tv   Today in Washington  CSPAN  June 1, 2011 6:00am-7:00am EDT

6:00 am
the other question i have, what type of solutions exist out there that you have under the shield or grid act the appropriate authority to, for want of a better word, mandate the technology and is there any conclusion on what the costs would be nationally to adopt the hardware solutions? mr. mcclelland. >> there are several aspects to electromagnetic pulse. e-1 is a high energy radio frequency burst. e-3 is ground-induced currents. the ground-induced current attack will find its way on to
6:01 am
the bulk power transformers and destroy those transformers quickly. one tried and true method is series compensation, putting capacitors on the line. back to e-1, it's more difficult. it's more challenging. i did receive some information recently from an israeli scientist that shows promising technology for erecting a faraday cage that is a simple spray-on coating that looks very promising. there are others in the world that have deployed effective mitigations against electromagnetic pulse. we have not done so. >> at what cost? >> i can get back to you with those numbers. i have those numbers, but not at my fingertips.
6:02 am
e-1 is most challenging. >> ms. hoffman? >> i would just add to that, joe adequately talked about some of the hardening type activities that could be done. the other thing to keep in mind is the current state of health of the transformers. you can do hardening, but if the current health of the transformer is not where it should be, there won't be vulnerabilities. assessing the current health will impact to what level of deterrent or capability they will have to withstand any geomagnetic solar flare. how much do we want to harden against? are we talking about a 200 amp type thing or what is currently tested up to an 80 amp? the other thing is, do we have enough manufacturing capability of transformers in the united states? as we look at it, hardening is only one solution. there are several sets of solutions we must keep in mind.
6:03 am
>> let me follow up. building resilience into the system to provide for rapid return of functionality is another alternative to hardening. we need to be able to be sure we can, from a department of defense mechanism, get back to conducting our core missions no matter what. sometimes hardening will be the best, most cost-effective approach. other times quick restoration of enough power to do the bare minimum to operate those core functions makes better sense from a cost perspective. thanks, mr. chairman and thanks to all the witnesses being here today. i appreciate your testimony. we certainly heard about the vulnerabilities and it suggests there does need to be better coordination between the private sector and the government. commissioner mcclelland and the rest of the panel, what are the
6:04 am
standard operating procedures when a credible threat is received? how does ferc communicate? does it direct nerc? how are those standards communicated to users of the system and what is the protocol for nerc? >> it's mr. mcclelland. i'm not a commissioner. >> oh, yes. that's right. >> thank you. i'll answer your question saying it depends on the issue. if it's an urgent matter, it may be very appropriate. the commission has done this to bring in members of the affected utility who have security clearances, to brief them in detail on the perceived vulnerability or threat and work out a tabletop solution as to how they might increase their preparedness for some interim period of time.
6:05 am
it wouldn't be appropriate, necessarily appropriate, to try to develop a standard around the very sophisticated targeted threat that exploits a vulnerability with a handful of entities. if it's a larger issue, the commission engages in rule-making procedures. so the commission would order nerc upon filing or upon its own motion, to address a specific issue, security issue. nerc would then receive the order, engage industry through industry volunteers and the standards development process. that process routinely takes years. at the end of that time period, nerc would submit a standard and the commission would be in a position to approve the standard, at which time it would become mandatory and enforceable, or remand the standard for further work, at which time nerc would take it back, consider the commission's comments and pick up that issue and work on the standard.
6:06 am
>> if i may add to that? >> please. >> with respect to a cyber event, generally we follow the national cyber security response framework. cyber events will generally be coordinated through u.s. cert. they'll go through some analysis and forensic coordination and do risk and consequence analysis to determine how is that going to impact the sector, share it with the industry, the information that is available, then be able to actually move forward with the industry's help on mitigation measures. so it's really key to having that information sharing and that quick response capability. that's very important. >> may i add one thing to that? >> please. >> the only action that is mandatory is a standard. until such time as the ero or nerc develops a standard and submits it to the commission and it's approved, there is nothing
6:07 am
mandatory. they do show levels of increasing urgency. nerc can convey the information to the industry and ask for a follow-up response, and then communicate to the industry the importance of those levels. outside of a standard, nothing is mandatory. >> do you believe that the current system is effective? and how could it be enhanced? >> i think that the current system can be effective for routine reliability matters. when it comes to national security issues, these are fast-moving, very sophisticated, sometimes highly targeted situations. we've come to the conclusion, no, the standards development process is not adequate to address these types of issues. although it can raise the bar to narrow the universe of attackers, it is not adequate in the case where national security is jeopardized.
