[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]

TELECOMMUNICATIONS AND SCADA: SECURE LINKS OR OPEN PORTALS TO THE SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE?

=======================================================================

HEARING

before the

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS

of the

COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES

ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION

__________

MARCH 30, 2004

__________

Serial No. 108-196

__________

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

______

U.S. GOVERNMENT PRINTING OFFICE
95-799 WASHINGTON : 2004

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

TOM DAVIS, Virginia, Chairman

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of Columbia
TIM MURPHY, Pennsylvania             JIM COOPER, Tennessee
MICHAEL R. TURNER, Ohio              ------ ------
JOHN R. CARTER, Texas                            ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont (Independent)
PATRICK J. TIBERI, Ohio
KATHERINE HARRIS, Florida

Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel

Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

ADAM H. PUTNAM, Florida, Chairman

CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             ------ ------
MICHAEL R. TURNER, Ohio

Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California

Bob Dix, Staff Director
Dan Daly, Professional Staff Member
Juliana French, Clerk
Adam Bordes, Minority Professional Staff Member

C O N T E N T S

----------

Hearing held on March 30, 2004

Statement of:
    Dacey, Robert F., Director, Information Security Issues, U.S. General Accounting Office; and James F. McDonnell, Director, Protective Security Division, Department of Homeland Security
    Weiss, Joseph, executive consultant, KEMA, Inc.; Dan Verton, senior writer, Computerworld Magazine; Gerald S. Freese, director of enterprise information security, American Electric Power; and Jeffrey H. Katz, enterprise IT consultant, PSEG Services Corp.

Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of
    Dacey, Robert F., Director, Information Security Issues, U.S. General Accounting Office, prepared statement of
    Freese, Gerald S., director of enterprise information security, American Electric Power, prepared statement of
    Katz, Jeffrey H., enterprise IT consultant, PSEG Services Corp., prepared statement of
    McDonnell, James F., Director, Protective Security Division, Department of Homeland Security, prepared statement of
    Miller, Hon. Candice S., a Representative in Congress from the State of Michigan, prepared statement of
    Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of
    Verton, Dan, senior writer, Computerworld Magazine, prepared statement of
    Weiss, Joseph, executive consultant, KEMA, Inc., prepared statement of

TELECOMMUNICATIONS AND SCADA: SECURE LINKS OR OPEN PORTALS TO THE SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE?

----------

TUESDAY, MARCH 30, 2004

House of Representatives,
Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 2:05 p.m., in room 2154, Rayburn House Office Building, Hon. Adam H. Putnam (chairman of the subcommittee) presiding.

Present: Representatives Putnam, Miller, and Clay.

Staff present: Bob Dix, staff director; John Hambel, senior counsel; Dan Daly, professional staff member and deputy counsel; Juliana French, clerk; Suzanne Lightman, fellow; Erik Glavich, legislative assistant; David McMillen and Adam Bordes, minority professional staff members; and Cecelia Morton, minority office manager.

