tv Key Capitol Hill Hearings CSPAN April 19, 2016 9:37am-10:01am EDT
locally we are in touch with her county emergency management agencies. we advise them of outages in their countries and expected restoration times. this allows them to coordinate with other organizations like the red cross to set up services such as warming shelters but we have close relationships with local police and fire departments. along with other agencies and utilities we persist in tabletop exercises which simulate emergency scenarios and strengthen our community networks. communication with our members is important. we always provide the option to speak with a live customer service representative. we use outgoing telephone messages, informational postings on our website and social media, a jewish radio and television broadcasts which could be used even in the event the internet is down to keep members and the public informed about outages. we test our business continuity and disaster recovery plans annually, and we have plans in place so we could operate from a
remote location if necessary. cybersecurity and awareness is a critical part of our operational preparedness. though we are a small utility, we strive to follow industry best practices such as the use of network scanning and intrusion detection programs in protecting our operational data as well as our business and member information. we practice but in the pennsylvania department of homeland security's task force on cybersecurity. our preparedness in the field is tested throughout the year during localized outages caused by weather events and other conditions. lessons learned through experience, along with the coordination with our national, statewide and local networks would form the basis of our response to a national or cyber event. again i thank you for the opportunity to testify today on our emergency preparations and recovery efforts. >> thank you for your testimony. i will now begin our first round of questioning. this question is to all.
i'm going to ask you the same question i asked our first panel. what is the planning scenarios that state and local governments should be using for a cyber attack on the electric grid? will power be out out for days or weeks or months? considering both a cyber attack and a physical attack, the worst case scenario. how widespread the outage be? mr. cauley, nerc runs and exercise on the failure of the grid. what scenario do you use? i will let you begin. >> thank you mr. chairman, for the question. as i mentioned in my presentation we do probably post estimated that is 10 times beyond any sort of realistic expectation in terms of the magnitude which is to test and shake us out and see what we can do. i think the difficulty in understanding the question is that there's many kinds of
hazards that can cause outages. in fact, if you look at, we do a lot of data and analysis about what causes blackouts. that's one of our jobs. since 2011, so four years running in our data, the weather has been a top 10 causes of all major outages in north america. so we have that sort of a slowing. so the question for me, i phrase it as what kinds of things can cause outages from a few hours up to two to three days? there's a lot of things that can contribute toward that, and what kind of response capability we have. so could the storms come to be equipment failure, could be a number of things. i think as we get to the kaiser things were talking about in terms of cyber and physical attacks, i think it's reasonable to ask, and severe storms, i storms, hurricanes.
it is reasonable to ask the question how are we taking care of people in a one to two week outage? and may not be everywhere but it might be in some local areas. it might be some cities that could reasonably be facing a one to two week outage. i would hate for us to say it's a cyber event will it's a storm. really a public safety issue is very similar. the major difference would be to me the major difference would be, we know that some kind of security concern, law enforcement would be involved but still the same fundamental without electricity you need to take care people, give them fuel, food and water. the one scenario i think that is the exception i think was appropriate the committee participated in the legislation around their equipment, the one scenario i think realistically concerns me longer than the one to two week timeframe is damaged their equipment. and particularly the transformers, that could happen from bomb blasts, shootings,
other gmt storms. the question is not what caused but the question is what are you going to do if you loose transformers. >> i guess what i'm getting at, i want to get this done, connect the dots down to the local and state. i feel pretty confident that getting to that point we've got all ducks in order. i'm just concerned that there's a missing link to what should that states and local governments be preparing for or planning for any length of time? because they need to do the same thing you are doing. they need to know the scenario of worst case, what do we need to prepare for? spirit right. i've been doing reliability for 35 years. i think there are two levels. there's normal expected to see a number of times the year is the one to three days is a normal kind of scenario that everyone should be prepared for.
