SEP program, Mr. Tonko and Mr. McKinley, you all deserve special praise for your leadership.

My state energy director colleagues from across the country visited Washington, D.C. in February and strongly encouraged many of your Senate colleagues to act on H.R. 3050.

First, NASEO would like to note the U.S. Department of Energy's exceptional response to last year's hurricanes. The support for energy -- the support for energy emergency response from DOE combined with SEP resources, collaboration among states, tribal and local governments and industry worked to save lives and lessen economic losses.

In particular, the electric and petroleum industries' efforts to restore services were exceptional. Secretary Perry's call for the Cybersecurity, Energy Security and Emergency Response Office, or CESER, would further improve both states' and the nation's ability to respond to and mitigate the risks of energy supply disruption from all hazards.

NASEO's 2017 bipartisan recommendation to the Trump administration called for such action. In my capacity as a NASEO board member, I co-chaired the NASEO transition task force which developed this important recommendation. We believe such action will save lives and protect the economy of communities in every region of the country.

The Energy Emergency Leadership Act will elevate this core DOE function and we strongly support the bill. I also want to stress the importance of CESER having a well-defined state energy security program and robust program management resources.

A strong DOE state energy emergency partnership such as the one that exists today in the DOE Office of Infrastructure Security and Energy Restoration is critical to respond to emergencies effectively.

Joint state-federal coordination and data sharing is the heart of emergency response. In Indiana, for example, the propane crisis in 2014 needed a rapid response and government's ability to connect stakeholders from three sources in order to keep Hoosiers safe and protect our local economy from potentially devastating poultry industry losses.

While our nation has not faced a cybersecurity event with significant energy supply impacts, we should adopt the lessons learned from recent natural disasters for our cyber preparedness. We share the subcommittee's concerns and the threat cybersecurity presents to the energy system -- electricity, natural gas and petroleum.

A cyberattack to the energy system during a natural disaster is a horrific scenario. However, we must address such possibilities. For example, the DOE-NASEO-NARUC Liberty Eclipse emergency exercise in 2016 focused on a combined cyber and natural disaster event.

These low-cost regional exercises are essential. We also strongly support H.R. 5239 and H.R. 5240 and believe states can leverage these activities. They build upon the work of utilities, DOE and the states.

For example, in Indiana we created the Indiana Executive Council on Cybersecurity to lead a public-private partnership and have created a state-led exercise series focused on SCADA systems for electric and water utilities.

Equally important is mitigating energy system risks. For example, states using public-private partnerships such as the energy -- such as energy savings performance
contracting to upgrade energy systems at mission critical facilities and we are working with DOE's Clean Cities program to add natural gas, propane and electric vehicles in first responder fleets to enhance resiliency.

NASEO believes the four bills discussed today are a significant step forward on an urgent nonpartisan national security issue. We greatly appreciate the subcommittee's continued leadership on these issues. Thank you.

[The prepared statement of Mr. Vance follows:]

[INSERT]

Mr. Walberg. Thank you. I recognize Mr. Tudor for your five minutes of testimony.

STATEMENT OF MR. TUDOR

Mr. Tudor. Thank you, Chairman Upton, Ranking Member Rush, Mr. Walberg and distinguished members of the committee, for holding this hearing and inviting Idaho National Laboratory's testimony on the energy sector's cybersecurity and emergency response. I request that my written testimony be made part of the record.

In my role at Idaho National Laboratory, also known as INL, I lead an organization that conducts research for the cyber and physical protection of critical infrastructure with an emphasis on the energy sector.

INL has capabilities that will
support the Department of Energy's Office of Cybersecurity, Energy Security and Emergency Response, or CESER, in achieving the new leadership role for critical infrastructure protection consistent with the authorities directed in the FAST Act for assuring the energy sector's capabilities and coordination for cyber and physical protection of emergency response.

Persistent, capable, well-resourced and highly motivated cyber adversaries are a threat to our nation's energy sector. These adversaries continue to develop the skills, capabilities and opportunities for potential compromise of the nation's energy infrastructure.

The potential consequences of a sophisticated cyberattack create an imperative that federal agencies, labs and industries collaborate to build capabilities and develop innovations that reduce the unacceptable risks associated with a cyberattack.

DOE, INL and our other national laboratory partners are providing leadership and resources to assure that the nation has detective capabilities to reduce these risks.

These capabilities include a broad array of science and engineering programs, extensive teams of multidisciplinary national laboratory researchers, unique user facilities and test beds for experimentation at scale and a breadth of collaborative relationships with industry, universities and federal agencies.

With regard to reducing cyber risks, INL's Cybercore Integration Center, known as Cybercore, performs research, development, testing and evaluation of technologies and
information products to prevent, detect, and respond to cyber vulnerabilities and intrusions.

When shared through public-private partnerships, these solutions create barriers to attack, mitigate the consequences of an attack, and enable rapid restoration of energy sector operations.

Specific examples of technology advancement that are reducing risks include: with DOE and other agencies, INL supported the recovery and information sharing in response to the cyberattack on Ukraine's electric grid. After our post-event analysis, INL developed and is conducting unique cyber strike workshops for U.S. asset owners and operators to learn how to protect against similar attacks.

INL developed and completed a pilot study of our consequence-driven cyber-informed engineering methodology, or CCE, with Florida Power and Light.

CCE leverages an organization's knowledge and experiences to engineer out the potential and highest -- for the highest consequence cyber events. Briefings of the study's results were shared with the Section 9 electric utility partners, congressional staffers, and government leaders. A second pilot is currently underway.

INL also is advising the National Security Council on implementing the methodology with a larger set of participants.

INL is one of several national laboratories providing technical information and strategic planning guidance to assist CESER develop -- leadership to develop infrastructures, capabilities, and processes for reducing cyber and physical risk.

