
Energy Indus. CSPAN August 10, 2013 12:20pm-1:36pm EDT

9:20 am
we have done it that way. i think we have done it well and correctly. we have done it that way because offense and defense rotated around the same concept. that concept is vulnerability. if you mastered the vulnerability you can play offense, if you master the vulnerability you can play defense. and the life of nsa -- let's go pre-cyber. in the life of nsa, you always had a trade-off between the two squads. when you discover a vulnerability, do you want to exploit it to play offense or do you want to fix it to play defense? back in the pre-cyber world we had a pretty well-worn road as to where the line is. i am willing to enter into a debate that that line might not be in the wrong place. that the old approach to it, the old calculation -- i want to keep that vulnerability because i want to use it in the future
9:21 am
might actually be technically correct, operationally sound in a discrete one-off decision kind of way, but the cumulative effect of the discretely correct decisions has been a real strategic problem of vulnerabilities out there that industry is unaware of. i actually think the trend line -- and the more we can accelerate it, the better. it will go too far. you know how it works. and we will pull it back a little bit. but i think the trend line now is in the direction of more defense, even if it has to be at the expense of offense. the degree of what we need to do with the trend line is to accelerate it, because i think it moves it into a positive direction at the time in which we are located. how does it translate? you will have people up here talking about security clearances, the classification, sharing of information. that is how it works. it comes back to the core problem. what do you want to do with the vulnerability?
9:22 am
at the level of grand strategy, we have the balance point perhaps not quite in the right place. >> thank you, general. >> can i ask one more thing? when you talk about the threat of -- what is the role of mexico and canada in helping to prevent these types of attacks and providing assistance if it happens? now that we know dea is receiving information from nsa, how critical do you believe this information is in helping to fight the drug cartels? >> number one, regarding emp, i don't know a lot about it. i know when i touched it while in government, we would have big meetings, realize this is a really hard problem, and firmly decide we need to meet again on this in two or three months. i don't mean to be so flippant, but there really aren't any facile solutions to this. i will just leave it at that. it's hard for me to -- you asked about signals intelligence and drug cartels. it is hard for me to comment specifically about any operational activities. but i would thank you for the question and take the opportunity to say, although the snowden allegations seem to point to the americans spying on everybody, actually the
9:23 am
americans share intelligence with almost everybody, and to the benefit of both ourselves and our partners. i will just leave it at that. thank you. [applause] >> more on the electric grid in just a minute. and now overseas, a reuters article about 18 of the
9:24 am
19 u.s. embassies and consulates reopening tomorrow. worries about potential terrorist attacks are diminishing. the post in yemen will remain closed because of ongoing concerns. the consulate in pakistan, that will be closed because of separate threats. the u.s. has been carrying out drone strikes there. it is not known when the posts in yemen might reopen. travel alerts are still in effect to the end of august. the state department says, we will continue to evaluate the threats and to make subsequent decisions about the reopening of those facilities based on the information. we will continue to evaluate information about these and all of our posts and take appropriate steps to protect the safety of our personnel.
9:25 am
not some sort of anti-suburb person who thinks everybody needs to live in new york city. i did this book. i understand why people like the suburbs. i get fed up with a lot of daily life in new york city. i was more drawn -- the trends were so undeniable. the fact that there is a shift in the way suburban america is perceived by the people that live there is too big a story to ignore. >> leigh gallagher on where the american dream is moving. sunday night at 9:00. >> we will go back to the bipartisan policy center where energy officials talk about the weaknesses in the electric grid
9:26 am
and problems getting governments and states to work together in case of a cyber attack. this is about one hour and 10 minutes. >> good morning. great to be here. i want to thank the bipartisan policy center for putting this together. as you know, this is the cutting-edge issue right now when it comes to risk and how we deal with it going forward, and mitigation of those risks has everything to do with our success. yes, the industry is doing a lot. the industry has done much to make sure that is true. one of the things i find humorous: normally, the industry goes last on these panels. you are first here. how is it listed here? it has something to do with responding.
9:27 am
you get to respond first. that is a great opportunity for you to share exactly what is going on in the industry, what you know, how you know it, and what you think our risks are going forward. as we talk about that, we move away from some of the nation-state stuff. that is the sexy stuff and general hayden did a wonderful job covering that. we will move to some of the not quite as sexy information about how we calculate risk, how we deal with that, how standards are set. should we have minimum standards? do those minimum standards get in the way? those types of questions we will get into with this panel. one of the things the bpc set up early on is to know we do not have all the answers. we talk about the fact that
9:28 am
cybersecurity is, in fact, a journey and not a destination. we will not reach an end date like y2k where we say ok, we did it right. there are some very bright people out there; lots of it has to do with ownership, some of it has to do with bad actors. we do have to ask ourselves, when we look at compliance, does that compliance actually drive the bar down perhaps? should we be looking at another way to do this? as we look at that, understand you have doe, the department of homeland security, commissions and the municipalities who are all involved in this. as we look at that, one of the questions for the industry: are we perhaps more prepared on the transmission side than we are on the distribution side?