6:08 am
>> if i may add, there is room for improvement. from the perspective we need to do a better job with respect to information sharing, and that goes back to what is in the administration's comprehensive bill as well as looking at protection of information, that information sharing is a key critical component to getting to an effective response in mitigation measures whether done by the industry, by themselves or it's actually looked at from a different action point of view. >> thank you, everyone. >> thank you. you're recognized for five minutes. >> thank you, mr. chair. i would like to welcome the witnesses and thank you all for coming and giving us your expertise and your time. i've got a couple questions for you, mr. mcclelland and you, miss hoffman. specifically, if the ferc and d.o.e. had to order a generating unit to operate for reliability purposes or an emergency situation,
6:09 am
and doing so resulted in that unit exceeding an environmental permit, would they indemnify the operator from any private citizen action? >> it is my understanding we do not have jurisdiction over another agency's fines, penalties, regulations. >> the commission has acted in conjunction with d.o.e. on one other occasion, to my memory. it was the first time section 207 had been invoked. dod invoked section 202. in that particular case there were generating units serving the washington, d.c., region, and transmission upgrades that needed to be performed. in that case, however, both d.o.e. and ferc did not need to
6:10 am
conflict or clash with the environmental regulations. i know of no case where that's already occurred. we can certainly, i can certainly posit that back to our general counsel and get that information to you. >> what could happen? what is the possibility of a company that obeys orders from you, but in doing so exceeds some environmental limitations from some other agency? this is a serious problem. if they ask, if you tell them to do this because of those liability issues and emergency situations, by gosh, they are going to do that and that's the right thing to do. we certainly don't want to have exposure to do what one arm of the government says to do and the other arm says you exceeded the permitting process and we will punish you for doing that. i would greatly appreciate answers to those questions. i had operators back home in texas ask me these questions. we have many disasters, hurricanes, tornados, freezes,
6:11 am
all the above, that's impacted the reliability of our grid. we do have people out there who are very concerned about this. i would appreciate an answer to those questions. that's all i have. i yield back my time. thank you. >> thank you, mr. olson. thank you all very much for taking time to come and testify. we appreciate your input. >> mr. chairman, if i may, this is something that has kind of been gnawing at me. i heard and i tried to get to this issue in my line of questioning. is there an administration bill and has that bill been filed here in the senate? is it in the senate? i know it's not in the house. >> maybe they'll be able to answer you. it is my understanding, i may be wrong, that mr. rockefeller introduced a bill similar to the administration's request.
6:12 am
maybe they can answer it. >> is that the bill, ms. hoffman? >> i don't have explicit knowledge. all i have right now is the discussion draft. i'm not aware. >> do you know, mr. stockton? >> the same. discussion. >> do you know, mr. mcclelland? >> sorry, it's the same. >> the white house doesn't talk to you all any more than it talks to us, right? we'll find out. >> may i have additional time to ask another question? >> without objection, i'll give 2000 additional minutes. >> thank you very much. this is a serious threat to our country. we know al qaeda and other countries are targeting us. there are many ph.d.s targeting
6:13 am
us. we know there were those nine in my district plotting to hijack those two planes. they were well-educated people. very smart. they tried to find the aperture and they found it in the aviation system. they are very technically sophisticated people. that's the one thing we did learn about al qaeda. that's why i have such a passion for this issue. back in 2006, the north american electric reliability corporation proposed some grid security standards that seemed to be fairly limited. one of them even allows utilities to decide for themselves which of their assets are critical, and thus, subject to the standards in the first place. only 29% of the power-generating owners self-reported that they owned a single critical asset. isn't that right, mr. mcclelland? >> yes. >> none of them, 70% of the electric facility industries felt they had no critical
6:14 am
assets. >> i was going to say critical cyber assets. >> yeah. and i just think that's a mentality that we have to be realistic about. we've moved to a new era. we are potentially under assault in this sector in the same way you mentioned, mr. chairman. the attack on the iranian nuclear facility. that was just a very smart way of very smart people figuring out how to disable a nuclear power plant in iran from a distance. thank goodness however those people were able to disable it and not cause a nuclear disruption. there may be others that are not so benign in their, in what their objectives are and the harm they can do. i just think this isn't something where you self-identify yourself as potentially being a problem. i think we have to decide is there a problem and al qaeda is out there.