Mr. Putnam. Good afternoon. A quorum being present, this hearing of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order. I want to thank everyone for joining us for another important hearing on cyber security.
I want to welcome all of you to this hearing entitled, ``Telecommunications and SCADA: Secure Links or Open Portals into the Security of the Nation's Critical Infrastructure.'' Clearly, the issue of protecting the cyber element of our Nation's critical infrastructure is of paramount concern to this subcommittee and we will continue to examine these matters comprehensively. This is our second hearing dealing with the issue of SCADA or industrial control systems. Our first hearing was a closed hearing. Through our hearings and other high level briefings, it has become abundantly clear that our Nation is not protected sufficiently from cyber attack against our critical infrastructure. Given the fact that roughly 80 percent of these systems are owned or controlled by the private sector, it is important that we work collaboratively and aggressively to address this matter. The testimony today will, obviously, not reveal specific vulnerabilities; but I hope it will raise the alarm so that necessary steps will be taken to secure our critical infrastructure from the potential of cyber attack. Additionally, this hearing will focus attention on the telecommunications that connect SCADA devices to their control and monitoring networks and review the associated vulnerabilities. Industrial control systems, often referred to as SCADA, which is an acronym for Supervisory Control and Data Acquisition, underlie most of the infrastructure that makes everyday life possible in America. These systems support the processes that manage our water supply and treatment plants; control the pipeline distribution system and the electric power grid; operate nuclear and chemical power plants; and support the manufacturing of food and medicines, just to name a few. The Nation's health, wealth, and security rely on these systems, but, until recently, computer security for these systems was not a major focus. 
As a result, these systems on which we rely so heavily are undeniably vulnerable to cyber attack or terrorism. When I first began to inquire about this topic, I must say that I did not necessarily grasp the scope of the challenge. The more I have learned, the more concerned I have become. The critical infrastructure of our Nation lies mostly in private hands and this Nation is dependent upon their assessment of risk and, certainly, profit. Many private sector firms are not convinced of the business case to invest their resources in information security upgrades. Clearly, there is a much wider acknowledgement of potential physical threats at this point. But make no mistake, the cyber threat is real, it is 24 x 7, it could come from anywhere, and we must take this threat just as seriously. In a book just published, Thomas Reed, a former Air Force Secretary, details how our Government allowed the Soviets to steal software used to run gas pipelines. What the Soviets did not know is that the United States had sabotaged the software to cause explosions in a Siberian natural gas line. I became so concerned about the security of our SCADA systems, that I have asked the General Accounting Office to report to the Congress on the state of SCADA in America. GAO has produced an outstanding product and we are releasing the report at today's hearing. Months ago, at our first SCADA hearing, I said, ``It is also apparent to me that we have not developed a comprehensive strategy for addressing this weakness in our critical infrastructure.'' In today's GAO report they conclude: ``We are recommending that the Secretary of DHS develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security, including developing an approach for coordinating the various ongoing efforts to secure control systems. 
This strategy should also be addressed in the comprehensive national infrastructure plan that the department is tasked to complete by December 2004.'' I look forward to today's GAO testimony as they provide more detail on their findings. As a farmer, I rely on SCADA systems in local dams to prevent my fields from flooding and putting me out of business. It had never occurred to me that the potential threat from a computer somewhere half way around the world might exceed the harm that could be perpetrated by Mother Nature. I have learned that today's SCADA systems have been designed with little or no attention to computer security. Data is often sent as clear text; protocols for accepting commands are open, with no authentication required; and communications channels are often wireless, leased lines, or the Internet itself. Remote access into these systems for vendors and maintenance is common. In addition, information about SCADA systems is widely available. Not only are they increasingly based on common operating systems with well-known vulnerabilities, but also information about their vulnerabilities has been widely posted on the World Wide Web. Contributing to the security challenge is the requirement for public disclosure about the use of public airwaves. Utilities, factories, and power plants must register the frequencies that they use and provide detailed information on the location and structure of their communications networks. Sensitive information about these critical infrastructure systems is easily available. This is a special concern for communications systems that are easily interfered with, such as wireless. Finally, SCADA systems now also seem to be victims of common Internet dangers. It has been reported that the blackout this summer may have been partially exacerbated due to the widespread Blaster worm, which disrupted communications among data centers controlling the grid. 
The Nuclear Regulatory Agency has warned nuclear power plants about infiltration by the worms and viruses after a nuclear plant's systems were infected by a contractor's laptop. According to U.S. law enforcement and intelligence agencies, SCADA systems, specifically water supply and wastewater management systems, have been the targets of probing by Al Qaeda terrorists. Some Government experts have concluded that terrorists have existing plans to use the Internet as an instrument of bloodshed, by attacking the juncture of cyber systems and the physical systems they control. A recent National Research Council report has identified ``the potential for attack on control systems'' as requiring ``urgent attention.'' America must not be so focused on preventing physical attacks that we leave our cyber back door wide open and unattended. The tragedy of September 11 has taught us that we must imagine the unimaginable, prepare for the unthinkable, and not leave any stone unturned. To do so could mean devastating economic losses and tragic loss of life. The threat is real and the time to act has long since passed. I look forward to the testimony from today's witnesses and I thank you for your contribution to the security of our Nation. Today's hearing can be viewed live via Web cast by going to Reform.House.Gov and clicking on the link under ``Live Committee Broadcast.''

[The prepared statement of Hon. Adam H. Putnam follows:]

Mr. Putnam. I want to welcome the distinguished ranking member of the subcommittee from Missouri, Mr. Clay, and recognize him for his opening statement. You are recognized.