This includes providing principles to establish a research portfolio that delivers impactful solutions and response to cyber and all hazard threats, standards for security-informed design to engineer in cyber physical protections for future grid infrastructure and next generation energy systems, guidance on best practices for coordinating incident response with DHS and other federal and private organizations.

Some examples of INL's current partnerships that are reducing cyber risks are research collaboration with the electric industry partners at the California Energy Systems for the 21st Century Program and Lawrence Livermore National Laboratory is leading to new capabilities for machine-to-machine automated threat response.

DOE's pilot program, cybersecurity for the operational technology environment, is providing a forum for situational awareness for cyber risks among industry partners and stakeholders.

Examples I described demonstrate that DOE and INL are making significant progress in reducing the risks to our energy sector. However, with the increasing capabilities of our adversaries and the increasing complexity of our energy system technologies, we will not completely eliminate all risks.

Hence, INL will continue to prioritize initiatives that emphasize the advancement of protection and response capabilities that reduces risks. We do this with the understanding that the U.S. will continue to identify new requirements for technology and innovation, expect solutions through expansive organizational leadership, coordination, and integration, and prioritize funding and focus for research.

I look forward to your questions. Thank you.

The prepared statement of Mr. Tudor follows:

INSERT

Mr. Walberg. Thank you.

Mr. Engels, you're recognized.

STATEMENT OF MR. ENGELS

Mr. Engels. Mr. Chairman, Ranking Member Rush, and members of the subcommittee, thank you for the opportunity to testify.

My name is Mark Engels and I am a senior enterprise security advisor at Dominion Energy. Dominion Energy is one of the largest producers and transporters of energy, with a portfolio of approximately 26,200 megawatts of electricity generation, 6,600 miles of electric and transmission and distribution lines, 15,000 miles of natural gas pipeline, and the Cove Point liquefied natural gas facility in Maryland.

We
operate one of the largest natural gas storage systems in the U.S., with one trillion cubic feet of capacity, and serve more than 6 million utility and retail customers.

I've been with Dominion Energy almost 40 years and with a focus on cybersecurity for 19 of those years. As a representative from Dominion Energy, I appreciate the opportunity to provide comments and input to this committee and applaud the committee's focus to advance public-private partnership between the Department of Energy and the oil and natural gas sector.

For Homeland Security Presidential Directive 7, both the Department of Energy, the Department of Homeland Security, in coordination with the Department of Transportation, function as the sector-specific agencies for natural gas pipelines and LNG.

The fact that pipelines have two SSAs comprised of three different federal agencies cannot be understated, especially when it comes to interagency coordination in advance of, during, and post-incident operations.

The key to this coordination is maintaining a productive relationships between the energy government coordination councils' two co-chairs -- DOE and DHS -- and the oil and natural gas sector coordinating council.

The ONG SEC is comprised of owners and operators from 20-plus industry trade associations representing all aspects of the oil and natural gas sector.

I encourage DOE and TSA, who has regulatory authority for pipeline security, to develop a memo of understanding that outlines roles and responsibilities for
dealing with cyber and physical security of natural gas pipelines and LNG.

TSA already has an MOU with the Department of Transportation's Pipeline and Hazardous Materials Safety Administration, or PHMSA, which has responsibility for pipeline safety.

The recent announcement of DOE's new Office of Cybersecurity, Energy Security, and Emergency Response should continue to improve the coordination for pipeline cyber and physical security.

The language in H.R. 5175 Section 22 could introduce complexity and confusion when it comes to DOE's involvements with states. Individual pipeline companies, Dominion Energy included, already have longstanding relationships with state emergency response organizations, public utility commissions, and law enforcement for all hazard events.

H.R. 5175 directs DOE to focus on advanced cybersecurity applications, pilot demonstrations, develop workforce curricula, and provide mechanisms to help the energy sector evaluate, prioritize, and improve physical and cybersecurity capabilities.

Dominion Energy has worked with DOE and several national labs on a number of efforts that align with the proposed legislation.

They include being a peer reviewer for the Department of Energy's Cybersecurity for Energy Delivery Systems Program, participation into workforce and training efforts, Cyber Strike -- a hands-on workshop communicating lessons learned associated with the Ukraine grid attacks -- and Attack, an approach developed by INL to aggregate and evaluate cyber risk-related information.

Dominion Energy is a member of both the downstream natural gas and electricity information sharing and analysis centers, both who have benefited -- both of which have benefited from intelligence provided by DOE's Cybersecurity Risk Information Sharing Program, or CRISP.

Dominion's -- Dominion Energy and other national -- and other natural gas pipeline companies have worked very closely with TSA and DOE on cyber and physical security to build a partnership based on trust and respect.

The proposed legislation should make sure that roles and responsibilities are clearly defined and understandable by pipeline operators, who ultimately have to face the growing threat every day.

Thank you again for the opportunity to provide comments, and I will be glad to answer any of your questions.

The prepared statement of Mr. Engels follows:

INSERT

Mr. Walberg. Thank you.

Mr. Pitsor.

STATEMENT OF MR. PITSOR

Mr. Pitsor. Good afternoon, Mr. Chairman, Ranking Member Rush, members of the subcommittee. Thank you for the opportunity to testify on such an important topic today, the physical and cybersecurity of our nation's electric system.

My name is Kyle Pitsor, vice president of government relations for National Electrical Manufacturers Association, representing about 350 manufacturers of electrical equipment and medical imaging technologies.

NEMA and our member manufacturers have made cybersecurity a top priority. As the manufacturers of essential grid equipment, NEMA companies are a key line of defence against both physical and cyberattacks in the electricity transmission and distribution system.

We understand that a secure product supply chain is inherent to a secure grid and cybersecurity aspects should be built into, not bolted onto, manufacturers' products whenever possible.