6:15 am
do you agree with that, mr. mcclelland? >> yes. i would add one distinction. nerc has submitted a standard where critical assets, now there are several designations for critical assets. assets that serve nuclear facilities are now deemed critical assets. the commission has requested additional information. critical assets are not the assets covered by the standard. there are critical cyber assets. the commission asked, one of the lines of questions is, tell us how that translates to critical cyber assets. those are self-determinations. >> right. is nerc's guidance advisory or mandatory? >> the standard that nerc proposed to the commission would be mandatory. that would be the designation, bright line designation of critical assets, which can help guide an entity to self-determine critical cyber assets. >> thank you, mr. chairman. >> thank you, all. thank you once again for testifying.
6:16 am
we look forward to working with you. at this time, i would like to call up the third panel of witnesses. that would be mr. gerry cauley, president and ceo of the north american electric reliability corporation. mr. franklin kramer, former assistant secretary of defense for international security affairs at the u.s. department of defense. and mr. barry lawson, associate director of power delivery and reliability at the national rural electric cooperative association. welcome to the hearing. we look forward to your testimony. i will recognize you for five minutes for the purpose of your opening statement. >> thank you. good afternoon, chairman. >> is your microphone on? >> thank you. good afternoon, chairman
6:17 am
whitfield. as ceo charged with the reliability and security of the north american grid, i wake up every day concerned about emerging risks caused by intentional actions of our adversaries. the security of the bulk system is the main priority for nerc. it is a set of nine standards we actively monitor and enforce. we made significant strides in improving our cyber standards. when i came onboard at nerc in 2010, i recognized the importance of establishing bright line criteria, as we heard from the previous testimony, to identify critical assets to be protected. a new standard was developed in six months and filed with the commission in february this year and is pending their approval. our standards process works for what it was intended to do: to establish sustained baseline requirements for the reliability and resilience of the bulk power system. however, there is no single
6:18 am
approach, not even compliance with mandatory standards, that will protect the grid against all potential threats from physical and cyber attacks. the threat environment is constantly changing and our defenses must keep pace. achieving a high degree of resilience requires continuously adaptive measures beyond those outlined in our standards, measures we are actively pursuing today. the most important of these activities is the operation of our electricity sector information sharing and analysis center. in this role, nerc works closely with federal partners to promptly disseminate threat indications to participants. nerc staff has the necessary clearances to work with the department of homeland security, d.o.e., and federal intelligence agencies to generate unclassified recommendations and actions for industry. using this process, nerc has issued 14 security-related alerts since january 2010, covering aurora, stuxnet, night dragon and others. the nerc alert system is working
6:19 am
well. coupled with our cip standards and using a new expedited and confidential process for developing standards, nerc has a strong foundation of tools we need to protect the cyber security of the bulk power system. as outlined in my written testimony, nerc is leading a number of other initiatives including joint efforts with dod, dhs and the department of energy. we are preparing an industry-wide grid exercise in november 2011. jointly with d.o.e. labs we are initiating a program to monitor the cyber security of the grid networks and another program to improve the training and qualification of industry cyber experts. with regard to the proposed draft legislation, first and foremost, nerc has consistently supported legislation to address cyber emergencies and to improve information sharing between government and the private sector. nerc has consistently supported comprehensive legislation authorizing a government entity to address cyber emergencies. which agency is a policy
6:20 am
decision for congress. nerc stands ready to assist in responding to designated grid security threats. measures to improve information sharing between the government and the private sector of critical infrastructure are needed. nerc commends the provisions directing the commission to facilitate sharing of protected information. while the focus on providing adequate security clearances is key, this alone is not enough. it is most important to develop methods for declassifying sensitive information to make it available to industry decision-makers. new authority to address grid security vulnerabilities, however, is unnecessary. ferc already has the authority under section 215 d-5 to direct nerc to prepare a standard. if congress decides to allow vulnerabilities to be addressed, at a minimum the ero should be given the opportunity to address the identified vulnerability.