i think they wanted to make scenario is a scenario that if you are prudent, i would be talking with the mayors and city councils about what you can do to be ready for one to two week outage in the extreme case of hurricanes and earthquakes in those kinds of things. my only exception is spare equipment and damage may be more challenging. it really is independent of the cost, whether it's cyber attack, i can't imagine a cyber attack that is going to damaged equipment to the outage within hours or days. >> i would agree with mr. cauley. i think the prudent thing would be the same as what we are doing today for devastating storms which is will a one to two week outage preparation. there are a lot of resources that are currently available to local communities, both at the state and local community level that are really great resources that afford to i don't think all the towns and communities take
full advantage of. a lot of really good best practices that have been used by towns and cities that have been more experience with devastating storms. so, for example, the state of florida has a lot of experiences and lessons learned that are available to towns and communities. i think the other thing and this was mentioned by the representative of fema earlier, it really boils down to in many cases the probability of the event happening that risk of the event and willingness to put in place and spend the money for backup generation or other backstops that would be necessary for one to two week events. i think that's where i would direct the towns and communities to be aware of what is available. utilize that fold and then make the critical investments that they need to survive a one to two week period. >> i'm going to connect the dots. do you think it's the federal government's responsibility or
the state government's responsibility to make sure that the local government is doing all that? iges consumer going to everybody pointing fingers where i thought you said, i think you did, nobody did. whose responsibility should it be that we make sure that the local governments are prepared? today is the first time i'm hearing a length of time, and in my own mind again i'm going to put the mayors back on, i'm beginning to think, if it's a week or two weeks, there's a lot of things i need to be prepared for and we're probably not. which means that most cities are probably not prepared and i think that's what this is about is really to raise a red flag today that we are not prepared in the event of something drastic, major, unlikely but could be spent a couple comments. first i would say, and you
probably would not want it is necessary but i think it is the shared responsibility between local government and the federal government. and i really do believe that because you are just not going to have federal boots on the ground in all these local communities to get the committees back up and running. secondly, i would say there's things the local utilities do have at their disposal to up with local communities in terms of communication and even backup generators that we can deploy to high priority areas to make sure that when we need to restore the system and we can't do it in a timely fashion, at least for some basic level of service we can provide. i think in an extended period of outage you will still have power to certain areas, have a backbone the power to him in a big discount or that down by the think collectively there will be ways to get resources able to the local towns and communities. to be quite frank i was skeptical when they started this electric subsector core dating council and whether the cub was
going to get help us as an industry to store power quicker but i think presently surprised the last level of cooperation and collaboration that has gone on in the last three to four years. there are simple things like providing fuel that we needed during hurricane sandy to restore towns and communities in new jersey and pennsylvania. there's other things like providing dads for crews were coming from out of state. we were able to access a barracks at the department of defense facilities, access portable generators. would able to access experts in emergency response. so the are some things the federal government can be very, very helpful for, and i think now that we have a playbook that dictates who does what when, which was always my concern in a major event, who do i call? are they going to be ready for that call? i can say that from what i've seen so far i believe we are more ready than we've ever been
in the past and we have a very good system and a playbook that we can go right down the light and have access, in this case, we are talking about with this committee to cyber resources at the highest level of the federal government. >> thank you. >> i agree with my fellow panelists on the shared responsibility. i would also like to emphasize to the subcommittee the importance of communications during crisis periods. my experience has been sometimes it's not the length of the outage but simply knowing how long it's going to be a with the expectation is. it can help both residential consumers as well as townships and towns understand how they need to plan. i would also like to add one thing we've seen in our rural areas of, especially since hurricane sandy, and that is a focus on individual preparedness. i'm seeing our local county emergency management agencies doing a great job in trying to educate the public on being
prepared. we tried to do the same thing. of course, we are in a rural area. we are subject to many weather events so i think our consumers are relatively prepared to i'm not suggesting we can't rely on that but i think that is an element in all of this. thank you. >> the chair recognizes ranking member carson. >> thank you, chairman barletta. ms. kilmer, you mentioned that copyright rural is not connected to the bulk power system but you receive services from the lack. what does it mean for cooperative in the event of a nationwide cyber attack on the grid? >> in the event that was a cyber attack that took down the grid we would be affected by that. the transmission system was perfected empower was disrupted to a substation. would also be out of power.
>> mr. spence or whoever. it was a newspaper article yesterday that indicated that the fbi and department of homeland security have been warning that our industry over the last month about a potential cyber attack. what role as electricity information sharing and analysis center, what role might they play and distribute this kind of information? >> thank you, congressman. that is exactly really what the information sharing and analysis center does. in fact, i'm not aware of that particular one. we do dozens of these a day. we get information posted industry. we have thousand participants and industry who received those notices every day. >> i yield back, mr. chairman. thank you. >> the chair recognizes mr. meadows. >> thank you, mr. chairman.