Manufacturers also understand that managing cybersecurity supply chain risk requires a collaborative effort and open lines of communication among electrical utility companies, federal and
state and local governments, and suppliers of the full spectrum of grid systems and components, both hardware and software.

I would like to mention briefly some of the industry wide efforts NEMA and its members have pursued to establish best practices for supply chain and manufacturer cybersecurity hygiene, and then make a few comments on the Cyber Sense Act and the Enhancing Grid Security Through Public-Private Partnership Act.

In 2005 the electrical industry took a step towards improving supply chains' security of manufacturers' products by publishing a technical best practices document that laid out the steps for securing supply chains.

NEMA published a white paper on cybersecurity supply chain best practices for manufacturers that addresses supply chain integrity through four phases of a product's life cycle -- the manufacturing, delivery, operation, and end of life of a product.

This month, in March, NEMA members have approved a new technical document detailing industry best practice cyber hygiene principles for electrical manufacturers to implement in their manufacturing and engineering processes.

The document raises a manufacturer's level of cybersecurity sophistication by following seven fundamental principles that are outlined in my statement.

With the above-mentioned two industry developed and cybersecurity best practices documents in mind, I will make a few comments about two of the bills under consideration today.

First of all, with respect to the Cyber Sense Act, NEMA
member manufacturers support voluntary cyber evaluation of products used in the transmission, distribution, storage, and end use of electricity.

However, the specific requirements of any such program need to be carefully designed in close collaboration with manufacturers and other stakeholder groups and developed via an open and transparent process.

We recommend that any cybersecurity evaluation program abide by a set of principles that we've outlined in our written statement.

With respect to the Enhancing Grid Security Through Public-Private Partnership Act, NEMA supports the concepts included in the draft legislation.

With respect to Section 2, NEMA agrees that voluntary technical assistance efforts should be available to provide electric utilities with information and resources to effectively prepare for and combat both physical and cybersecurity threats.

We also agree that this technical assistance should be provided in close collaboration with state governments and public utility regulatory commissions as well as with equipment manufacturers.

Including manufacturers in the training and technical assistance efforts will ensure that products are installed and maintained as intended to limit the risk of cyberattack resulting from the proper -- possible misuse of a product.

NEMA also supports the recommendations included in Sections 3 and 4 of the legislation. One additional outage index that we recommend be included in Section 4(b) of the draft legislation is the Momentary Average Interruption Frequency Index.

Momentary outages cost U.S. electricity consumers over $60 billion in 2014 and account for more than half of all power outages. Inclusion of this index, we believe, will improve the interrupter cost estimate information produced by the Department of Energy.

In conclusion, NEMA and member company manufacturers recognize that cybersecurity risks are constantly evolving and changing and requires a shared responsibility by all stakeholders.

NEMA looks forward to working with you as a resource to this committee as you continue your work to address cybersecurity concerns in the energy sector.

Thank you, and I look forward to any questions.

The prepared statement of Mr. Pitsor follows:

INSERT

Mr. Walberg. Thank you.

I now recognize Mr. Aaronson.

STATEMENT OF MR. AARONSON

Mr.
Aaronson. Thank you, Mr. Chairman, Ranking Member Rush, and members of the subcommittee. I appreciate the opportunity to testify here today.

For EEI's member companies, which includes all of the nation's investor-owned electric companies, securing the energy grid is a top priority. I appreciate your invitation to discuss this important topic on their behalf.

The electric power industry, which includes investor-owned electric companies, public power utilities, and electric cooperatives, supports more than 7 million American jobs and contributes $880 billion annually to U.S. gross domestic product -- about 5 percent of the total.

That 5 percent is truly the first 5 percent, responsible for generating and delivering the energy that powers our economy and our way of life.

Our members own and operate some of the nation's most critical infrastructure and they take that responsibility seriously. EEI's member companies prepare for all hazards -- physical and cyber events, naturally occurring or manmade threats, and severe weather of every kind.

To address multiple threats, our companies take what's known as a defense in-depth approach with several layers of security. I would like to highlight three main areas of focus -- standards, partnerships, and response and recovery.

First, standards -- through a process created by Congress, the electric power sector is subject to mandatory, enforceable critical infrastructure protection, or CIP, regulatory standards for cyber and physical security.

Through these standards
the bulk power system enjoys a baseline level of security. Standards are important, but with intelligent adversaries operating in a dynamic threat environment, regulations alone are insufficient and must be supplemented.

That brings me to the second area of focus, which is partnerships, which you have heard a lot about today. You heard it from DOE and you will hear it from this entire panel -- security is a shared responsibility.

None of us can do this alone. To be successful in this environment, industry and government must partner, and as you heard earlier, we are.

I am here this morning in my role as EEI's vice president for security and preparedness, but I am also privileged to be a member of the secretariat for the Electricity Subsector Coordinating Council.

The ESCC is comprised of CEOs of 22 electric companies and nine major industry trade associations representing the full scope of electric generation, transmission, and distribution in the United States and Canada.

Through partnerships like the ESCC, government and industry leverage one another's strengths. This partnership manifests itself in many ways, including deployment of government technologies like CRISP, which you have heard about, multidirectional information sharing, drills and exercises, and facilitating cross-sector coordination.

What makes the ESCC effective is CEO leadership across all segments of the industry. This structure provides resources, sets priorities, drives accountability.

Furthermore, CEOs serve as a draw to
other senior counterparts in industry sectors and in government. The unity of effort driven by industry working with government has produced significant tangible results.

Finally, the third area of focus is response and recovery. The electric power sector is proud of its record on reliability, but outages do occur.

The past year has made one thing abundantly clear -- we can't protect everything from everything all of the time, and investments help companies restore power and be prepared.

Our industry invests more than $120 billion each year to make the energy grid stronger, smarter, cleaner, more dynamic, and more secure.

