nerc already has the authority under section 215 d-5 to direct ne nerc to prepare a standard. if congress decides to allow to be addressed at a minimum the ero should be given the opportunity to address the identified vulnerability. backstop authority if the ero fails to address the vulnerability within a prescribed period. while we appreciate the current draft which urges t consider our recommendations, if time allows, we believe more is needed. other provisions of the discussion draft are not needed. nerc has issued infortion to ensure industry undstands and mitigating the vulnerability. the provisions on geomagnetic storms also ar not needed as nerc already has the authority to address these topics today. nerc is actively working on the issue and an alert providing industry with operational and planning actions to prepare for the effects of a severe geomagnetic disturbance. in addition, a nerc task force has focused on mitigating risks associated with long lead time, transformers, and developing a secure data base for securing information on spare equipment. finally the ero

does it direct nerc? how are those standards communicated to users of the system and what is the protocol for nerc? >> it's mr. mcclelland. i'm not a commissioner. >> oh, yes. that's right. >> thank you. i'll answer your question saying it depends on the issue. if it's an urgent matter, it may be very appropriate. the commission has done this to bring in members of the affected utility who have security clearances, to brief them in detail on the perceived vulnerability or threat and work out a table top solution as to how they might increase their preparedness for some interim period of time. it wouldn't be appropriate, necessarily appropriate, to try to develop a standard around the very sophisticated targeted threat that exploits a vulnerability with a handful of entities. if it's a larger issue, the commission engages in rule-making procedure. so the commission would order nerc upon filing or upon its own motion, to address a specific issue, security issue. nerc would then receive the order, engage ind

nerc as the ero. the ero developing and proposes cybersecurity standards or modifications for the commission's review. which it can then either approve or remand. if the commission approves the proposed cybersecurity standard, it becomes mandatory in the united states applying to the users, owners and operators of the bulk power system. if the commission remands a proposed standard, it is sent back to the ero for further conversation. puberty -- in january of 2008, ferc approved 8 cybersecurity standards known as the critical infrastructure protection or standards but directed nerc to make significant modifications to them. compliance with these eight standards first became mandatory on july 1st, 2010, although nerc has filed and the commission has approved some modification to the standards, the majority of the commissions directed modifications to the cip standards have not been addressed by nerc. it's not clear how long it will take the cip standards to be modified to take care of the gaps in them.

nerc filed modification, the modifications to the cip stanrds have not been addressed by nerc. it's not clear how lg it will take for the cip standards to be modified to protect the significant gaps in them. the smart grid technologies added to the bulk power system. greater cyber security protection will be required, given that this technology provides more access points, thereby increasing the grids' vulnerabilities. the cyber security standards will apply some, but not most smart grid applications. moreover, there are noncyber threats that also pose national secuty concerns. naturally-occurring events or physical attacks against the power grid can cause equal or greater destruction than cyber attacks and the federal government should have no less ability to protect against them. one is electric row magnetic pulse or emp. emp event could shut down a large part of the power grid. emp events are naturally generated, caused by solar flares disrupting the earth's magnetic field. such events are inevitable, can be powerful and can cause significant and long disruptions to the grid

president of the international board of security examiners and former chief of security officers at the nerc testified last year and i quote we're not only susceptible but we're not very well prepared, end quote. now, i supported the grid act as a move to the house last year because it seeks to address some of the unique political and regulatory challenges in our power industry today. currently, we live under a system that does not prioritize security, though. but actively penalizes open reporting and coordination. the legislation that's before us today aims to correct this but allowing federal regulators greater authority to protect americans during times of imminent crisis. it also provides for the issuance of orders to identify and mitigate vulnerabilities to protect the bulk power system from cyberattack. while this measure is a significant step forward, i'd also encourage the committee to consider provisions in my legislation and in senate and administration's proposals that expand this model to other sectors of critical infrastructure and enhance the ongoing efforts of dhs to quickly r