9:29 am
are the states a little less prepared than the feds? some of the jurisdictional issues and calls. when it comes to jurisdiction, should we be looking at criticality of information versus private information? one of the people that just got up asked a question about sharing of information. should that sharing of information -- do we need to make certain, between the government and the private sector, that it is flowing both ways? i would submit to you that we probably do need to do that. with that, let's listen to the industry, let's see what they have to say, because we do know that electricity is the most critical infrastructure we have. the gas, water,
9:30 am
telecommunications are dependent on what we do with electricity. if we fail at electricity, we are going to fail miserably. one of the things we can do -- it does not matter if you are looking at hurricane sandy, katrina, some of the blackouts we have had -- when you look at the billions of dollars involved in the losses and the cost to systems and to customers, it is easy to see why we need to go down this road. with this, the one thing we cannot lose sight of, because i can tell you from my experience in this industry as a state commissioner, federal commissioner, practicing lawyer, i can tell you that cost matters. if we can solve our problems through software that might be less expensive than hardware, we should look that way.
9:31 am
but we do have to have a focus on cost. that is one of the parameters that we need to look at. we need to understand as we go forward that we do it correctly, we mitigate the risks, and we understand the cost to consumers. there must be a balance. with that, i will not read through everyone's bios. you have them in the packet, but for those of you who know chris peters, he is the vice president of critical infrastructure. ed goetz is vice president of information security with exelon. doug myers is cio with pepco holdings. at this time, i will bring them up one at a time. you would probably rather hear from them, but we will go through and have some quick questions. if you do not have questions, i will have a few questions.
9:32 am
we will see where this takes us. >> thank you. it is a pleasure to be here and talk about cybersecurity and the threat and the response that our company has taken and some changes we have made over the past three or four years as we have seen a gathering threat of cyber actors, and responding to the changes we have made from a regulatory perspective. three quick areas i want to touch on so everybody has a chance to comment this morning. strong governance -- from a threat perspective, the change we have made is a paradigm shift: we have to treat the cyber threat with the same respect that we give to forces of nature that impact our grid.
9:33 am
hurricanes, floods, ice storms. those impact our grid throughout the year and we are organized to deal with those threats, we are strategic about how we respond, and we have to put the same comprehensive approach and the same attention to cyber threats as we do the other threats that impact our system. the cyber threats are part of our risk profile. we have to fund it, staff it, and be prepared to respond as necessary. the other part is strong governance. we have learned as a company that the cyber message needs to come from the top. it needs to be a board-level and a ceo issue. they have to drive it. as a
9:34 am
cyber leader, we have to give them the right information that they need to make decisions, not to blindly fund technologies or personnel. we have to give them the right information on what the threat is, what the investment is, or what the regulation is, so they can make good decisions. i can tell you that over the past three years, the awareness level at the ceo and the board level has risen dramatically. they all read the wall street journal, the washington post, and they ask hard questions. questions about what we are doing to combat the threats. they also ask about regulation. they are asking the right questions. lastly, command and control. it is critical from a utility perspective that we need to have
9:35 am
control over assets, people, processes, investments, and how those all are integrated together and how they impact our cyber regulatory perspective. we have to maintain accurate security and compliance -- i say that because i think the two are inextricably linked together. configurations, the basic fundamentals, are boring things for us that nobody likes to talk about. we need to know who is coming in and out of our secure and sensitive environments. we need to know what traffic is coming into our networks, what traffic is leaving. we have external threats and internal. we have dealt with internal threats that had an impact on
9:36 am
various areas of our company. we have to be able to track those. we have to continue to evolve with technologies, with awareness that can pull all of these data points together so we can see them in one complete and comprehensive picture and make those decisions in real time that we need to, and not wait 12 months to find out that we have a threat or nefarious actor inside our network. let me turn it over to ed. >> thank you very much, chris. after 9/11, the united states government moved very quickly to close the information sharing gap within the intelligence community. i would assert that the gap we now have to close is the information sharing between the critical infrastructure and key resource sector and the government. i would like to talk a little about exelon's position.