In addition, the industry's culture of mutual assistance unleashes a world-class workforce amidst the toughest conditions to restore power safely and effectively.

Today we have supplemented that traditional response in recovery with a 21st century edition -- cyber mutual assistance. So far, more than 140 entities are participating in the program, covering more than 80 percent of U.S. electricity customers.

That brings me to the bills before the subcommittee today. We appreciate both Congress and the Trump administration's support of the electric power sector.

Just as EEI's member companies evolve to meet new threats, our government partners continuously improve their posture through these new initiatives.

For example, we applaud DOE Secretary Perry and his team for establishing DOE's new Office of Cybersecurity, Energy Security, and Emergency Response, or CESER.

Legislation passed by this committee codified DOE's role as the sector-specific agency -- thank you -- and we believe the elevation of CESER will deepen the relationship between our industry and DOE on issues of cybersecurity and energy grid response initiatives.

In his testimony, Secretary Menezes mentioned DOE's establishment of the supply chain testing facility. We are interested in the details of that program. The subcommittee is also aware that through the NERC FERC process a mandatory supply chain standard will be implemented soon.

The committee should consider those efforts when adopting legislation related to supply chains.

Finally, I would like to mention a report included in the Enhancing Grid Security Through Public-Private Partnerships Act looking at distribution cyber and physical security.

EEI supports this report because it could address several emerging questions that many in the industry also are asking.

What considerations should be made to protect a distribution system that is outside of mandatory NERC CIP standards?

How can we secure newer technology that is largely consumer grade but may increase the energy grid's attack surface?
A collaborative, risk-based approach to security at the distribution level is essential. This report should drive that approach and consider the many different entities in the distribution grid, electric companies and others.

Again, I appreciate you holding this hearing. I look forward to answering any of your questions.

The prepared statement of Mr. Aaronson follows:

INSERT

Mr. Walberg. Thank you. Thanks to the panel for your very efficient use of the five minutes time. Maybe it would be an example to myself and my colleagues.

Now privileged to represent the neighbor to the south who guards my border, Mr. Latta.

Mr. Latta. Well, thank you very much, Mr. Chairman, and I appreciate our panel for being here. And again, this is a really important hearing that we are having today because it affects us all.

Mr. Pitsor, if I could start with my questions with you, if I may, please. In your testimony you state that you support a voluntary cybersecurity evaluation of products used in bulk power systems such as the program described in H.R. 5239, Cyber Sense.

One point you raise is that once products are sold, manufacturers often don't know where or how these components are used, installed, or operated.

You suggest that asset owners should maintain a system of tracking products. Would you explain in detail why it is important to track these products?

Mr. Pitsor. As we look -- as we look at evaluation of cybersecurity threats of different components and how they're assembled in the manufacturers once they have sold a product, they're assembled in the field. They're not necessarily aware of who purchased them and how they were assembled.

And so the tracking concept here is to have a database and that could be shared so would be more familiar with where products have been placed, how they've been assembled, how they've been installed, how they've been commissioned.

So that if patching is necessary due to a cyber-related event or testing for that product, we would then be able to contact the asset user as to what patches should be installed and how they should be installed.

Mr. Latta. Let me follow up when you're talking about the -- especially with the -- with the database, because in Section 2(b)(2) of the Cyber Sense bill establishes a cybersecurity vulnerability reporting process and related database for products tested and identified as cybersecure under this program.

Would this help address the need for a system for tracking those products by having that, as you just mentioned?

Mr. Pitsor. I think a database would be very helpful in terms of addressing that need, yes.

Mr. Latta. Thank you.

Mr. Aaronson, if I could ask you, and I think you mentioned
about -- in your testimony about when you were out with co-ops, and I know I just was at two of my co-ops. I represent the largest number of co-ops in the district -- in the state of Ohio.

But if I could ask this question -- as the new technologies are becoming increasingly interconnected within our electric grid, new vulnerabilities are emerging across the system, including at the distribution level.

Currently, the physical or cybersecurity of the bulk power system, or the interstate, is addressed through the Critical Infrastructure Protection Standards issued by NERC.

But the distribution system, intrastate, is outside the jurisdiction of the mandatory NERC standards, and the question is, are there implications for this perceived gap in oversight and protection of the cybersecurity of the distribution portion of the nation's electrical grid?

Mr. Aaronson. So a couple of things to respond to there. As I mentioned in my testimony, we operate one big machine, right, with thousands of owners and operators, from really large investor-owned electric companies that EEI represents to co-ops and municipal systems of varying sizes. And so, as you know, the ESCC incorporates all of those and we work very closely.

I know both APPA and NRECA provided written testimony or written statement for the record. So I would refer to that.

With respect to gaps, and I call them perceived gaps, just because distribution level components are not subject to the federal CIP standards does not mean that there is not security
happening at that level.

That said, we do think that anything we can do with respect to components that make up that part of the grid -- the intrastate -- the distribution level is going to be an important approach to continue to advance security for all of us.

The other thing I would say about distribution security is we need to prioritize. You know, in security we defend -- you protect diamonds like diamonds and pencils like pencils, and to be sure there are diamonds at the distribution level that we need to be aware of. There are components that are crown jewels at the distribution level that we need to be securing.

And so approaches like Cyber Sense may allow us to do that, and some of the things that Secretary Menezes and Assistant Secretary Hoffman were discussing with respect to really looking closely at those components and drilling down on the most critical, because if you have a hundred priorities you have no priorities -- but really finding those most critical components and beating the heck out of them so that we can understand if there are any vulnerabilities in them, again, will make us all more secure.

Mr. Latta. Well, thank you very much, Mr. Chairman. My time is about to expire and I yield back.

Mr. Walberg. I thank the gentleman.