6:21 am
backstop authority if the ero fails to address the vulnerability within a prescribed period. while we appreciate the current draft, which urges it to consider our recommendations if time allows, we believe more is needed. other provisions of the discussion draft are not needed. nerc has issued information to ensure industry understands and is mitigating the vulnerability. the provisions on geomagnetic storms also are not needed as nerc already has the authority to address these topics today. nerc is actively working on the issue and an alert providing industry with operational and planning actions to prepare for the effects of a severe geomagnetic disturbance. in addition, a nerc task force has focused on mitigating risks associated with long lead time transformers, and developing a secure database for securing information on spare equipment. finally the ero should be given
6:22 am
authority under oversight to address grid security vulnerabilities by enforcement means other than standards. congress has provided us with many tools to address security. as noted previously, we have three levels of alerts. we have strong industry participation and response to these alerts. including a provision to authorize nerc, subject to oversight, would enhance the security of the power grid. i believe legislation addressing the security of the infrastructure could be beneficial, but the framework should focus on enabling information sharing between government and industry and problem-solving between the private and government sectors. thank you for the opportunity to speak today and i look forward to your questions. >> thank you. mr. kramer, you're recognized for five minutes for an opening statement. >> thank you, mr. chairman, and mr. ranking member. i appreciate the opportunity to testify. i think the proposed legislation, the grid act you have in the discussion draft, is excellent. but i'd like to suggest five
6:23 am
things that would actually make it better, at least from my perspective. now, the first is, i think, that we need mandatory federal standards. we need to turn the system around and have the federal agency, be that ferc or another, have the authority to issue standards. secondly, i think we need to focus on resilience. how will we deal with the problem of how the grid will operate in the face of attack? third, i think that the elements of the federal government, including especially the dod, have to be given clear authority to help protect and/or respond to an attack on the grid, because it's only the dod that has the capabilities that are necessary. fourth, i think we have to think about the issue of scale and resources and particularly the issue of cost, and make sure that the industry can recover its cost. and lastly, i think there needs to be a much more expansive research and development program
6:24 am
to deal with the advanced threats; we need advanced capabilities. now, the reason i say that, mr. chairman, all these points, is what you've already said. the threats are increasing. we've seen, for example, last year an attack on google. we've seen more recently an attack on a company called rsa. and as you mentioned we've seen the attack on those control systems, the control systems that control the electric grid. the vulnerability is very substantial and has been pointed out by others already in this hearing. right now with the smart grid increasingly coming into play, the distribution system as well as the generation system and the transmission system are sources of vulnerability. i think we really need to focus on the entirety of the problem and recognize how much the threat has been increasing over time. the reason i say that we need mandatory standards is that frankly the current system's
6:25 am
just too slow. it doesn't work quickly. it hasn't solved the problem. in fact, if you look at nerc's own study last year, it said very clearly that the grid is at risk against an adversary. if we think about other areas, clean air, water, safety standards, the federal government issues the standards. i think that's the way we ought to do it. in addition, i think that the current act, the discussion draft, has what's called authority for the ferc in the case of a so-called imminent threat. but i think imminent is too late often. what we really need is if we see a significant threat where one needs to be able to take prompt action before we get to that microsecond before the attack occurs, the federal government ought to have that authority. so the issue is interim standards,
6:26 am
but earlier than the imminent threat standard. on the resilience point, i think we all know, and if you look at the google attack, is that cyber offense beats cyber defense. in fact, the deputy secretary of defense has said so publicly, and plenty of others have. in the dod area, the dod doesn't just rely on passive defense. it also does what's called active defense. and if dod needs to do active defense to protect its networks, so does critical infrastructure. and again, as we've said, the dod relies 99.9% on commercial electricity. well, that means that that commercial electricity ought to have the same kind of protection, that active defense. i don't think that the industry should do it. i think the dod, under the right kind of standards, the right kind of legislative standards, regulation, guidance from the president, ought to work with the sector-specific agency and also with the industry to be able to provide that.