mr. cauley, did i hear you correctly, you said that in in e event of a cyber attack, the longest period of time that people would be without power, and our? is that what you said? >> thank you for allowing me to follow up on my, on whatever i said. my point spitters sometimes vital hit record but i wanted to give you a chance. >> the point i was trying to get to but i rushed was, it's a very difficult form of attack to go from a cyber attack. it's easier to steal information or disrupt electronics. it's technically challenging to go from an electronic cyber attack to causing physical damage to equipment. even in the ukraine attack there was no damage to equipment. the breakers were operating to basically shut down the theater still going to customers but there was no damage. so that once they realized what was happening, they basically a defeat the computers and that people go to the station manually and flip the switch and
put the power back on. so my point, and i would love to continue working on this and getting some actual data to support that come is it's very hard to transform from a cyber attack into long-term damage that would be measured in weeks. because jeff hirt equipment to do that. >> that's really my focus, is not turning a switch off your order or tripping the breaker or making the jack will out. that's minor. i guess the type of cyber attacks that we are seeing and hearing about in classified settings is not directly related to the electric utility business. so being able to come in. i assume going into a generating capacity. let's say you have a generator. there's all kinds of controls and switches to make sure that you don't run into problems with
the electrons. let's put it that way. so all of a sudden somebody coming in with nefarious, not just turning a switch off, and scramble it in such a way that it would create unbelievable damage, certainly from the standpoint of generating capacity. i don't want to talk about it in an open forum like this, but i guess my concern, are you not having those kinds of conversations which are more than just turning the power switch off as happened in the ukraine, but really causing long-term damage either to generation capacity or transmission capacity? >> yes, congressman. i had the privilege of going to similar classified briefings as well. but also 35 years of experience working in substations with equipment. i understand the threats of black energy or aurora are
stuxnet or things like that but it's difficult to transform an action that the predominant behavior we're seeing today is surveillance type behavior. to transform that into an action that destroys a piece of equipment -- >> that's comforting to know. that's a real comforting because what i'm going to do is, i will follow-up with both you and mr. spence as relates to this, because again is one of the number one questions that i get is just a real concern. it's about getting the grid, and most people don't understand the interconnectivity between utilities. a lot of that it's blown way out of proportion, but at the same time your confidence level, if there were a cyber attack on an investor owned utility somewhere in the midwest, the damage they
could cause come in your opinion, would be minimal? >> the damage on the information systems, that would be their business risk. on the grid it's very difficult. it's very unlikely to put the grid out for one to two weeks. i think -- >> what you are saying is mass outages for multiple weeks or days, in your opinion, is going to be a weather-related event? >> or the other thing is a physical attack which is shooting and explosive device at the substation, are two things i think and get into that wanted to reach and beyond. >> those are a lot easier to anticipate and plan for. >> gets very complicated g20 sites at once with a physical attack with the current law enforcement we have. i think that risk is mitigated as well. the one i worry about the most is a physical attack. >> i will follow-up with all of you. i just want to say thank you as a member of my local rea.
i have great affinity for my rea's. >> thank you very much. >> i yield back. >> i just have one more question, mr. spence. my colleague from pennsylvania highlighted that to me coal power plants have closed. are you concerned having fewer generation facilities online makes the grid as a whole more vulnerable? >> i am not. in fact, mr. cauley and his team are also responsible as part of their duties to evaluate with very detailed modeling region by region the impact of retirements of any sort on the grid of major power stations. they have evaluated this multiple times in fact and i found that we continue to maintain an adequate reserve of capacity, should we see more retirements that actually forecast.
so even with a forecast of retirements, which are many, particularly on the cold side, we have adequate capacity to meet all of our projected needs for power. >> thank you. i look forward to working with each and every one of you and welcome your input as we move forward on this initiative. i thank you all for your testimony. your comments had been helpful to today's discussion. if there are no further questions i would ask unanimous consent that the record of today's hearing remain open until such time as our witnesses have provided answers to any questions that need submitted to them in writing. unanimous consent the record remain open for 15 days for any additional comments and information submitted by members or witnesses to be included in the record of today's hearings. without objections order. i would like to thank our witnesses again for the testimony. if there are no further questions to add, the subcommittee stands adjourned. [inaudible conversations]
[inaudible conversations] [inaudible conversations] >> our live coverage of the presidential race continues tonight for the new york state primary. choice at nine eastern for election results, candidate speeches and viewer reaction. taking you on the road to the white house on c-span, c-span radio and c-span.org. >> the senate is about to start its session. they will have a final passage vote on providing just over $33 billion to fund the faa in till september 30 of next year and will recess for party lunches following the vote. back at 2:15 p.m. and work on an
energy modernization bill which would modernize the nation's electric grid and approve energy standards for buildings. senators will also debate a number of amendments with votes on those and final passage later today. the president pro tempore: the senate will come to order. the chaplain, dr. barry black, will lead the senate in prayer. the chaplain: let us pray. eternal spirit, the splendor of your presence delights us. you have been our help in ages