Committee Chair, Sen. Lisa Murkowski (R-AK), opened the hearing by noting the importance of cybersecurity and observing that cyberattacks on the power grid are “near-constant and only growing more sophisticated.” Nor are such attacks confined to the power grid; the Senator mentioned recent attacks on both the DOE’s Hanford Site and on a facility working on a COVID-19 vaccine. Ranking Member Sen. Joe Manchin (D-WV) observed in his opening remarks that the issue is particularly pressing, as the prevalence of remote work due to COVID-19 has increased the opportunities for cyberattacks in both the power industry and elsewhere.
Questions from the Committee to the witnesses reflected the multifaceted nature of cybersecurity and the wide range of interests involved, addressing, among other things, the need for penetration and “red-team” exercises to test cyber preparedness, the resiliency of utility communications infrastructure, the need to protect natural gas infrastructure as well as the electric grid, the benefits and drawbacks of distributed generation from a cybersecurity perspective, and the simultaneous need for both increased transparency and increased security when dealing with critical infrastructure. Sen. Murkowski also expressed particular concern for the “soft underbelly” of the grid, namely the smaller utilities, such as municipals and cooperatives, which may not have the resources to devote to cybersecurity.
The Committee also asked the witnesses about the implementation of Executive Order 13920. Mr. Gates noted that the DOE has been actively engaging with the industry, and has held more than 90 calls with asset owners and manufacturers. Mr. Gates touted CESER’s Cybersecurity Testing for Resilient Industrial Control Systems (CyTRICS) program as a key part of the implementation of the Executive Order. CyTRICS will be used to test components in electric grid control systems to identify supply chain and systemic risks. Mr. Gates also outlined the four “pillars” of the DOE’s implementation of the Executive Order:
- Prohibiting particular foreign adversaries from supplying particular BPS electric equipment.
- Establishing a list of pre-qualified vendors of BPS electric equipment.
- Developing advisory recommendations for the identification, isolation, monitoring and replacement of at-risk equipment currently on the BPS.
- Presiding over the new Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security.
Speaking for PJM, Mr. O’Brien noted that the biggest cybersecurity risk to the nation’s largest grid operator is its members. Although PJM itself has devoted considerable resources to cybersecurity, it cannot ensure the integrity of the data it receives from its membership, nor protect the communications infrastructure that provides that data. He observed that the North American Electric Reliability Corporation (NERC) Cybersecurity Supply Chain Risk Management standard, which PJM supports, is set to take effect in PJM and all other North American Independent System Operators and Regional Transmission Organizations (ISOs/RTOs) on October 1, 2020. He emphasized, however, the need for supply chain standards and practices to evolve constantly. With regard to the Executive Order, he urged caution, noting that although ISOs/RTOs own few electric assets, the Executive Order could have significant impacts on operations, markets and planning. PJM therefore agrees that a “surgical approach must be utilized.”
Mr. Conner of Siemens Energy responded to questions from Sen. Bill Cassidy (R-LA) about his company’s supply chain protection measures. Sen. Cassidy was particularly concerned with counterfeit goods and/or the possibility of tiny microchips being inserted in goods originating in or even passing through China. Mr. Conner responded that Siemens Energy’s U.S. operations use a preapproved vendor list and rigorous testing to counter such threats. Mr. Conner’s written testimony detailed the company’s supply chain security measures.
Mr. McClelland discussed FERC’s two-pronged approach to cybersecurity, with one side being NERC’s Critical Infrastructure Protection standards and the other being the creation of OEIS. Mr. McClelland also discussed the issue of critical infrastructure information with the Committee at some length. There appears to be momentum building to support more restricted access to Critical Energy Infrastructure Information, though there has never been a documented deliberate leak of such information under the current rules.