Mr. Clay. Thank you, Mr. Chairman, especially for calling this hearing. I thank the witnesses for taking the time to share their thoughts with us on how we can best prepare to secure our Nation's critical infrastructure systems.
As all of us remember, the electricity blackout on the East Coast during August 2003 was another warning sign of the trouble which lies ahead should we continue to fail in securing the control networks that deliver us the necessary services for our daily activity. Although the Federal Government has made considerable efforts in producing public-private partnerships to improve the cyber security of our critical infrastructure control systems, a tremendous amount of work remains in coordinating these efforts among Government agencies, private entities, and standard-setting bodies. Furthermore, if we fail to establish an enforceable public policy blueprint for adequate critical infrastructure protection, how can we expect the necessary implementation of minimal security requirements for control systems throughout the private sector? Like our hearing last Fall, today's testimony from GAO will detail several challenges inherent in securing both public and private control systems against cyber threats from both foreign and domestic sources. They include: our limited technological capacities in securing such systems, the economic cost in providing such security, and indecision within many organizations about making control systems security a priority. These problems are exacerbated by the introduction of new technologies that are not always accompanied by adequate security measures, such as wireless systems. While being both economically and operationally efficient, many technology professionals still lack a detailed understanding of the vulnerabilities contained in wireless systems. As the subcommittee seeks to define the most practical public policy remedies for these problems, we must be aware of all such variables in order to find an appropriate balance for both governmental and nongovernmental organizations.
As I stated during our hearing on SCADA systems last Fall, ``The solution to cyber security and control systems is similar to efforts for resolving security issues in Government computers. The efforts require sound management, skilled and committed employees, and the understanding that security involves all employees in an organization, not just the chief information officer or other designated security officials.'' I hope our witnesses today can provide some further insights on how our work should proceed in defining an adequate public policy response in this area. Thank you, Mr. Chairman. I ask that my written testimony be submitted for the record.

Mr. Putnam. Without objection.

[The prepared statement of Hon. Wm. Lacy Clay follows:]

Mr. Putnam. Thank you, Mr. Clay. The distinguished vice chair of the subcommittee, the gentlelady from Michigan is also joining us. You are recognized for your opening statement, Mrs. Miller.

Mrs. Miller. Thank you, Mr. Chairman. I appreciate your holding this very important hearing today. I think as we examine the security of our Nation's critical infrastructure, we certainly are reminded, unfortunately, of our vulnerabilities and the importance of securing our Nation's control systems. These systems were developed when fears of cyber attacks were non-existent. Certainly their structure and the lack of expansive cyber security frameworks typifies the attitude of our Nation, quite frankly, pre-September 11th when we thought our Homeland was safe from the act of terrorists. But in today's world, the United States is particularly vulnerable because the terrorists look to use our freedoms against us. They look to disrupt our electrical networks, our financial systems, clearly our way of life. These are the things that we tend to take for granted. But we have to be proactive so that we can prevent future attacks from happening.
So the question is, obviously, how can we secure these systems to the best of our ability. And I am hopeful that the witnesses who are testifying today can inform us of how Federal agencies are working with one another, how they are working with the private sector to provide a reasonable solution to the problems that we face. Obviously, building a fail-safe system is impossible but we must strive for what is reasonable. Time is of the essence because an attack on our critical infrastructure can happen from anywhere in the world, at any time. Security of control systems must be given the highest priority, and new technology must continue to be developed. I certainly want to thank all the witnesses for testifying here today. I am looking forward to your testimony. Thank you, Mr. Chairman.

[The prepared statement of Hon. Candice S. Miller follows:]

Mr. Putnam. Thank you, Mrs. Miller. I want to welcome our witnesses again. Mr. Dacey is a frequent flier to the committee. We gave Karen Evans the week off but brought Mr. Dacey back. And as experienced witnesses, you understand the light system so I will not rebrief you on that. As you know, the subcommittee swears in witnesses, and in addition to the seated witnesses, anyone who is joining you who will be contributing to your testimony before the subcommittee.

[Witnesses sworn.]

Mr. Putnam. I would note for the record that the witnesses responded in the affirmative. We will move directly into testimony. Our first witness is Mr. Dacey. Mr. Dacey is currently Director of Information Security Issues at the U.S. General Accounting Office.
His responsibilities include evaluating information systems security in Federal agencies and corporations, assessing the Federal infrastructure for managing information security, evaluating the Government's efforts to protect our Nation's private and public critical infrastructure from cyber threats, and identifying best security practices at leading organizations and promoting their adoption by Federal agencies. You are recognized for 5 minutes. Welcome to the subcommittee. You may proceed.

STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND JAMES F. MCDONNELL, DIRECTOR, PROTECTIVE SECURITY DIVISION, DEPARTMENT OF HOMELAND SECURITY