6:27 am
we also need to have capabilities that we haven't heard talked about today. we need what i call gold standard integrity: integrity of data, integrity of software, integrity of hardware. we need capabilities like segmentation and isolation so that the key elements of the grid can be protected by being separated from other elements of the grid. we want to look also finally at the issue of scale and resources. it's a very large enterprise. we're going to have to work to get the private sector to get out there. it seems to me if the industry's going to incur cost, and this is a highly-regulated industry, it ought to be able to recover those costs. that could be in the rate base, but it should be allowed in some way, shape, or form. and finally, as i said, i think we need to have a comprehensive r & d program so that when you have advanced threats, we can have advanced capabilities. and with that, mr. chairman, i
6:28 am
appreciate the opportunity to testify, and i look forward to your questions. >> thank you. mr. lawson, you're recognized for five minutes. >> chairman whitfield, ranking member rush, and members of the subcommittee, thank you for the opportunity to testify today on cyber security and the grid act. i'm the associate director of power delivery and reliability at the national rural electric cooperative association, which represents over 900 member-owned not-for-profit cooperatives providing electricity to 40 million consumers in 47 states. over the last decade, i've been involved in a variety of protection and cyber security initiatives with industry, nerc, dhs, and d.o.e. based on these experiences, i know the electric power industry takes these issues seriously. in addition, to my knowledge, there's not been a documented case of a successful attempt to protect through cyber means. while my testimony is offered on
6:29 am
behalf of electric cooperatives, i want to recognize a long-standing partnership among all sectors of the electric power industry when it comes to reliability and cyber security. nreca is part of a coalition that includes major trade associations that represent the full scope of the industry as well as state regulators, large industrial consumers and canadian utilities. it's rare that we all agree on public policy issues, but we unanimously support the nerc process and narrow new authority for the federal government in the event of severe imminent cyber threats. under section 215 of the federal power act, nerc works closely with industry experts and others to draft mandatory and enforceable reliability and cyber security standards that apply across the north american grid. the standards process can be lengthy when addressing highly technical issues. but it can also be shortened when needed using nerc expedited
6:30 am
standards procedures as approved by ferc, also developing standards in a confidential manner when national security requires it. nerc rules of procedure also give authority to distribute alerts on topics that are important for industry to address. there are three levels of alerts and the two top levels have mandatory reporting requirements that typically require recipients to inform nerc what they did in response to the alert. alerts have quickly provided industry critical information on many issues including night dragon and geomagnetic disturbances. nerc is required to provide reports to ferc explaining the level of action industry has taken. to date these reports show that industry takes these very seriously.
6:31 am
the industry realizes that threats are possible. in some cases, even procedures and standards can't assure that industry gets timely, actionable information to mitigate a threat against the bulk power system. when the federal government at the highest level determines that emergency action is necessary, it should be able to issue orders to our industry that directly address the severe and imminent cyber threat and set out mitigation actions needed to protect the bulk power system. those orders should sunset when the threat has subsided or is mitigated, for example, by development of a related nerc standard. our primary concern is that the act creates new authority for ferc that largely duplicates authority and ongoing nerc activities under section 215 and could substantially undermine the existing standards regime. it should be understood that vulnerabilities alone do not adversely impact the reliability
6:32 am
of the grid. that being said, our industry has every incentive, ranging from financial considerations to the fundamental obligation to serve our customers with reliable and affordable power, to protect the grid when vulnerabilities emerge. the draft grid act -- if there are vulnerabilities that existing standards do not require protecting against, the new authority the draft seeks to give ferc is very concerning to our industry. first, we question whether ferc has the intelligence handling expertise to exercise such broad new authority. second, this new authority regarding vulnerabilities would fundamentally alter 215 by addressing vulnerabilities that nerc and industry are managing very well through standards and alerts.
6:33 am
to help industry protect the grid from vulnerabilities and threats, we need timely intelligence. we need higher levels of security clearances so we can plan effective responses to threats and vulnerabilities. the draft seeks to make improvements in these areas and we appreciate the subcommittee's support. in conclusion, we urge the subcommittee to focus on the immediate, narrow issues at hand: the need for very quick emergency orders if the grid faces an imminent attack and the need to receive timely, actionable information. thank you for the opportunity to testify today, and i look forward to your questions. >> thanks, mr. lawson. mr. kramer, you would agree, then, that the national defense and the interest in national defense for the additional federal authority is necessary? >> yes, sir, i think it's absolutely required. >> okay.
6:34 am
and mr. cauley, you mentioned in your testimony that you didn't think it was necessary for nerc to develop standards to ensure the availability of large transformers. and i'm certainly not an expert in that area, but it's my understanding that the availability of large transformers is one of the key issues out there. and i was just curious if you would elaborate on your decision on that. >> thank you, mr. chairman. i do take the issue of spare equipment and transformers very seriously, physical attack, cyber -- it is a major issue. i think we don't have enough information yet to know what the standard should be in terms of how much equipment and where it would be located and how we would transport it. so if i said something opposing, i may have misspoken. i'll have to look at my written
6:35 am
testimony. but it is a key issue. and we're dealing with it today with some industry experts and a task force. they're looking at likely scenarios. what would the need be? how would we move the equipment? we're trying to find a technical solution to the problem before we tackle the issue of whether there should be a standard or not. >> are these manufactured in the u.s. today? >> the vast majority of them have been manufactured overseas and continue to be. there's some recent activity to bring some onshore, but the vast majority are manufactured overseas. >> now mr. lawson, i'm sure you heard the testimony today that in addition to the bulk electric system, distribution should be included in this. the first rule involved in distribution. so would you disagree with that? >> well, we believe that the legislation should focus on the
6:36 am
bulk power system. distribution is handled at the local level, whether that be the state or local municipality level or the local board of cooperatives. and we don't think it needs to be extended to the federal level. >> but how do we address the potential problem in some of these large metropolitan areas that was mentioned? >> with regard to the distribution facilities in the large metropolitan areas? >> yeah. >> i think there's one definition in the glossary that is being worked on today, and that's the definition of bulk electric systems. that definition is looking at how and what should be included under the bulk electric system. and one of the issues that the commission has directed the industry through nerc to review is how those facilities in large metropolitan areas are covered.