9:37 am
we have a very strong commitment to securing our enterprise and we take it very seriously: our responsibility to maintain and protect the privacy of our customers and to maintain the reliability of the bulk electric system. we address incidents through an all-hazards approach. as chris alluded to, it does not really matter what the attack is. it is the result that we prepare for. in the area of information sharing, we rely on the government, but not solely on the government, to address the threats to the electric sector.
9:38 am
with the goal of ensuring the bulk electric system, exelon has four cybersecurity legislative priorities: better government and private sector information sharing, increased access to security clearances, liability protections for good-faith efforts when sharing information with the government, and avoiding additional complicated regulations. exelon has specifically supported the bill introduced by chairman rogers. we believe it provides information sharing authority to the executive branch, addresses privacy concerns, and reduces a company's liability associated with good-faith efforts. on the operational side of information sharing, there is some good work going on in the industry and government.
9:39 am
i would also like to cite and give them recognition for stepping into the gap, working to come up with a set of processes and procedures to share information on a real-time basis. initially, one of the concerns in the information sharing process was whether the information shared would be provided to the enforcement arm. with a memo from doe assistant secretary hoffman, we believe that has been addressed. exelon is comfortable with
9:40 am
nerc's initiatives. exelon also supports the executive order. it allows good cooperation between the private sector and government. we see some positive movement to enhance cooperation between the electric sector and the government, but we need to increase the speed of establishing processes and procedures that will enhance our ability to protect the nation's critical infrastructure. i will turn it over to doug. >> good morning, everyone. my remarks are focused primarily on cyber incident response. i would like to provide some context for those remarks. the electric utility industry is one of the world's most asset-intensive. those assets are critical to society and many of them are necessarily located in harm's way. depending on the areas they
9:41 am
serve, utilities face different types of harm. earthquakes, wildfires, tornadoes, hurricanes. all utilities consider emergency response planning to be central to their mission. pepco holdings is no exception. utilities have considered cyber security matters in their emergency planning for some time; as the risk of a cyber event has grown, so has our attention. we take appropriate steps to address cyber threats. i cannot talk about the actual steps, procedures, and systems in place, but i can speak to four broad categories. the first two are preparedness and prevention. one way we enhance our efforts is through information sharing. another is participation in various
9:42 am
assessments. this includes penetration tests that go beyond our compliance requirements. that grid participants have timely access to actionable information is critical. it is not essential for industry to know how threat information was obtained or by whom. the sourcing dictates the higher levels of secrecy classification and makes actionable threat information not immediately available. the prevention of all cyber threats is beyond the capability of any company or industry. the other two broad categories are response and recovery: the actions we will take in the event of a cyber attack. our extensive experience preparing for and responding to major weather events has taught us that having clear procedures and protocols is essential to a
9:43 am
rapid recovery. a point worthy of emphasis: our focus is to address what can be controlled by the utility. the vulnerabilities that threat actors might seek to exploit, and response and recovery readiness. regarding the prevention of vulnerabilities, the electric utility industry is very actively engaged in the effort. utilities and the manufacturers actively participate in the development and implementation of standards. requirements already exist for the electric sector. they can continue to address changing threats. we believe nerc should continue to lead the process. we believe there is room for dhs and doe in cyber matters as well.
9:44 am
dhs is best positioned to facilitate coordination across critical sectors in the case of a major event. regarding cyber response planning, it is important to bear in mind what most experts say about the likelihood of an event: it is not if, but when. we take an all-hazards approach to emergency preparedness. utilities think about natural disasters as when, not if, and think of a cyber threat in the same manner. there are differences between a hurricane and a cyber event. a hurricane comes with some degree of warning. utilities begin their preparatory work days in advance. checklists are in place across the property. cyber attacks are expected to come with no warning. situational awareness is
9:45 am
essential to hurricane response. systems and processes utilities have in place can determine the extent of the damage and the restoration priorities. the systems the utility relies on may be the very target of the attack. an event can be a crime, a national security incident, or an act of war. the nature of federal and state agency coordination can vary greatly from event to event. every storm is different in terms of the damage, but the utility's response and coordination with external entities during storms is consistent. disasters are typically state or regional events. the industry is able to come to the aid of the affected utilities through mutual assistance. there are scenarios that are
9:46 am
industry-based events. the nature of the attack complicates the mutual assistance process. some key principles that should come out of this brief summary are: emergency response is something utilities have extensive experience with, and we rely upon consistent and repeatable procedures and protocols both internally and externally. there are half a dozen federal agencies with clear lines of sight into a cyber attack on the grid. what is not clear is how these federal agencies will coordinate activities amongst themselves, with state and local governments, and with the private sector. what is also not clear is what the trigger will be for direct federal engagement with the grid. which agency will lead that engagement? how deep will that engagement reach into our operations?