Mr. Dacey. Mr. Chairman and members of the subcommittee, I am pleased to be here today to participate in the subcommittee's hearing on the security of control systems. As you requested, I will briefly summarize my written statement which is based on our report on control systems that you released today. For several years, security risks have been reported in control systems upon which many of the Nation's critical infrastructures rely to monitor and control sensitive processes and physical functions. In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of risks that are specific to control systems, including the adoption of standardized technologies with known vulnerabilities, connectivity of control systems with other networks, insecure remote communications, and widespread availability of technical information about control systems. Control systems can be vulnerable to a variety of attacks. These attacks could have devastating consequences--such as endangering public health and safety; damaging the environment; or causing a loss of production, generation, or distribution by public utilities.
Control systems have already been subject to a number of cyber attacks, including documented attacks on a sewage treatment system in Australia in 2000 and, more recently, on a nuclear power plant in Ohio. Several challenges must be addressed to effectively secure control systems, including one, the lack of specialized security technologies for such systems; two, the perception that securing control systems may not be economically justifiable; and three, conflicting priorities within organizations regarding the security of control systems. The Department of Homeland Security, other Government agencies, and the private industry have independently initiated several efforts intended to improve the security of control systems. These initiatives include efforts to promote research and development activities, to develop requirements and standards for control systems security, to increase security awareness and information sharing, and to implement effective security management programs. Our report describes these initiatives in greater detail. Further, implementation of our recommendation for the Department of Homeland Security to develop and implement a strategy to improve control system security, including better coordination of these initiatives, can accelerate progress in securing these critical systems. The department concurred with our recommendation and reported that improving the security of control systems against cyber attack is a high priority for the department. 
Additionally, improvements in implementing existing IT technologies and approaches, such as those discussed in our recent report to the subcommittee on commercially available cyber technologies, can accelerate progress in securing these critical systems, including (1) implementing more secure architectures with layered security, for example, by segmenting process control networks with robust firewalls and strong authentication; (2) establishing effective security management programs that include appropriate consideration of control systems; and (3) developing and testing continuity plans within organizations and industries to ensure safe and continued operation in the event of an interruption such as a power outage or a cyber attack, including consideration of interdependencies on other sectors. In summary, in the face of increasing cyber risks and significant challenges in securing control systems, several initiatives are in progress to improve cyber security of these systems. However, further efforts are needed to address these challenges to carry out and better coordinate such initiatives and to improve implementation of existing technologies and approaches. Mr. Chairman and members of the subcommittee, this concludes my statement. I would be pleased to answer any questions that you have.

[The prepared statement of Mr. Dacey follows:]

Mr. Putnam. Thank you, Mr. Dacey. Our second witness on our first panel is James McDonnell. Mr. McDonnell is the Director of the Protective Security Division at the Department of Homeland Security. Prior to this position, Mr. McDonnell was the Director of Energy Assurance at the Department of Energy, and director of national security operations at Oak Ridge associate universities. Mr. McDonnell has over 25 years of experience managing national security and homeland security activities and was a member of the leadership team assigned to craft the Department of Homeland Security in the White House Transition Planning Office. In 1995, Mr. McDonnell completed a 20 year career as an officer in special operations and special warfare in the U.S. Navy. I want to welcome you to the subcommittee. We appreciate the experience that you bring. You are recognized for 5 minutes.

Mr. McDonnell. Good afternoon Chairman Putnam and distinguished members of the subcommittee.