6:37 am
and i think the direction that that drafting team, that i'm a member of, is going in is covering more facilities in those metropolitan areas than are currently covered under the existing nerc definition. so i think things are changing. and a draft of that definition was recently out for public comment. and it's now moving on to the second draft stage. so i think there will be changes in that area. >> so do you have any comment on that particular issue? >> just a couple, mr. chairman. the industry has a very long history of the issue of local service and distribution being dealt with by the rate payers and the local jurisdiction and obviously the states and other local jurisdictions. so i think any effort to encroach on that through federal legislation i think should be
6:38 am
taken carefully with consultation with the states. on the issue of the military bases, which is part of the earlier testimony, i think there is an opportunity to have enhanced discussions between the utility company and the military bases to say, do they have what they need? do they need more backup generators? do they need more lines coming into the base? so i think there's opportunity for those discussions to take place. i'll end there. >> mr. kramer? >> i would disagree with both of these gentlemen. first of all, i think we have the smart grid becoming an increasingly greater part of the electric power system. that means from the consumer side, from the distribution side, you're going to have increasing vectors that allow for cyber security attacks. so i think those could be national security facts. so i think that we need to have an overall federal standard that
6:39 am
protects against that. i don't actually think they've done enough, but at least they've done something. but i think we need to put that into play. so i would very strongly encourage the committee to expand its jurisdiction. with respect to the military bases and the like, i think he was very clear. they don't have enough. and it's not just the bases themselves. if you think about the military, for example, the entire critical infrastructure, transportation infrastructure, the telecommunications infrastructure. all of these depend upon electricity. so even if the bases themselves had electricity, the dod simply couldn't operate without transportation of telecommunications and the like. and i think we really need to have something done about that. >> mr. lawson? >> just to add to that. on the military bases, the best way to effect change and improvements is at the local level between the military
6:40 am
installation commander and the leadership of the utility supplying that military installation. those relationships exist today. they're typically very good relationships. and if there are additional levels of reliability, securities that are needed, it's very important for the military installation leadership to let the utility know and they can work jointly toward providing that. with regard to the smart grid, the industry is not implementing smart grid facilities carelessly. we're doing it carefully and keeping security very much in mind in many different ways. we're also working very closely and as much as we can with the vendor community to try to explain to them what levels of security we need and what levels of security already exist in their equipment today. so it's something that we're very focused on and not doing carelessly. >> thank you, all. my time has expired. you're recognized for five
6:41 am
minutes. >> thank you, mr. chairman. it's been quite interesting. and i'd like to ask you about imminent threats to the grid and also long-term vulnerabilities, as well. in the -- let's say our intelligence agency learned of an imminent threat to the grid from terrorists, what would you -- how would you characterize nerc's authority to step in on a realtime basis? >> well, the ability to acquire that information through working with various intelligence agencies, which we do continuously to get the information digested into what it means, in terms of impact from the industry and issue
6:42 am
various levels of alerts. we issued one back just in april, which we turned around within a day. so depending on the urgency, we can turn them out in hours or in days. i think as i pointed out in my testimony, we have different levels. some are just informational, some are recommendations. and there are essential actions, which we've been able to put out. the essential actions are mandatory under our rules, but they're not enforceable from a legal sense in terms of any sort of penalties and sanctions. and that's why i was suggesting in my testimony that would be one opportunity to improve the tool kit we have -- >> and would this apply -- if there was an imminent and severe threat also? >> this would apply to any known threat or vulnerability where there was a high degree of urgency. like we needed to get
6:43 am
information out either within hours, days, or weeks. and i think that's a much preferred approach. our standards were not meant to solve a problem in three days or three weeks. they were meant to be long enduring, around for years and years. the alert system is meant to solve these urgent actions that you're describing here. >> does nerc have sufficient authority at this point? >> i'm sorry? >> does it have sufficient authority? >> i believe in the area of vulnerabilities, in terms of, for example, whether it's -- i believe under section 215 that congress intentionally provided ferc authority to produce a standard that would solve a problem. under my reading of the plain language of section 215, the ferc has the ability to direct us -- >> mr. kramer, do you agree with that? >> i totally disagree. and i'll give you an example.