Now I am privileged to recognize the ranking member, the gentleman from Illinois -- in fact, the district I was privileged to be born in -- I quickly add, long before you represented the district, Mr. Rush.

[Laughter.]

Mr. Rush. Mr. Chairman, it's
still the best district in the nation.

Mr. Vance, in your written testimony you noted that DOE held a cybersecurity contest which brought together students competing to address the challenges of protecting infrastructure and firms that might employ the same students after they graduate.

Do you think that on both the public and private sector that we are doing enough to ensure that we have a skilled workforce capable of meeting the challenges we will inevitably face in regards to cybersecurity?

And I will invite any of the members of the panel to weigh in on some of these issues.

Mr. Vance. I think what we've been doing in Indiana is specifically trying to bring together the public and private sides together to analyse what some of the weaknesses are, what we are good at, what we are not good at, and as Mr. Aaronson from EEI spoke about just a second ago, I think we need to prioritize and figure out where those diamonds are and where those pencils are.

It's one thing for me and my colleagues in the private -- I am sorry, the public sector to sit in a room and try to figure out what we need to focus on. We are going to miss a lot of things.

What we need to do is sit down with the private sector and work through a collaborative process to identify where our weaknesses are and how to strengthen those.

So the bills being discussed today, I think, are four steps in the right direction to help strengthen those partnerships.

Mr. Rush. Anybody else want to chime in?

Mr. Tudor. Mr. Rush, thank you for the question.

I agree that public-private partnerships are key to moving these forward, and these four pieces of legislation are definitely, you know, great steps towards that.

At the Idaho National Lab, you know, we know that the partnerships are the strongest part of our operation, whether it's with vendors, asset owners, you know, with other government agencies, and that's the way that we will be able to develop the structures to keep our cyber resilience in our energy systems.

Mr. Rush. And does anyone have any suggestions on how the Congress could help you to ensure that we have enough skilled workforce other than what's information in these four bills?

Mr. Vance. I will add real quick, just to give a little bit more perspective on what we are doing in Indiana. Our approach with our cybersecurity council has been to bring together all the potential industries involved in cybersecurity.

So right now I've got about 250 or so members of that council spanning about 20 different industries, with industry subgroups that then things can bubble up through those subgroups into the full committee that -- to address in a cross-sector manner.

So I
will give you an example. One of the committees is focused on personal identifiable information because that's something that's not unique to any one specific industry and it really needs to be a topic in and of itself.

But it can't just be its own council or committee. It has to be part of a bigger picture because it ties back to energy, water, finance -- all these other things.

So what we've been trying to do in Indiana is to build a large council that integrates all these different aspects so it can be addressed in a very -- in a cross-sector manner across different industries.

Mr. Aaronson. Mr. Rush, I would add, you know, I know you're very committed to workforce development, in particular with respect to cyber, and I think one of the things that you're hearing both from the previous panel and all of us is this is a shared responsibility.

It's a whole of community issue. I referenced in my verbal testimony the cyber mutual assistance program. To us that is a force multiplier. That is, when a company is in -- is being attacked, their counterparts come from around the country and around the nation and around North America, frankly, to support them.

And so I think that's great for the electricity sector and we are very proud of that. But to be able to work with the National Guard, to be able to work with other sectors, to be able to prioritize restoration when cyber incidents maybe are impacting more than one sector.

We need to look at this, again, far more holistically.

And then from a workforce
perspective, you know, we are very proud of the development that we do within our sector through things like the CEWD. It's the Energy Workforce Development -- Committee for Energy and Workforce Development is a great example of how we can find those gaps that we have in our workforce and work through education, work through public-private partnerships to improve our staffing in our most critical needs.

Mr. Rush. Thank you, Mr. Chairman. I yield back.

Mr. Walberg. I thank the gentleman.

I now recognize the gentleman from Virginia, Mr. Griffith.

Mr. Griffith. Thank you very much, Mr. Chairman.

Mr. Tudor, I am going to come to you first, but I am going to take what's more or less a point of personal privilege and just say that I saw you sitting throughout that first panel and all those questions on that second row there with a couple of young people who are very well behaved. Are they connected with you?

Mr. Tudor. Yes, sir. That's my son Miles and my niece Sydney. They're getting a civics lesson today.

Mr. Griffith. Well, not the most riveting of hearings, but one that's very important, and they have done a great job, and I thought they were -- you could tell they were doing some stuff back there, and I thought they were like my kids playing on an electronic device.

But apparently they have a numbers game that they're working on that's all done with their hands, and they've been very quiet and very well behaved. So you're -- you and your family are to be commended for having such well-behaved children.

That being said, let's get down to business. You made reference to the consequence-driven cyber-informed engineering -- CCE methodology.

You say this is more about getting ahead of the problems of vulnerabilities and threats rather than chasing them. Can you describe what role this approach may have in strengthening cybersecurity and critical infrastructure?

Mr. Tudor. Yes. Thank you for that question, sir.

So consequence-driven cyber-informed engineering, or CCE, kind of identifies the problem -- that we are constantly seeing new vulnerabilities, new threats every day. So an organization does a risk assessment on a Monday and by Wednesday, when new vulnerabilities are discovered, many of the activities described in that risk assessment may be moot.

But if we go back and look at the key consequences of any organization, and we take an electric utility at this, you know, if keeping the lights on is their mission but maybe there's several key components that if they were lost may prevent that mission from being carried out.

You know, looking at the engineering methods of those consequences, looking at the way an adversary might go about attacking those infrastructures using a threat-based methodology, and at INL we do a lot of work considering the threat first and we use that mind set when we look at our different mitigations, and then developing mitigations with the asset owner, who is a key component of this.

So if we can engineer out those severe consequences irregardless of the threat or the current risk or a current -- or a new vulnerability, then we believe that that has a chance of maintaining that resiliency over a longer period rather than just addressing new vulnerabilities as they show up.

