"This morning's hearing is to examine the status of actions taken by the Federal Energy Regulatory Commission (or FERC), the North American Regulatory Commission (or NERC) and the states to protect the electric grid from computer attacks on their facilities and control systems.
"I do not think I need to talk much about the serious nature of this issue. Last week we experienced a week-long outage in this region. It was a weather-related outage, but it demonstrates how important reliable service on the electric grid is.
"We read every day of newly discovered attacks or threats on computer systems in this country and around the world. According to the Director of National Intelligence, there has been a dramatic increase in the frequency of malicious cyber activity targeting U.S. computers and networks, including a more than tripling of the volume of malicious software since 2009.
"So, the threat is real and it is serious.
"In 2005, we gave FERC the authority to name an entity to develop and enforce standards to protect the reliability of the grid. I believe that there are two things that we can say about the system that has emerged since then.
"First, the current reliability system does have a mandatory character, so the electric grid is the only critical infrastructure in this country that has some form of an enforceable standard for cyber security.
"Second, the current reliability system that has emerged is cumbersome and overly complicated. This may be adequate to deal with reliability concerns like standards for trimming trees so that they do not fall on transmission lines. But when it comes to cyber attacks, I am concerned that the current system is not adequate.
"The process to develop standards started in earnest in 2006, when NERC filed a series of reliability standards with FERC. A number of them related to cyber security, and FERC found them wanting. In a series of filings since then, NERC has corrected some of the shortcomings that the FERC highlighted. As recently as April, Version 4 of the cyber standards was approved, with the proviso that NERC address the remaining inadequacies by the end of the first quarter of next year.
"That means that we are here today in this Committee, seven years after we passed the law, and we are still waiting for this process to produce the full set of adequately protective standards that we need. That cumbersome process has to address a threat whose nature is rapidly changing, the standards that are in place may not be flexible enough to deal with emerging threats, and we still do not have an effective system in place to require action in the face of an imminent cyber attack.
"NERC has developed a system of alerts to help the industry with newly discovered threats. I'll have some questions about how that system is working in practice.
"The concerns that have prompted this hearing are ones that have resulted in bipartisan cyber security legislation that we have reported from this committee in both this Congress and in the last Congress. In 2010, Senator Murkowski and I agreed on an expedited approach to cyber security standards, that was centered at FERC and that passed this committee unanimously. That bill was hotlined for passage in the Senate at the end of the last Congress; it ran into holds from two of our Republican colleagues, perhaps more. Last year, Senator Murkowski and I reworked the proposal into one that featured a greater role for NERC, but allowed FERC to set effective deadlines for action and also gave the Secretary of Energy emergency cyber security authority. Once again, that bill passed this committee unanimously.
"I don't believe that the cyber threat affecting the grid has gotten any less serious since last year, when we acted on a bipartisan basis to pass our legislation out of the committee. In the testimony for today's hearing, there are suggestions that there are additional cyber issues that also need focused attention, particularly with respect to the implementation of smart grid technologies.
"We need to address these vulnerabilities that are clearly before us. The bill that passed this committee unanimously would be an excellent place to start. It did a good job of balancing the need to avail ourselves of the expertise in industry on these issues with the need to act expeditiously. Nothing since then has changed the need for clear authority to deal with immediate emergencies and longer term vulnerabilities. As we all agreed last year, processes that take years to bear fruit may be sufficient for less urgent reliability issues, but not for the challenges we face in cyber security."