6:44 am
this committee's heard about it. it is not a classified problem. a very detailed set of reports were issued on that. it's a very, very severe threat we have to think about. and the vulnerability throughout the electric grid system because it's the same kind of control mechanisms that are the type that are involved in the electric grid. and it's sitting out there, so to speak, as a blueprint for anyone to use. now, i couldn't use it, but any capable cyber adversary could. so i think that would be an example of what i would call a severe threat; it's not imminent. but i think that something needs to be done about that right now. and i think it needs to be done promptly. and from my perspective -- and as i said as we do in other kinds of legislation, i would
6:45 am
rather have the opportunity for industry to comment, but for the federal government, be it the ferc or the dhs, but some federal agency, to determine what standards are necessary, what actions need to be taken promptly, and to cause those to be taken under a mandatory system. >> will you -- your opinion on this? >> well, first of all, as i said in my statement, the industry strongly supports the alert process. i am not aware of another tool out there today that can get information out to approximately 2,000 utilities within hours or a day or two with specific information about how a threat or a vulnerability or anything specifically relates to the electric utility industry. so i think the alert process is a very critical one and one that we need to keep utilizing.
6:46 am
also, under the alert process there are three levels. the base level is advisory, the middle level is recommended action, and the most serious level is essential action. and i can tell you that the industry reacts very strongly to these alerts because we know that they are -- they are communicating very important information to the industry, and that under the top two levels of alerts, you will be required to provide nerc with an update on what you've done with regard to that alert. and those reporting requirements are mandatory and they are summarized and provided to ferc. so the industry takes these very seriously and the top level alert, essential action, has not yet been utilized. so only the advisory and the recommended action have been utilized. and both of those levels have been taken very seriously by the industry. and i'm sure essential action would be taken exactly the same.
6:47 am
>> mr. chairman, i just want to ask one other question. let me just ask you this -- anyone can respond. what i'm hearing here is in the event of an imminent, severe, catastrophic cyber attack on the electrical grid system here in this country where there can be vast harm done to the american people. are you saying -- am i correct in understanding that you're saying that the federal government -- let me ask it this way. who are the american people going to hold responsible? for their protection to solve the problem and to protect them? are they going to hold the
6:48 am
federal agencies or the industry responsible? in your opinion? >> congressman rush, first of all, to distinguish some time horizons. first of all, if there's an imminent emergency like planes flying on 9/11 that are going to cause disaster, nerc and i think the industry supports some government agency having strong immediate authority under those kinds of circumstances. nation is in trouble, somebody has to be in charge, i think we support that. i think the other issues where we get a little bit of difference of opinion, but it's not as bad as it sounds, actually, is on dealing with the things we have a longer time to think about and respond to. and all we're saying is we think the ferc has for longer term issues, like spare equipment. we're not going to solve spare transformers tomorrow. it's going to take possibly years to resolve that. is that we have the authorities we have now. and i think we could strengthen
6:49 am
the gap in the middle between dire emergency right now and things that might take months to solve. in the interim, we have our alert system, and all we need is a little bit more authority to make those mandatory in some cases. when i testify here today, i'm not here testifying against authority for ferc. we work with ferc today as a partner in developing our standards and review them going forward, we continue to work with ferc, anything we can do to help the industry know what they have to do, we would do that in partnership with ferc. >> mr. terry, you're recognized. >> thank you. the follow-up on that, have you read the grid act or the proposal or the draft? >> so as it's written now, my assumption is you don't support it.