Mr. Griffith. I appreciate that, and there's a pilot program but it's had very limited deployment. Are you confident this methodology is an effective approach, and if so, what are you trying to examine before deciding whether this program should be expanded?

Mr. Tudor. Yes, thank you again.

We have conducted one pilot. We are on a second, and I think that as we've been briefing this across Congress, the National Security Council, and others, we've been very encouraged that people do believe that this type of methodology will be able to go forward.

So we are working with the DOE and others to develop some ways to do CCES scale. In our next few pilot engagements we'll be bringing more partners along to provide training for them, and they can go out and provide training for others. So we hope to be able to scale out this methodology in the next several years.

Mr. Griffith. I appreciate that.

Mr. Engels, you have got a pipeline -- a new pipeline coming near
my district, although not through my district, and I asked before about some, for lack of a better term, smart pipe technology.

I know you're not expecting that question today, and so if you could just get me an answer later as to what you all might be doing in regards to letting us know if there's some kind of a break in the line quicker using some smart technology.

Mr. Engels. I will be glad to follow up with you on that.

Mr. Griffith. And likewise, I have a friend who's got a farm where there's going to be a pump station, and whatever you all could do to reassure folks that they're being placed in the safest location, and likewise if there's any smart technology in there, I would appreciate having that information.

Mr. Engels. I understand. We'll make sure we follow up.

Mr. Griffith. Thank you. All right.

Mr. Aaronson, you mentioned in your written testimony that approximately 75 percent of U.S. customers are served by a company that participates in cybersecurity risk information sharing program.

Do you have any insight what's going on with the other 25 percent?

Mr. Aaronson. So CRISP is a wonderful technology, and the beauty of it is it was something that was actually developed by National Labs. It was piloted for a few years by a small subset of companies -- did some proof of concept, and that was then -- we'll call it commercialized, although maybe that's not a fair characterization, because it is still a public-private partnership with the Department of Energy, the North American
Electrical Reliability Corporation through their information-sharing analysis center -- I am trying to not use acronyms -- and then the companies that deploy it.

What we are looking to do and what the ISAC is planning to do now is to expand the program. So started with five pilots. It has expanded to more than that, to the 75 percent of customers being represented by a company that has deployed CRISP.

The other thing you should note is that information, while it is gleaned from the companies that have deployed the sensors that make up CRISP, the information that is gleaned is actually socialized to the entire electric utility sector.

So while there are sensors on 75 percent of companies, we are going to get a much broader cross-section in the coming years.

Mr. Griffith. I appreciate that. Thank you for the answer. I thank all of you for being here today, and I yield back.

Mr. Walberg. I thank the gentleman, and I recognize the gentleman from California, Mr. McNerney.

Mr. McNerney. I want to thank the chairman and I thank the witnesses. Good testimony and informative.

Mr. Aaronson, in your testimony you pointed out that the EEI members do work to prepare for hazards and cyber or natural events.

What are your members doing to prepare for climate change events? Is that -- is that -- is there a standard or is there some sort of work that needs to be done that's being done?

Mr. Aaronson. So again, I think we look at this as all hazards, and whether it is an act of war or an act of God, whether it is a natural disaster, whether it's an earthquake, whether it's the wildfires that I know that your district has been impacted by, we are looking at ways we can be more resilient, and a lot of what we do kind of crosses, again, acts of war and acts of God and is more about consequence management.

Why the lights were, you know, turned off -- why there was a power outage becomes a little less relevant, and how quickly can we get them restored.

And so a lot of our focus is on that response and recovery and resilience component of preparation for all manner of hazards.

Mr. McNerney. Okay. Thank you.

Mr. Pitsor, I appreciate your comments on the enhancing grid security through public-private partnerships. You mentioned that you wanted to see a Momentary Average Interruption Frequency Index included in the ICE calculation.

How would that improve the calculation? How would that improve the results?

Mr. Pitsor. Well, the MAIFI index represents some nearly 50 percent of all the momentary outages that occur in the U.S., and these are momentary outages that are usually five minutes or less.

We think that the overall interrupter calculation, if it's missing those 50
percent of the outages, it's not capturing fully the economic costs that are associated by these smaller momentary outages.

For instance, electric motors trip off, computers don't have backup power, trip off. There are costs associated with that that could be -- should be captured in the overall estimator.

Mr. McNerney. Okay. You mentioned the Cyber Sense Act. How would your members respond to nonvoluntary requirements for -- including cybersecurity in their products?

Mr. Pitsor. We are very supportive of the evaluation testing of electrical equipment. I think the key is going to be what type of equipment we are speaking of -- the scope of the testing, what protocols we are testing against, who's paying for that testing, and the follow-on work that will be done to address vulnerabilities that are found in terms of patching, recommissioning, the continuous process that goes on in addressing cyber --

Mr. McNerney. I mean, it seems that your members would want to have a set of standards they could -- they could link their products.

Mr. Pitsor. Exactly. Working on supply side standards that I mentioned, a new cyber security index standard, and then looking at how we test different products and different configurations against different vulnerabilities. We segment those products because some products, as has been recognized, are behind layers of security. So the testing of those maybe are less than those that have outward-facing connection to the internet. There's different levels of testing that would be required for those products.

Mr. McNerney. Do you have concerns about cuts that are being proposed in the fiscal 2019 budget's impact on cybersecurity or security in general? I guess Mr. Aaronson would be the right person to ask that question of.

Mr. Aaronson. So we appreciate what the Department of Energy has done with respect to CESER and elevating some of these issues. We've worked really closely in particular with the Office of Electricity and their Infrastructure Security Energy Restoration Office, which will ultimately matriculate over the CESER.