9:47 am
these questions need to be answered before an event occurs. through collaboration between industry and federal and state government, we can answer these questions in a manner that facilitates coordination where coordination is needed most. scott? >> good morning, everybody. i love my iphone as well. some things that a few of the competitors might want to think about. anyway. of the nearly 3,300 electric utilities in the united states, over 87% fall under the umbrella of publicly owned utilities. they typically have elected boards of directors or are operated by some form of local government. one other important characteristic is that many of these facilities can be classified as small businesses with limited resources.
9:48 am
i work for the sacramento municipal utility district. we cannot underscore enough that electricity would be a significant target. electricity underpins the capability of everything we do and every other critical infrastructure. threats are changing rapidly. there is no doubt we are being examined. knocking off the low-hanging fruit: patching, secure coding, turning on security, a demarcation line between corporate and control systems, and having a security-aware workforce.
9:49 am
is it voluntary standards or mandatory standards? under the energy policy act of 2005, a mandatory regime created standards. the selection and implementation is based on the risk model, the classification of security and privacy controls. we use the high, moderate, and low classification. overly burdensome regimes can threaten our ability to respond to emerging threats and create
9:50 am
complexity where it does not add value. regulations have the potential to create a strong culture of compliance. we created two security documents: one providing a systematic approach to framing, assessing, responding to and monitoring cyber risks, and the electricity subsector capability model. industry is engaged in the development of the president's
9:51 am
executive order in the voluntary framework. our sector has invested a tremendous amount of professional capital at each of the workshops. we see this as a living voluntary framework that has evolved over time, focusing in on the cyber best practices that we all should be doing anyway. are we doing enough? we are seeing a rapid release of indicators of compromise. this is critical, and so we get the actionable intelligence into the hands of owners and operators. where we have opportunities is the coalescing of security information across utilities, across regions, and across sectors. to do this successfully, we need to make sure we follow basic privacy principles. i know that we take the privacy of our customer information seriously.
9:52 am
we do not see that we would need to share that type of information about our customers. with the executive order, we are poised to expand the use of the information sharing anyway. let's have them as our mediator. information sharing is very important, but this alone is not going to increase our cyber resilience. over the past two years, we have seen systems successfully compromised. we have to rely on suppliers to build in security. in many cases, they hold back details about the technology, stating intellectual property concerns. this leaves the utility with a burden. just as important as the need to develop the next generation of our cyber workforce, we need to cultivate our i.t.
9:53 am
brethren to understand the unique attributes of energy systems, and our engineering students to speak cybersecurity. and it seems i cannot end without the statement we have heard several times: not if you get attacked, but when you get attacked. we cannot prevent cyber criminals from trying, but we can protect our systems, our people, our companies, and our grid by building resiliency into the ecosystem. >> ok, great. now we are likely going to have some folks in the audience come up and ask questions, but as we prepare for that, if you want to walk to the microphone, i will try to recognize you. please tell me who you are and who you are with. one of the things i want to jump on right now: scott touched on something i think is very important to the industry, the privacy issue. the privacy issue in and of itself can be a real obstacle to trying to solve this. one of the things we talked
9:54 am
about was the information sharing and how you share that and how much of that you share and who shares what with you. i thought doug did a good job placing something out there that i think is worth discussing. if you do not -- if we do not need the name of the actor, or other information that we do not need -- scott, i have to agree with you that information sharing in and of itself does not solve the problem, but we have to admit it is the cornerstone of solving this problem. without it, you cannot solve it. what would you recommend we do from here when it comes to privacy? >> from a privacy perspective, we do not have customer pii in that data stream at all. we agree that from a privacy standpoint, we
9:55 am
have no concerns over the release of our security information. where we think that we have opportunity is -- we are seeing what might be coming. a municipality focused on -- in the center of the state; california is a huge state and we have a lot of other utilities. wouldn't it be great if we could exchange information between us and pg&e and say, look what i am seeing and look what you are seeing. we think that information is just noise. together, it is a concerted attack against our region. information sharing with the federal government, i absolutely agree. critical information. we are able to take that and put it into our situational awareness systems and able to make decisions based on that. if we are just waiting for the
9:56 am
government to tell us about it -- i think we have a lot of information coming at us every day that, if we pull it together in a more cohesive manner, we could provide much more actual information back to the government in terms of what is actually happening. >> there is information being shared within the industry and there is information being shared with the government. since the executive order in february, phi has seen a lot of outreach from our government partners interested in sharing information with us that is potentially valuable to us in being aware of the potential threats. who, and need to know what their end game might be.