It is an honor to appear before you today to discuss activities that the Department of Homeland Security is engaged in regarding process control systems and our Nation's critical infrastructure. I am James McDonnell, Director of the Protective Security Division, part of the Information Analysis and Infrastructure Protection Directorate within the Department. Established by the Homeland Security Act, and directed by Homeland Security Presidential Directives, IAIP is responsible for reducing the Nation's vulnerability to terrorism by one, developing and coordinating plans to protect critical infrastructure and key assets; and two, denying the use of the infrastructure as a weapon. Our goal is to ensure a national capacity to detect indicators of terrorist activity, deter attacks, and devalue targets, and to defend potential targets against terrorist threats to our critical infrastructures. To meet this goal, IAIP identifies those sites and facilities that may be an attractive target for terrorists based on risk and identifies how best to reduce those vulnerabilities. Once we know what we should protect and what the vulnerabilities are, we conduct risk assessments. We map threat and vulnerability information. This information is then used to prioritize the implementation of protective measures focused on mitigating our Nation's vulnerability to attack and, more importantly, sharing in a timely manner that information with State and local officials. The complexity of the infrastructure requires a comprehensive understanding of how this ``system of systems'' operates and it is this complexity that adds another dimension of vulnerability--the use of complex process control systems. Process control systems are industrial measurement and control systems used to monitor and control plants and equipment. 
They are utilized in numerous industries, including energy, manufacturing, chemical production and storage, food processing, and drinking water and water treatment facilities. These systems are often referred to generically by one of the most prevalent types, SCADA, Supervisory Control and Data Acquisition, but there are many other types of these systems. The systems vary in function, size, complexity, and age. Some function in an automated fashion. Some rely on a human/machine interface, where the system provides critical information upon which an operator bases process control decisions. Some digital controls systems can be reprogrammed from offsite through dial-up connections or through Web-based access. This cyber-physical nexus creates a complexity that requires a comprehensive approach for protection. To address the protection of these critical systems, IAIP has developed a comprehensive strategy to protect each element of process control systems. Our focus is on joint Government-industry efforts to identify key assets, discover vulnerabilities, analyze risk, implement effective protective measures, conduct joint exercises and training, disseminate information, and develop inherently safer technology. Since most process control systems reside in the private sector, our ability to always effect change is sometimes affected by business factors that we cannot control. IAIP manages this as a team effort that includes all parts of the Directorate, including the Protective Security Division, the National Cyber Security Division, the Infrastructure Coordination Division, and the National Communication System. The bulk of the remediation and protective activities are conducted by PSD and National Cyber Security Division. Immediate efforts focus on protective measures that can be implemented within the as installed/legacy environment, such as inexpensive technical or procedural changes that can be implemented at the site and in the immediate future.
Near term efforts include detailed testing and assessment of vulnerabilities. In the long term, we will work with the private sector on the development of inherently safer technology. As part of PSD, we have established a Control Systems Section that will oversee the SCADA security program. The Control Systems Section will identify and reduce vulnerabilities critical to domestic security related to control systems. This section also includes the development and integration of the understanding of offensive capabilities, and providing relevant hands-on operational support during DHS heightened security events. We have identified approximately 1,700 facilities across the country that we hope to engage in a major vulnerability reduction effort during fiscal year 2004. Of those sites, we have identified 565 with process control systems. As appropriate, reduction in SCADA vulnerabilities will be undertaken just as reductions in physical vulnerabilities are. In closing, I would like to reiterate first that SCADA vulnerabilities are a fact, just like a hole in a perimeter fence. The problem is that the SCADA vulnerability is not seen by the casual observer and therefore goes easily unnoticed. SCADA vulnerabilities are seen by those who would do us harm through their manipulation and it is incumbent upon IAIP to ensure that those responsible for protecting America are seeing them and doing something about it. Finally, as earlier stated, the Department of Homeland Security views this as a national effort involving many directorates within the Department and many organizations, both public and private, outside DHS. I would be happy to answer any questions you may have.