This last historic hurricane season and the nor'easters the last several weeks and with that response from Puerto Rico -- so between that, our partnerships with the labs, and our partnerships with the sector coordinating council, we have really appreciated the ability to work closely with this administration and the previous administration. This has been a priority for Department of Energy for several years now.

Mr. McNerney. So you don't see any sort of a drawback with the cuts that are being proposed?

Mr. Aaronson. You know, at this point I think the priorities that we care about most have not been impacted in our day-to-day interactions with the department.

Mr. McNerney. Thank you. I yield back.

Mr. Walberg. I thank the gentleman.

Now I recognize the good doctor and gentleman from Indiana, Mr. Bucshon.

Mr. Bucshon. Thank you, Mr. Chairman.

Mr. Vance, good to have you here from Indiana.

Mr. Vance. Thank you.

Mr. Bucshon. You're welcome. As you know -- this is a question for you -- as you know, electric cooperatives serve more than 1.3 million customers in the state of Indiana, primarily those in rural parts of the state, which is southwest Indiana, the Wabash Valley that I represent.

An additional 300,000 individuals are served by municipal electric utilities. Both cooperative and municipal utilities are generally much smaller than their investor-owned counterparts.

What are some of the specific challenges that you see these smaller utilities face in terms of defending their assets against cybersecurity threats?

Mr. Vance. I think the challenge is that a co-op or a municipal utility face are very similar to what an investor-owned utility face because they have the same issues in that every time that you move toward a networked piece of equipment you're exposing yourself to potential cybersecurity attacks.

So in Indiana we've been very aware of including our co-ops and our municipal utilities in our conversations on energy security and cybersecurity. They sit on our cybersecurity council established by the governor.

I think one of the important things we are trying to do in Indiana as we
continue exercises is to build those relationships so that we know we have those personal connections, and when an energy emergency hits we cannot spend hours searching through a binder of 300 pages trying to figure out what to do.

I think to some extent the movie Ghostbusters summed it up well when it said, "Who are you going to call?" You have to know who you're going to call in those situations. We can't spend hours trying to figure it out.

So we've been including our munis and co-ops in our conversations.

Mr. Bucshon. Are there financial challenges to making sure that your networks and everything are secure that the state helps with or anything?

Mr. Vance. There's always finding constraints when it comes to infrastructure. But to the best of my knowledge I have not -- I am not aware of any specific constraints with munis and co-ops. But we can get back to you on an answer to that.

Mr. Bucshon. Okay. One of the bills we are discussing, and somebody mentioned this a little while ago, Enhancing Grid Security Through Public-Private Partnership Act, specifically requires the secretary of energy to take different sizes of and regions served by electric utilities into account when administering cybersecurity programs.

Based on your experience in Indiana, what might this look like?

Mr. Vance. I think that would be something that we'd be very interested to work with DOE on. What that would look like I am not entirely sure off the top of my head.

Mr. Bucshon. Anybody have any comments on any of this stuff? No?

Good. I yield back, Mr. Chairman.

Mr. Walberg. I thank the gentleman.

Seeing no one else on the panel, I recognize myself for five minutes. Thanks to the panel for being here.

Mr. Aaronson and Mr. Vance, I asked some questions to our DOE panel earlier and I would appreciate hearing your answers to them as well.

I appreciate the secretary's efforts to elevate the agency's leadership on emergency and cybersecurity functions, and I believe they are commendable.

But I would like to see DOE leadership continue under future administrations, as I mentioned. Do you think it would be -- would help to codify DOE's assistant secretary functions in the DOE organization chart?

Either one -- Mr. Vance or Mr. Aaronson.

Mr. Vance. From our perspective, I would have to discuss with my other members of NASEO before I could make a statement one way or the other.

But I would defer to DOE on that.

Mr. Walberg. Okay. Mr. Aaronson?

Mr. Aaronson. I would just simply say I see no problem with that. I think it could be useful, and to Mr. McNerney's question also, I think anything that provides accountability, that elevates something not just within the organization but then visibility as a Senate-confirmed position and across the various verticals within the department that acknowledges these intersector relationships between electric, gas, and other generating capabilities, and then I think anything that can get more resources.

I don't want to be dismissive of your question, Mr. McNerney. I think anything that
-- you know, more resources so we can do some of these partnerships more, better, faster, and focus on all of the things that are happening in this -- in -- with respect to security in the sector is going to be valuable. So I think codifying it, elevating it, funding it, supporting it are all good outcomes.

Mr. Walberg. Okay. Let me ask, do you believe that elevating the cybersecurity functions to the Senate-confirmed assistant secretary level is a positive? Is it necessary?

Mr. Aaronson. You know, I will leave that to policy makers on that, sir. I think -- I think it's a positive development, though, certainly.

Mr. Walberg. Okay.

Mr. Aaronson, one of the bills we are discussing today is the Enhancing Grid Security Through Public-Private Partnership Act, which directs DOE to provide cybersecurity training and technical assistance for electric utilities that have fewer available resources due to size or region.

The legislation builds upon the existing public-private partnership between DOE, the electrical cooperatives, and public utilities -- power utilities.

Could you explain for us the challenges facing certain electric utilities in improving the cybersecurity of their assets?

Mr. Aaronson. Sure. So again, I would point everybody to the statement by the American Public Power Association and the National Rural Electric Cooperative Association, with whom I serve as secretaries on the sector coordinating council with.

So one of the benefits of the sector coordinating council is that we do all come together with common cause, whether they are large investor-owns, smaller investor-owns, cooperatives, municipals, Canadians, independent power generators, the nuclear sector, gas, and on and on and on.

So we work really well together on these issues, again, of sort of mutual concern with respect to protection of our infrastructure.

With respect to challenges among the smaller entities, there are workforce challenges. There are the ability to ingest intelligence.