9:57 am
frankly, we need some boring stuff. ip addresses. i have received some of that; i have received it typically in a non-dynamic form. one thing that would be beneficial would be a form of dynamic feed of known bad ip addresses. i am giving you some of the boring details of what i.t. people do. >> this is exactly what we need. >> if we have information like that being provided to us on a regular basis, that can supplement some of the other layers of defense we already have. if we know what the government knows, we can make sure we are aware of some threats. the better you know them, the better your reaction can be. phi belongs to a threat information sharing portal along with a dozen other utilities. we can begin to share information with our industry brethren. we work for an industry where the
9:58 am
notion of mutual assistance is baked into our dna. we come to each other's aid during storms and we are coming to each other's aid as we prepare for cyber events. if we pursue both avenues, we will be better positioned. >> on the privacy issue, exelon takes the privacy of our customers very seriously. there are ways to protect that privacy while we share information with the government. there is currently a practice in place where, when you get a wiretap from a court or a criminal warrant, non-pertinent information has to be minimized by the government. i would suggest that that practice can be adopted, and any information that the private industry would share with government could be minimized and personal information
9:59 am
redacted that was not pertinent to the investigation. as far as information sharing, i think information from the government as far as threats go, and information developed by the companies themselves, is the foundation for how we position. we cannot just say protect us against everything. we need a design based on actionable and timely intelligence, whether that is generated by the government or by companies. i would suggest the nrc has a good model of providing information to nuclear operators about current and emerging threats.
10:00 am
if we could adopt a similar model, it would help companies position their defenses to address the threats rather than just try to protect against everything. i will go back to the center for strategic and international studies report in 2008. they made three points. they said cyber is a national problem that has to be dealt with. the approach needs to be comprehensive. it needs to use the full suite of american capabilities and resources to deal with it. the third point was the decisions and actions must respect privacy and civil liberties. that is true at the federal level and at the local level as well. we have to have those basic protections in place. as an industry, i think we have
10:01 am
been pretty good at that, sharing data with the federal government, respecting privacy, and from a private-to-private perspective, we share information all the time. at one point, we tried to tally the information sharing forums in our industry with the government. there were 64 or 65. we are comfortable doing that. we need to make sure when we exchange information it is secure, we are using protection methods, and respecting privacy and civil liberties. we continue to improve the process. it is a program we are comfortable using. we have used it in the past. we need to continue to evolve and make sure we make this a tenet of the way we go about protecting information, whether at the federal or private levels. >> great, thank you. i know we have a question.
10:02 am
i see commissioner tony clark. please stand up. i did not know you would be here. we would have had you appear. we thank you for being here. i know your adviser is here as well. we appreciate both of you being here. we know the hard work you do. we know this is important to you or you would not be here. it is rare you see a commissioner in an open audience when they are not serving on the panel. i think that says a lot about the commissioner. we appreciate your attention to detail and duty. thank you for your service. let's give him a hand. [applause] the first question. >> i write for "forbes." my question is for doug. it is interesting to hear it is considered on the same threat level as weather events.
10:03 am
companies like pepco have had to spend a lot to recover from them. how many resources will be needed to protect against cyber threats and where will those resources come from? >> the answer might be across the entire property. security is part of everyone's job. we have security awareness efforts. i am sure the other utilities do the same things as well to make certain everyone at the company understands the potential threats and what they can do to mitigate those. in terms of the level of resources required to solve a problem, i think the key is to first define the problem you are trying to solve. i think you have heard this said a few times. it is worthy of emphasis. it is beyond the scope of the
10:04 am
industry or one company to stop the threats. you have heard who these potential threat actors are. it is clearly understandable why that would be beyond the capability of any company or industry. our job is to make sure we understand the vulnerabilities and do our best to mitigate those. there are many different types of investments made. i think it might be imprudent if i go into great detail on those. to this point, we have the resources required for the task at hand. we have heard the trend line mentioned and how this is a growing threat. i think a reasonable conversation about cost recovery is useful as part of this. the point i would make on that is it is important to understand the role the federal government will play and what role the individual state commissions will play. i will make a couple of key
10:05 am
points. i think we would agree with the following statements. i think we would agree security of the electric grid is in the national interest. i think we would agree prudent and appropriate investments in cyber security and risk mitigation are also in the national interest. i think we would agree a path toward prudent and appropriate recovery of those investments is part of the regulatory compact. the question for this audience might be, are we better served if we attempt to solve that driven by the visions of 51 different regulatory commissions or driven by a consistent federal vision across the nation? i do not get to solve many regulatory issues. i am not asked to solve them.