6:50 am
is that accurate, you wouldn't support it as written? >> i applaud the committee for taking initiative. >> i've got a short time. yes or no? >> i support parts of it, not the entire -- >> the jurisdictional part you have a problem with? >> with the vulnerabilities being unnecessary, that's correct. >> mr. lawson, same question. >> we support narrow authority with the federal government with regard to imminent cyber threats. that's where we are. >> so that's a no? okay. i appreciate that. i just think we have more work to do than i anticipated before this hearing. mr. kramer, i want to spend the rest of the time with you. do you keep track, was there reporting of hacking attempts to your -- to your office or any office that you know of? >> just so we're clear, i'm a
6:51 am
former assistant secretary, and i'm testifying in a private capacity here. >> all right. >> so i read there are plenty of reports on hacking that are in the open press. there are plenty of reports maintained by a lot of entities. >> electrical generation. >> including electrical. and the point was made to this committee as an example. >> yep. and i participated in a demonstration at our local generator that showed it was able to track hacking attempts within the last 24 hours. and i think there were six or seven. mostly been able to track back to a certain university in china. but we won't go into that for this hearing. now, they are mostly -- how do i
6:52 am
say this? but for fun. it was their practice of seeing how they can enter into the system. and not for nefarious purpose, although we don't know that when they're trying to do it, when they're trying to hack the system. and that's what concerns me and this committee. is what we can do to strengthen our system against those hacks. and by the way, just two questions to you, mr. kramer, in my two minutes left. generally what should electrical generation companies be doing to best ensure that their systems can't be hacked into? and then on the electrical generation itself, there's been some side discussions on
6:53 am
electrical generation, more critical defense bases or buildings should go off grid totally reliant. and with the small module nuclear reactors may allow them to do that. you have a minute and a half to comment on both of those questions. >> i'll make three points, sir. first of all, with respect to the issue of serious attack. one of the things that a serious attack would have to do is reconnaissance. they won't just attack without substantial reconnaissance. so the reconnaissance or the activities you're talking about are quite consequential. and it would be part of any serious attack. and so dealing with those early on is just as important as dealing with the set of issues, you know, when the attack occurs. secondly, with respect to what the industry ought to do, there are a number of -- standards set
6:54 am
forth both nerc itself, ferc, d.o.e. and others have written out. one is called 20 critical activities that was put out by one of the cyber security groups. those were what you might call very good hygiene. and one of the critical things i think needs to be done is that there has to be a greater amount of protection provided to the control system portion of the grid than to the corporate portion of the grid. and i also think there need to be what i call advanced capabilities developed so that you can isolate the control portion of the grid from the corporate capabilities and from vendors and others who have to send things in. there will need to be integrity communications at the demonstration level, but are not
6:55 am
out there throughout the grid. and i think that the critical parts of the industry -- mr. mark, you mentioned that only -- i don't have the exact figures, but roughly 29% if i remember right of the grid was considered critical by the industry. i think it's a much larger amount than that. i think you have to have a more significant -- with respect to the bases again, even if the bases themselves have electricity and there are actions going on, i can't tell you what it's called, but it's called spiders, a demonstration program. and this is non-classified. you can look it up in the -- on google. and the d.o.e. has a so-called spiders program at three or four different bases. but even if the bases themselves had electricity, the d.o.e. relies on telecommunications capabilities of the country, relies on the transportation capabilities of the country, relies on water, relies on gas
6:56 am
pumps and the like. and all of those rely on electricity. so there's no possibility whatsoever that you can have an effective defense unless you have electricity beyond the bases. and in addition, i have this to be true overseas, which is a different topic that the chairman raised. but it goes beyond the question. >> mr. rush, do you have anything else you want to touch on? >> well, that concludes today's hearing. we appreciate your being here. and i'm sure we're going to continue to be in touch with you as we move forward on this legislation. and we'll keep the record open for ten days for additional materials. and thank you all very much. and that concludes today's hearing. >> mr. chairman.
6:57 am
[captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2011]
6:58 am
>> a couple of live events to tell you about tomorrow -- the house homeland security subcommittee on counterterrorism and intelligence will take a look at how the department of
6:59 am
homeland security gathers, analyzes, and disseminates intelligence on c-span 3 at 2:00 p.m. eastern. after that, at 2:30 p.m. eastern on c-span 2, a hearing on the u.s. transition in iraq. the house foreign affairs subcommittee will hear from representatives of the departments of state and defense. in a few moments, today's headlines and your calls live on "washington journal." the house is in session at 10:00 a.m. eastern for general speeches with legislative business at noon eastern. the agenda includes a bill regarding the war powers act and military action in libya. in about 45 minutes, we will talk about the federal budget and deficit and yesterday's vote rejecting an increase in the debt ceiling. our guest will
