By Michael Brooks
WASHINGTON — House Energy and Commerce Committee members seeking details about foreign cyber threats were left wanting Friday as grid reliability officials declined to discuss specifics.
Appearing before the committee’s Subcommittee on Energy, NERC CEO Jim Robb, FERC Office of Electric Reliability Director Andy Dodge and Karen Evans — assistant secretary of the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) — all seemed hesitant to answer members’ questions directly. Instead, they often talked generally about their agencies’ efforts to protect the bulk electric system from cyberattacks. Sometimes they outright declined to answer, citing classified information.
Ranking member Fred Upton (R-Mich.) acknowledged the many security exercises the industry conducts, but he asked if any of them involved simulating cyberattacks against natural gas pipelines. Dodge said DOE held a classified security briefing, followed by a joint tabletop drill with FERC that “involved electricity industry officials, natural gas industry officials [and] all the RTOs and ISOs. And it was a rather extensive event. There were lessons learned … and the items from those we’re actively following up on.”
Neither he nor Evans said when the exercise was held. Upton followed up by asking them if their agencies were planning another exercise. Robb jumped in, speaking at length about NERC’s fifth Grid Security Exercise (GridEx), which will be held Nov. 13-14.
Rep. Scott Peters (D-Calif.) asked Evans if she knew “how many cyberattacks the electric grid sustains on … an average day.”
“It depends on how we talk about a cyberattack,” said Evans, who appeared to be choosing her words carefully. “We are in constant communications with the ISACs [information sharing and analysis centers], and we constantly monitor what is happening in the state of the sector as a whole. So beyond that, I am happy to come back in a more appropriate setting to give you more details if you’d like.”
“Well, you didn’t tell me a number,” Peters responded. “Do you know the number yourself?”
Evans repeated that it depends on how you define a cyberattack. Peters followed up by asking if CESER was able to determine “how much of that activity is coming from state actors.” Evans gave a blank stare before smiling and saying, “So, again, I would be happy to talk about that more, but the way we are designing the system…”
“I’m not asking to tell me if it’s coming from state actors,” Peters interrupted. “I’m asking, do you know whether it’s coming from state actors? Is that something you don’t want to answer here?”
“I would like to answer that in a more appropriate setting.”
Similarly, Rep. Jerry McNerney (D-Calif.) asked Evans if she was “aware of any foreign governments embedding cyber weapons into our utility grid today to be used in possible future attacks.”
“I would reference back to the unclassified version of the Worldwide Threat Assessment,” Evans replied. “I think that the [director of national intelligence] has been very specific about what our adversaries’ capabilities are.” She said she has memorized the widely disseminated quotes from the report about Russia’s and China’s activities: They have “the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure…”
Rep. Ann M. Kuster (D-N.H.) asked Dodge whether FERC publicly discloses the names of utilities that have been assessed penalties for noncompliance with critical infrastructure protection (CIP) standards. Last month, Public Citizen filed a complaint with FERC requesting it release the names of two entities that violated 25 CIP standards between them (NP19-10, NP19-11). NERC issued penalties of $1 million against each of the entities.
Dodge said that over the past year, the commission has received “a number of” requests for critical energy/electric infrastructure information, including the identities of entities that have violated CIP standards, under the Freedom of Information Act. “We review them in excruciating detail, and we’ve determined which ones to release [and] which ones not to release,” he said. “We are still working through that, and we have released the names of some entities where we did not believe it would be a threat to security of that entity.”
Throughout the hearing, the panelists emphasized that interagency collaboration and information sharing between government and industry were critical to protecting the grid. Several representatives asked what Congress could do through legislation to help facilitate that.
“The most important thing from our perspective would be for government to be able to more rapidly declassify information, to get it into actionable insights that we can get out to industry,” Robb said. “Industry doesn’t need to know the origin, we don’t need to know the sources, we just need to know the what’s.”
McNerney asked Robb if “the security clearances of utility officials was an obstacle to effective data sharing of cybersecurity information.”
“I would say yes,” Robb replied. “Just the sheer number of individuals who are waiting for a clearance and don’t yet have them is problematic.”
McNerney then asked how Congress could fix that.
“I don’t have an answer to that question, but it’s a problem that needs to be resolved,” Robb said.