10:06 am
i would simply ask that question of the group. i think it is an important question to be answered. does anyone else have anything on that? let's go to the next question. >> i am a reporter with "smart grids today." i have heard the suggestion ed made as being a model for the industry. i wondered if nerc is considering it or has put forward proposals to that effect. >> i have not seen anything along those lines at this time from nerc or ferc. >> what would that look like? maybe you can now -- elaborate on the analogy with the nuclear industry and what that would
10:07 am
look like in practice. >> if we're going to take the es-isac as the clearing house for information, they would be the focal point for intelligence information from the entire intelligence community. they would pull in from the cia, nsa, fbi, all of the different intelligence agencies and then put together a suggestion about how to protect yourself against these threats. that is similar to the way the nrc does it. in practical terms, that is the way i would envision it. we are a nuclear company. we have brought in a lot of talent from our nuclear business to help mature parts of our i.t. and compliance programs.
10:08 am
we have brought their discipline, practices, and processes into our program. it has helped us mature and evolve to a very disciplined state. they have a lot of practices we have been able to bring in. it is a model we have looked at for use in other parts of our company. i would say the es-isac is well-positioned to be the mediator with us. with the assurances we now have on the separation between information sharing and enforcement, it would be a great way for us to be able to share information and have a body that understands the information we
10:09 am
are sharing. that is one of the big keys. we can open up the security event system in every company. but unless you have an understanding of how those operate, it will be difficult to make any action out of that. nerc has the institutional knowledge of our industry. >> that brings up an interesting question. i will follow up and submit to this group that the nuclear industry is a good example when you look at things like risk assessments, things we have learned from the industry which mitigate risk and make us understand what the risks are and what actions we should take. having said that, if you look at the nuclear model at the nrc, you have an organization where the nrc gives great deference
10:10 am
to the understanding it is a private organization that does a good job of self-regulating the industry to make sure they are safe and secure, understanding they are vital to the economy. having said that, do you foresee anything like that within the industry where there is something that steps into that role? do you see that for the electric and transmission sector? buehler? [laughter] >> one of the challenges is there is data and information. i think we all agree those are different things. in data but not understand how to connect the dots to make sure you understand the key threat you are looking to address.
10:11 am
there is certainly a role for data to flow into the industry through various means. we talked about a number of those. another key point we want to make sure is emphasized is there need to be mechanisms to turn that data into actionable information. the role government can play or other agencies can play to help provide data and start connecting dots is key. i think it is also worth noting in the industry, the ability to take the data and understand how it can be turned into information is helpful and necessary as well. >> i am with itf international and a former colleague of chris. i want to go back to who pays and the regulatory compact. he said resiliency is not free
10:12 am
or cheap. in my discussions with regulators, they are looking for some sort of regulatory construct in which to be able to understand the costs and benefits of the investments necessary to make the grid more resilient to cyber assault and recover it. yet regulators are facing conflicting pressures, rate increases, affordability, etc. how do we talk to regulators at the state and federal level? how do we deliver some sort of model or regulatory construct against which regulators can make some sort of cost benefit decisions regarding what is necessary to protect the grid in a cyber situation?
10:13 am
>> it is clearly a difficult issue or it would have been solved already. a point worthy of emphasis is when we are trying to solve this at 51 different commissions, we need to also understand the nature of the grid is such that it is one large connected system. the actions or inactions in one state can have effects on other states. if you study the history of the industry, there are specific examples that can be cited such as the 2003 blackout. it is difficult to build a business case for cyber security. i have never been asked to build a case for it. it is recognized it is a risk that needs to be mitigated, but no one has ever challenged me on
10:14 am
it because it does not lend itself to that type of discussion. we do what we need to do to make sure the system is reliable and secure. the conversation at the state level, if it could be informed by a clear and compelling federal vision about what they would like to see each utility across the country do and what they would like to see each state commission do, with clear guidance on a path to recovery for those investments, i think it would be very helpful. >> we are a little different. we have three little ones. we have a different issue when it comes to cost recovery. our rate cases do not go in front of the public utilities commission. they go in front of our customer owners. they are expecting us to be
10:15 am
taking care of them. we are very much a community organization. we are an insurance policy. we buy insurance for a lot of things. you rented a car and paid for insurance in case of an accident. we need to be mindful that not every vulnerability has to be mitigated. if there is no bad actor or means of exploitation, i challenge us to think about whether that needs to be mitigated or not. is that the right investment to make at that point in time? if we have a threat actor with the means to carry out an exploit and a vulnerability to exploit that will cause a catastrophic event, those are the vulnerabilities we need to invest on. i can stand in front of our board of directors and customer-owners and clearly tell them what can happen if we do not
10:16 am