[The prepared statement of Mr. McDonnell follows:]

Mr. Putnam. Thank you, Mr. McDonnell.
Let me begin with one of the last things that you said--it is a national issue with many directorates of the Department of Homeland Security involved. What one directorate is ultimately accountable for the successful protection of this critical infrastructure?

Mr. McDonnell. Sir, I am the accountable executive at the Department of Homeland Security for this effort.

Mr. Putnam. OK. And how do you coordinate then with Amit Yoran and the cyber security folks?

Mr. McDonnell. Well, Amit and I both work for Bob Liscouski, who is the Assistant Secretary for Infrastructure Protection. We talk daily. This is one of the many issues we deal with. We are in the process of developing a joint package to understand how we both deal with each part of cyber. When you look at SCADA, we have Amit looking at the ones and zeroes, and that is how the hacker is going to come in, some guy sitting in an Internet cafe in Paris being able to hack in there or even locally coming in and affecting the code, rewriting the code. We also have to look at what are the systems themselves, how can they be intercepted. We are moving toward wireless technology, that has already been mentioned, and that adds another dimension of an avenue into the systems. My teams when they are in the field look at all of the security considerations at a site. The vulnerability of their SCADA systems is one of the things that the teams look at. I have had teams just since the Department stood up the 226 sites around the country, as mentioned in my opening statement, we are going to be at another 1,700 during this year, at every one of those we are looking at the physical nexus for is there a control box that somebody can get into and tap into, are there wires set that use an induction system, you can get in and take over the controls. So Amit and I have to work extremely closely to make sure we understand what each arm of the organization is doing. But we are doing it from a different level.
He is at a global level, looking at how people are using the Internet globally, not just the Internet, but other malicious code types of attacks, where I am at the local level, looking at what is at the site, what are the vulnerabilities there that could be taken advantage of. It is an ongoing process. We talk literally all the time about this as well as other issues. Mr. Putnam. Thank you. The users of SCADA seem divided by their lines of business. The electrical industry does not necessarily talk to oil and gas industries, does not necessarily talk to the chemical industry. But according to the testimony provided by Siemens at our last SCADA hearing, SCADA systems are largely the same from industry to industry. What role does the lack of coordination within the private sector play as you work to solve these problems? I will begin with Mr. McDonnell and then go to Mr. Dacey. Mr. McDonnell. Thank you, Mr. Chairman. When PD No. 63 was written back in 1997, infrastructure protection was stovepiped, so to speak. It was a Federal agency overseeing the care and feeding of all the different business sectors out there. So, for example, prior to the Department of Homeland Security, I was the Director of Energy Assurance. My responsibility was the energy sector, there was another department that had the chemical sector, Treasury had banking and finance, etc. What has happened now with the President signing HSPD No. 7 several months ago and the creation of the Department is we now at the Department of Homeland Security are responsible for the coordination across all of the sectors, with all of the Federal agencies to ensure that the good things that are happening in one get to the others. To your point, SCADA systems, there may be one manufacturer and maybe one patch that Nork found for the electric grid folks that may apply in the chemical sector. That is exactly the same in the other systems that we are dealing with out there. 
I may find a physical vulnerability that is common across many different business sectors. So the way we are addressing that is my office produces common vulnerability reports. When I have teams out that are looking at these things, what are common in different sectors, at different facilities, and then how do we ensure that folks that need to do something about it can track those things down and see if they have the same problem and fix them. We will be doing that--and we do that to some extent in SCADA right now but it is still, quite frankly, in its early stages of development. I have a SCADA common vulnerability report in the works that I should see before too long that will just be part of the package alongside chemical site security and other types of things. The whole concept of this is the Department has to know where we have specific vulnerabilities. Then we have to pull back from where that specific vulnerability is, ask the question, where else are those vulnerabilities, and make sure that fixes that apply to a specific site in, say, New Jersey get to the guy in Florida or California that need the same information. Mr. Putnam. Mr. Dacey. Mr. Dacey. As we discussed in our report, when we were doing our work in research and talking to a lot of experts in the SCADA field, the general consensus continued to come back that there needed to be more coordination. There are a lot of activities taking place. It, quite frankly, took us quite a bit of effort to try to put together all of the initiatives we described in our appendix because they were not readily available in one central place. So I think in terms of the interest in the industry, there is an interest to get together because these SCADA systems share common vulnerabilities and common problems and some of the solutions, quite frankly, are common as well. 
So I think that is an important area and that is what led to our recommendation that the Department, in its role as laid out in the strategy to secure cyber space, put together a strategy for developing and coordinating those activities in one central place. And I am pleased to hear today that they are taking efforts to do that of late. Again, we have not been in and looking at the Department since we did our report, and I believe your section was set up sometime in December, if I recall. So it is good that action is taking place. It is a very critical element that needs to be carried forward. The other part of that is the research and development. I think it is very critical that the folks that are affected by SCADA systems get together and try to sort out what research and development needs to be done and needs to be accomplished to help secure these systems, because, as you discussed in your opening statement and as we discussed in our report, there is some inherent insecurity in these systems and they do not have a lot of capacity to lay on encryption and things of that nature. So I think that is another area that needs to be looked at carefully, again through a coordinated effort, which the Department should be working with the private sector and other Government agencies. Mr. Putnam. Do you have a breakdown, either of you, for what percent of SCADA systems are in private sector hands versus Government? But then within the Government, what I am concerned with is municipalities versus counties versus regional governments like flood control districts, water management districts, mosquito control districts, whatever, and States. 