There is the ability to implement some of the good information that is coming out of the government and some of the mitigation measures that are recommended. And so anything that we can do as a community -- again, whole of community, so that it is a rising tide that lifts all boats -- ultimately helps all of the infrastructure that we own and operate together.

So we are very supportive of that particular provision for our co-op and municipal brothers and sisters, but also for some of other smaller entities that are going to need help implementing the things you all recommend.

Mr. Walberg. So this Section 2 of H.R. 5240, the Enhancing Grid Security Through Public-Private Partnerships Act, does that
strengthen and further these existing public-private partnerships?

Mr. Aaronson. Thank you. I think it does.

Mr. Walberg. Okay. The gentleman from New York is here, my friend, and we recognize you for five minutes for questioning.

Mr. Tonko. Thank you, Mr. Chair, and thank you to our witnesses for being here this afternoon.

Mr. Aaronson, the utility industry has a long tradition and culture of mutual assistance. When a disaster strikes, everyone responds, and I know there are still crews from New York working in Puerto Rico.

The industry has a good idea of how to deal with supply disruptions and restorations after a natural disaster. But cyber is still uncharted territory. When the industry comes together to think about the future of mutual assistance, does that include how you might respond to a cyber incident?

Mr. Aaronson. Very much so.

So the -- one of the things that we have done as a sector -- and actually, I will give a little bit of a time line because I think it's instructive.

So you will recall the end of 2015 we had both GridEx III, which is a biannual exercise that NERC puts on, and then just a month later there was the attack in Ukraine that had impact on their distribution system.

The CEOs of the sector coordinating council got together for a meeting in January of 2016 and asked the question, do we have the surge capacity to deal with either the imagined threats in the GridEx scenario or the real ones that were perceived from the Ukraine scenario? And the answer was sort of,
which is never a good answer for chief executives. And so they told us as the sector coordinating council support staff to go put something together.

We put together something known as cyber mutual assistance, and so from that time, just a little over two years ago, we scoped what cyber mutual assistance would look like. We developed a legal structure around it. We developed a play book. We exercised it. We've utilized it, and now 142 companies representing nearly 80 percent of all customers in North America have a company that is a member of the cyber mutual assistance program.

So we will be -- look, it's in its very nascent stages. Traditional mutual assistance has been around for more than 80 years. But it is a platform that we can begin to surge and support each other in the eventuality of a cyberattack.

Mr. Tonko. And in that collaboration, are there any differences that you would cite that they could distinctly -- make a distinction from, you know, the regular emergency planning and response efforts?

Mr. Aaronson. It is in some ways very similar in that the goal is to restore power, and one of the things I tell people is the best way to not have cyber vulnerabilities is to not have cyber infrastructure.

So another thing that we are pursuing is to actually be able to operate in a degraded state manually, which is something Ukrainians were able to do and, again, which we
have some capacity to do but, you know, are going to develop even more so.

With respect to the differences between traditional and cyber mutual assistance, the first one is the obvious one. You're not going to have bucket trucks of, you know, cyber linemen driving down the highway to the affected area.

But there is the capacity to support each other remotely. There are things that can be done to develop both information sharing in the event of these attacks and the sharing of equipment and the bringing in of noncompromised equipment to support the company that may have had equipment compromised.

Last is, with storms, you see them coming and they are regional. And so companies from all over North America will descend, and did certainly this last year, on the affected region.

Cyber doesn't know boundaries like that, and so that is a consideration for how do you respond -- do I want to send my people into a company that's been impacted when I may be next, and that is something that the cyber mutual assistance program is contemplating and addressing.

Mr. Tonko. Okay. Thank you very much.

And Mr. Vance, a common theme we are hearing today is how partnerships -- those between utilities and between different levels of government -- are critical to ensuring that our electric system
is reliable, resilient, and prepared for the worst.

Can you give us a sense of the level of cyber expertise at the state and local levels?

Mr. Vance. We have a number of folks at our Office of Technology who are the co-coordinators of our cybersecurity council who are spending their time on cybersecurity in coordination with our Department of Homeland Security, our Utility Regulatory Commission, and a number of folks across state government.

So we do have some folks who are focused specifically on the cyber issues. This is a relatively recent thing. I think it started in 2016, but it's something we are trying to get up to speed on as soon as we possibly can.

Mr. Tonko. Thank you. And your testimony mentioned the importance of a robust state energy security program. What kind of services and resources can DOE provide to our given states?

Mr. Vance. I think that's something that can be defined as we explore this more. But the first things off the top of my head are more training and exercise.

A lot of this planning and exercise activities -- for example, the exercise we did in Rhode Island that mapped a cyberattack on top of a natural disaster -- is something that was a very useful exercise bringing people together and go through these issues and also put a face to who some of these people were at utilities, at DOE, at the states.

So I think more exercise and opportunities to plan regionally are really helpful as well.

Mr. Tonko. Thank you very much, Mr. Chair. And seeing that I have no time remaining, I yield back.

Mr. Walberg. I thank the gentleman. Seeing there are no further members wishing to ask questions, I would like to thank all of our witnesses again for being here today and for the insights you shared with us and considering our questions.

Before we conclude, I would like to ask for unanimous consent to submit the following documents for the record: number one, a statement from the American Public Power Association and the National Rural Electric Cooperative Association, a cybersecurity update letter from the American Public Power Association, a letter to Department of Energy Secretary Perry, a response letter from the Department of Energy Secretary Perry, a statement from Siemens Energy.

The information follows:

COMMITTEE INSERT

Mr. Walberg. And pursuant to committee rules, I remind members that they have 10 business days to submit additional questions for the record, and I ask that witnesses submit their response within 10 business days upon receipt of the questions.

Without objection, the subcommittee stands adjourned.

Whereupon, at 1:04 p.m., the committee was adjourned.