do that. those are the cases that make more sense to the american population. just putting that out there. >> i would add i agree the issue has to be addressed at the federal level. it cannot be every utility in the country trying to recover rates at the state level. i think the president's executive order opened the door to this possibility because it discusses incentives for companies that comply with cyber security. that may be a way for the federal government to incentivize companies to comply with cyber security. >> let me approach it from a
10:17 am
different angle and then i will come back to you. one thing we deal with in the industry is we do have regulators that look over our shoulders. if we make mistakes and something bad happens, we're going to have regulators asking us why did you not -- right? in this economy, it is a difficult time for the industry. for those of us who have had to look at the balance sheet and see how we are performing, when it comes to cost cutting, this may be some of the areas that get the knife. are you confronted with that? is that a real issue for the industry? if so, how are you dealing with that? >> i am expected to make prudent and appropriate investments to mitigate a number of risks and performance and
10:18 am
stabilities of the systems that enable all of our business processes. to this point, i can tell you matters of cyber security, given the ceo focus on it, have been the ones easiest to spare from the knife at present. that speaks to the level of commitment the industry has and the level of ceo and board involvement in the issue. my concern, and one a lot of us share, is as the trend line continues and the risk grows, the path to recovery for prudent and appropriate investments is key. having some sort of federal consistency around what utilities should be able to recover, i believe, is in the national interest. we are only as good as our weakest link. we want to make certain the companies supporting the connected
10:19 am
grid, that we're all approaching it the same way and making reasonable investments and not worrying about how we will have to argue for the funding of them. >> i would add we have a lot of support from the board of directors, the ceo at exelon, for security as a whole but more specifically for cyber security. we have quadrupled our staff for cyber security over the last four years. i do not see cuts looming on the horizon even as we cut back in other areas. >> i would echo those comments. security compliance, we do not compromise on. we have a five-year plan in place to bolster our defenses, making investments around security technologies and compliance for those areas that
10:20 am
are important to our company and their strategic priority. >> i want to make one comment. i have spent a lot of time in the past five years telling people it is not if you get attacked, it is when you get attacked. the question is not, why did you not do something? the question is, what was the resiliency you had? a lot of the things i do are about resiliency. they are about being able to be aware and respond. i know somebody is coming. at some point, somebody is coming at me. we have a very good engagement because of the mantra of "it is going to happen and i am an insurance policy." the board is asked all the time if scott okayed this. they want to make sure the risk is mitigated. they want to make sure it is the
10:21 am
right risk and not just some checklist or requirement that is not going to add value to our security posture. >> i am with the public service commission. there has been a lot of talk so far about what is going on at the federal level having stronger standards. to what extent are you using those lessons to fill in the gaps where states have not taken action to protect the local distribution system? >> that is a good question. a lot of munis are provided. we treat our distribution system the same way we treat our transmission system. we have the exact same control systems. the controls are applied to those. we classify them as assets that need to be protected.
10:22 am
they may not fall under designation under a standard, but we treat them the same. we recognize it is fantastic to transmit power and generate power, but our customers expect us to deliver it. we have taken that burden on of starting to protect our distribution. from a smart grid perspective, it went through our entire security posture. we looked at where the gaps were and looked at compensating measures. when we applied for our grant, we built cyber security requirements into the grant and our smart grid. we are treating it the same. security is in the dna of our approach to engineering systems. we have worked with vendors we did not feel have sufficient
10:23 am
security features on something of critical importance, along with other industry and utility partners, to help them shape the future direction of their product so they have the appropriate features to keep the grid secure. we have chosen not to do business and have communicated to vendors that if they did not have certain features on their products we would not do business with them. as more utilities deliver that message in the marketplace, i think you will see more vendors realizing seat belts and car safety are not an annoying thing they are supposed to do. it is the basis for a competitive advantage. it is something customers need and want. we have not necessarily relied first and foremost on what the government is telling us we need to do to secure our system.
10:24 am
we're very compliance focused. we intend to meet the requirements and take them seriously. we go above the requirements and conduct penetration tests that go beyond what they are requiring us to do. we take a system wide approach to these potential threats and vulnerabilities. we do our best to make certain we are making the appropriate security and functionality trade-off decisions. when you look at the people who have made the most money in the i.t. marketplace, for the most part they have led with functionality and not necessarily security. what we have done and what you will hear from the others is within the utility industry, we take that trade off very seriously. if we have to do something slower to be secure, we will do
10:25 am
that because security and reliability go hand in hand. >> for anyone to put something on our network they have to go through a review process by security. we created a security architecture team specifically dedicated to reviewing all proposals. the way we view it and get buy-in across the company is that if it is not secure, it is not reliable. when you are dealing with engineers who have looked at things through the reliability eye, that rings true with them.