If you are talking about a small county on the banks of the Mississippi River that is managing a very important piece of the flood control structure, that maybe the Corps does not have the money to upgrade SCADA systems, certainly, in south Florida we are dealing with it around Lake Okeechobee and the Everglades, control structures that are quasi-governmental. Do they even hit your radar screen, or are you really kind of focused on the bigger, more visible ones at this point? Mr. McDonnell. Those absolutely hit our radar screen. The first part of the process in the Protective Security Division is what we call the asset identification shot. It is essentially a domestic targeting branch where we work with State and local officials, with private industry, with sector-specific agencies and say what are the things out there we should be concerned about protecting. We do that absent a vulnerability analysis initially because we need to know what are the things, the systems, the specific facilities, the systems of facilities, that, if affected, would have an impact that is unacceptable. Now we look at that in four different ways: First is public health and safety, what is the prompt effects of an attack on a facility; the second is economic impact; third is a symbolic nature; and fourth is national security, and that is the ability to support military mobilization and those types of things. We are in the process, for example, of building a new set of data for fiscal year 2005 and fiscal year 2005 activities and we have had 13,000 items already submitted to us by the States after looking at their systems. I have a team, it is the Asset Identification Section, who is sitting down with their counterpart agencies and saying, OK, for example, that levee on the Mississippi, just for the sake of argument, it gets on the list, the State says this is critically important for crop protection, or it floods the town. 
It is incumbent on us then to help them identify what that is vulnerable to. It may be a physical attack or it may be a cyber attack. If it is a cyber attack, then the next step in the process is what can we do about it. It sets up a process where we are actually going to operate, and we are operating now, based on if anyone thinks that something should be considered for protection, it will be considered for protection. How far down the road we go of actually implementing protective actions will depend on the analysis between that nomination of a facility for protective actions and the actual implementation of protective measures. Who does what protective measures will be a collaborative effort. We have inside the gate activities that need to take place, for example, where owners and operators have to do fixes, and we have outside the gate. A major effort underway now is to create buffer zone security plans. It is taking the operational environment away from the terrorists in the vicinity of the targets. We could build fences as high as we want and we could make a static security environment inside of a facility be impregnable or seem to be, but if we leave the area around it open for people to operate in, we leave the people vulnerable that are trying to protect our facilities. It is exactly the same in SCADA. We have to know what is there. We have to know the ways a terrorist could get in. And then we have to figure out how we plug that hole, so to speak. Mr. Putnam. Thank you very much. I would like to now recognize Mrs. Miller for 10 minutes. Mrs. Miller. Thank you, Mr. Chairman. Mr. McDonnell, if I could followup a bit. I tried to take some notes there. You were saying that the DHS had identified about 1,700 different facilities thus far. Did you actually do that work yourself? How did you coordinate and cooperate with the States? 
Now it is my understanding that each State was responsible to deliver to DHS a State plan, their own assessment plan of the kinds of soft targets that they might find within their respective States. So I guess my first question is, did you actually do that work, or was that done by the States? Mr. McDonnell. It was done in combination. The plan that the States had to submit was due in at the end of December of this year. For the grant process for putting funds out to the States in the fiscal year 2004 appropriations, we were required by October 15 to brief leadership on the Hill of what we were going to use for infrastructure protection grants and what strategy we went through picking facilities. So we actually this year had to pick facilities pre-dating the inputs that were coming in through the strategic planning process that the States were in the process of submitting. Now that being said, what we did is, over the last year we have collected a lot of information, we have consolidated that into a list. I then took that and I met with the Homeland Security advisors and I said here are the 1,700, what do you think? For example, there was a shopping mall that ended up on there that was in the Meadowlands in New Jersey that does not exist yet. It is licensed, you look at all the business records and it shows that it is there, but nobody got around to building it. So we decided to take that off. We are not going to pour a lot of protection into that. But it was critically important in that case because Syd Casper, in New Jersey, said, hey, Jim, we do not have that here, but there is something else there that does need to be protected. And so it is an iterative process. I think, quite frankly, it is going to be another probably two cycles before we really have a very good handle on all the different things that are out there that need to be protected. But it is going to take continuous dialog. Hearings like this are good. 
Any time we can get people together to talk about this and get people thinking about getting the information back and forth so we can put good plans around things, I think we win. The 1,700 sites will probably, by the time we get done with this cycle with the State, be closer to 2,000 for actions during this year. We already see a little bit of a bump up. They are not the top 2,000 critical sites in the country, per se. But a big part of it is soft targets. We are putting a lot of effort right now into those areas that do not have any protection and looking at places where people are gathering and we could have low level attacks outside of the critical infrastructures, stadiums, shopping malls, those types of things. So there is quite a bit of movement in that area as well as the traditional sites. Included on the list at the top tier are chemical facilities, the most hazardous facilities, nuclear plants, rail, bridges, those types of things. And of that 1,700, there is somewhere in the range of 560 that have digital control systems that, as we put these buffer zone plans in place, will be part of the consideration. Mrs. Miller. Have all the States complied? Where are you nationwide? Have all the States complied with the requirement to have their State plan in? And then when they were doing their State plan, did DHS actually set a criteria? I mean, if you have some State telling you you are going to have a shopping mall in 5 years and they have that on their plan as opposed to an existing nuclear facility, there should have been some criteria as the States were doing their own assessments I suppose. Mr. McDonnell. Right. I will have to get back to you on the specific number. I know we are very near everyone having submitted those. Quite frankly, the process that we used in asking the States to do the submission pre-dates the development of the division that I run and a lot of the other parts of the Department. 
