Expressing concern over the bulk power system’s preparedness for a cyberattack, members of the Senate Energy and Natural Resources Committee on Wednesday pressed representatives from industry and the federal government to strengthen their cooperation.

King Focuses on Testing Gap

Testing utilities’ cybersecurity preparations was a major theme of the hearing, with Sen. Angus King (I-Maine) asking witnesses what work their organizations had done to verify the readiness of utilities’ systems.

“I was very disturbed a year or two ago when we had a hearing on this subject, and I asked the fellow from NERC, ‘Do you red-team, do you [penetration] test,’ and the answer was, ‘I don’t think so,’ or something to that effect,” King said, referring to testing practices where organizations hire professional hackers to try to break into their systems.

While Thomas O’Brien, senior vice president and CIO of PJM, assured King that the RTO frequently conducts penetration testing and red-team exercises, the senator was not so happy with the response of Alexander Gates, who earlier this year was picked to head the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER). (See DOE Names Gates to Head CESER.) Gates said that while DOE conducts red-team exercises on federal property, the office serves a consulting role with regard to private sector organizations.

“Wasn’t CESER designed to protect the grid?” King asked.

“It’s designed to protect the grid, yes sir, but —”

“Isn’t [part of] protecting the grid determining whether it’s safe?” King broke in.

“We could do more, perhaps we should do more,” Gates admitted. “I don’t know if it gets to the level of pen-testing or red-teaming … but again, right now … with the responsibilities and authorities that we have, and the partnerships, it’s an advisory service that we’re providing at this point.”

King asked Gates to inform the committee if additional authorities would help DOE and CESER to strengthen their testing capability, reiterating that he “[didn’t] see how you can carry out a mission of protecting the grid without testing the grid’s vulnerability.”

Manchin Probes Communication Resiliency

Sen. Joe Manchin (D-W.Va.) also grilled Gates and O’Brien on testing. The ranking member’s questions focused on utilities’ ability to maintain communications during cyber incidents.

Manchin first asked O’Brien whether PJM had any procedures in place for testing whether members have robust mechanisms for keeping essential data flowing to the RTO. Told by O’Brien that “we don’t feel [that] is in our jurisdiction,” Manchin asked Gates if DOE had made any effort to check on communications resiliency.

“If they’re actually not really hardening the systems to protect against the cyberattacks, how are you able to detect that?” Manchin asked. “Do you wait until something happens, or are you all checking to see if they’re doing it?”

“We’re not — there is a reporting mechanism in place —” Gates began.

“No one’s checking, I can tell right now, no one’s testing to make sure,” Manchin interrupted. “If I wanted to find out if you did what you told me you did, I’d have one of my smart people try to hack in … and see if I showed a fallacy there. So we’re not doing those types of testing.”

Gates observed that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with FERC and NERC, do have “mechanisms to engage” with private utilities, but DOE is limited in its ability to oversee implementation of security guidelines. O’Brien concurred, telling Manchin that “we rely on … NERC compliance” and audits to ensure members are dealing with their vulnerabilities properly.

“Well, we’ll have to check with NERC, then, or check with somebody to see if somebody’s checking anything,” Manchin replied.

No one from NERC participated in the hearing.

Murkowski Urges Aid for Small Utilities

Chair Lisa Murkowski (R-Alaska) reminded participants of the role that municipal utilities and rural electric cooperatives play in large parts of the U.S. grid. She asked Gates for an update on CESER’s efforts to help strengthen these smaller entities’ cybersecurity preparedness through grants and information sharing.

Gates did not provide any specific funding figures in response but reassured the committee that CESER is “working very hard” to ensure that small utilities and co-ops have the resources they need.

“The small utilities are … in some respects, the soft underbelly of the grid, and we take great pride in certain research and development programs … that we think are going to be valuable in providing those entities the same level of protection as some of the larger utilities,” Gates said.