10:26 am
they are more apt to come to us at the very beginning when they are getting ready to send out a statement of work or an rfp for something. they will get us in at the very beginning. >> anyone else? we have time for maybe one more. wish list, it does not matter if it is a federal or state commissioner, whatever. what tools do you need that you do not have and what is in your way that you would like to have removed? if i could get everyone to answer that. sometimes when we have a commissioner in the room, we are apprehensive about what we say. now would be your opportunity to
10:27 am
say here is what i need and here is what is in my way. >> i will take the first stab at that. it is not a really long list. i think you have heard these things referenced throughout the morning. for our response, we need very clear protocols and procedures around what agencies are going to be responsible for what. i laid those out in my opening remarks. clarity and repeatable consistency when we respond to emergencies. that would be very beneficial to us. the second ask would be the information. if that information can be declassified but dynamic at the boring level of detail where it is beneficial to the i.t. groups. the third would be some degree of consistency around a path to
10:28 am
recovery for prudent and appropriate cyber security investments. >> i agree with everything he said as far as priorities. i would like to see machine time information exchange. what i mean is something similar to what is being done at the national labs where they have a federated model and the information from some of the intelligence community members, the national labs, is funneled and that information is pushed out by machines to all members. i would like to see something along those lines. i think it is more of a technology challenge rather than a willingness to share. that would be my ask.
10:29 am
>> all right. i have been typing out a long list. i apologize in advance. first and foremost, we need a trained work force. we need to invest in bringing up a generation of cyber professionals. we do not need to wait until they are in college. we do not need to just look at the i.t. field. we need to start young. we have young kids that know how to mess with their phones better than their parents. that is the age we need to start bringing them up and make them understand what security and privacy is. bi-directional information sharing. i would like to tell the government i have information that would be beneficial to you. that would help to make the information they share more actionable. we need clear lines of who is in
10:30 am
charge. everybody wants to be in charge. we need to know. if we're going to call the bat phone, we need to know who will pick up on the other line. it cannot be a rotating set of characters. we are doing things that are good. something bad is going to happen to somebody at some point. the fact that we did due diligence does not automatically mean we should be penalized for that. it is, how did you respond? how was your resilience? i do not need, i do not want, prescriptive controls. that limits my ability. prescriptive controls telling me everything i need to do will create complexity and security risks for my company.
10:31 am
controls that respond to threats, vulnerabilities, and threat actors -- not a checklist. thank you. >> i would characterize it, if i have three priorities that need the most attention, one is the c model needs to mature. there needs to be latitude for entities to self-identify and fix their issues from a security compliance standpoint. it seems to be the approach of nerc and i think we're moving in the right direction. i am encouraged by where that is going. it has already been discussed, the information sharing, the public-private partnership needs to mature and be more effective.
10:32 am
we need to leverage more of the capabilities and offerings the federal government has to offer around r&d, training, and awareness, things the federal government has been working on. i think there is a lot of benefit we derive from that. lastly, from our perspective we need to continue to mature. it is an evolving process. we need to improve. we need to continue to improve, make investments, train our work force, bring in talent, put technologies into place, simplify the enterprise, automate. all those things go into a well-integrated and functioning cyber program. i would say those are the three areas that are important to us right now.
10:33 am
>> i misled them. one more question. i do not need to get into it. you can do that later if you like. if we had to identify risks, and whether cyber risks are more on the distribution side or transmission side, which would you choose? which would you say is our weaker link? let's start with chris. >> i do not think it is a transmission or distribution issue. i think it is a people issue, not having the right folks in place. it does not matter what part of the business you are in. there are vulnerabilities everywhere. if you do not have a functional program, you have risk everywhere. it could be distribution, transmission, on the corporate side, at the personal desk
10:34 am
level. risk is everywhere. it is the maturity of the program that is the risk. if it is immature, you will have risk in all parts of your business. it is a more complex answer than you were looking for, but i think that is where it is. >> i would agree with chris. it can be either one. i think it is a people issue. 70% of all the viruses we get at exelon and clean up are caused by people clicking on things they should not. it really is an education, awareness, and people issue for the most part. but it can exist on either system, transmission or
10:35 am
distribution. >> i agree. awareness is job one. that is why we try to make employees and contractors understand what they can do to help keep our -- secure and reliable. >> it is a human and supplier issue. but it is a human issue for sure. >> i did not get a single answer i was looking for. [laughter] is sympathetic to that, right? let me invite the panel to do this. obviously the reason the bpc is here is to present facts and understand issues when it comes to cyber and how we deal with that going forward. we will be producing a paper. we will be writing that in the coming months.