What we did not want to do was, the States were pretty far down the road getting a strategic plan done, and so we did not want to stop them and ask them to start all over again. So that process has continued. What we did in parallel is engaged with the States to say now let us start talking more specifically about what criteria we want to use for identifying critical infrastructure and then how we go forward with that. So it is an ongoing process. We have the dialog underway, we have common goals and objectives, we still have to work out details as far as what is the best reporting scheme going to be, how do I make sure that one State looks at things the same way another State does. Honestly, they are going to look at them differently. I have to understand their perspective and figure out how I support them and try to get a national picture. Mrs. Miller. There has to be a standard I think. And the States have to look to us, the Federal Government, through you, to set those standards. And I asked this because you also mentioned about grants to the States. My State of Michigan I am aware has submitted their plan, although I do not know what the plan looks like. We have been told it is not for us to see, quite frankly. So I am hoping the plan is fine. We did have Secretary Ridge in my district most recently, and we were talking about appropriations to DHS based on some of the criteria as the States were doing their assessments. I guess I would ask you if you have any comment on this. For instance, in regards to some of the grants, a big part of the criteria there is based on population, which makes sense at first blush. But we have a situation in my district. As I mentioned, Secretary Ridge came in and we took him on a helicopter tour--if you can think of Michigan as a mitten, I am talking about this area here, which is the St. Clair River. 
We share a very long liquid border with Canada there and we have the third busiest border crossing on the Northern tier there called the Blue Water Bridge, which is the only commercial corridor on the Northern tier that can accept hazardous material across, unlike either Buffalo or the Ambassador Bridge in the city of Detroit. We have the CN rail tunnel there. We have what we call chemical valley. Sarnia in Canada there has a number of chemical plants across there. And yet this is a county that has a very small population base but, obviously, some unique characteristics in regards to a soft target. So I do not know if you are able to assist in this, but I certainly want to keep talking about that, that the criteria for the grants has to take into consideration a much more global perspective I think. And it is so important that your Department continues to work with the States. So I guess my question would be then, when you get these plans from the States, what are you doing with them? Mr. McDonnell. What we are doing now with the States is we are actually taking their inputs, we are refining what the lists are, and then we are going out and providing them support for buffer zone security planning and so on. The population and population density piece of the formula was used in the Urban Area Security Initiative which, by definition, was focused on the large cities. The selection of critical infrastructure assets for the other grant programs and the activities that my division is leading does not consider that they have to be in a city. So what I would expect in that case, and I will go back and check on the Blue Water Bridge, is I would expect the Michigan Homeland Security advisor, if that was not already on the list, would come back and say, hey, you need to add this, and we would do so. 
And then that would just be part of the process of my teams would be working with the State and assisting the State in developing those security plans, identifying where we can help, and just doing a better job nationally of dealing with the problem. Mrs. Miller. I just keep going on about setting the standards. I think it is so important that the Federal Government, through your agency, sets the standards, whether it is for as they are making their analysis throughout the States for their soft targets, or whether they are talking about setting up communications systems in all the various counties. The Secretary and many others have mentioned and almost everybody has agreed that is a priority in every county, right? Every municipality has such antiquated communication systems and everybody is running around trying to get grant money to put into communications systems to talk to one another. There is sort of a lack of standards, I think, on communications towers, all of these things. So I mention that to you as well. Once you have identified, and I do not know if you have gone this far, but as you have assessed where all of your soft targets are and that, how will you provide oversight for the States? How does that part of it work? Would you do that from a centralized location, from Washington? Would you do that through your proposed regional homeland security centers through the DHS? Do you have any next step there on how you would oversight that? Mr. McDonnell. Yes. I would use the term verification as opposed to oversight in that I am not directing the States or sort of telling them what to do. It is more of an assist role. And that being said, it is very effective. I do not have any real problems in dealing with the States in that area. I inherited a program from the FBI in the transition called the Key Asset Program, which was a field agent in all 56 of the field divisions who was responsible for critical infrastructure protection. 
I am in the process of hiring new replacement agents to be in the Secret Service offices throughout the country who would do sort of the daily care and feeding of those sites. This is very similar to the way MI-5 does it in the U.K. I went over and worked with those guys quite a bit to figure out how they handled this on a national scale. Say the person I have in Detroit will have a set number of sites, jurisdictions they have to work with. Their job will be on a daily basis to visit those places, talk to them, see how things are going, identify if vulnerabilities have been plugged, just spot checking, if you will. And those folks, prior to the regional offices being stood up, will report directly to my office at headquarters. I have a Secret Service agent detailed to me to manage that. And then over a period of time, as the Department's regional offices mature, we will have protective security detachments in each. Right now, everything is being run out of headquarters because I do not have regional and local activities yet. But as that evolves, then those local guys will work for the regional folks who will work for our headquarters policy oversight shop in Washington. But we really want the protective security activities to be community-based activities, much like the disaster recovery. The security at a site is not just the company, it is not just the local sheriff or law enforcement, it is a team effort and everybody has to be part of that team. So we are trying to push these activities to the local level. And this again gets to the difference between Amit Yoran's organization looking at global activities where there are not people necessarily local, to my shop really working at boots on the ground, talking face to face, knowing the people, having a relationship, and being able to be a reach-back capability for those local folks that need help. Mrs. Miller. Just one more question. 
Both of you gentlemen are trying to talk about what the necessary safeguards would be. Obviously, we are talking about dollars here, whether that be a local municipality, local sheriff's department, or whether it is a public utility, or what have you. Do you have any ideas at all about how the private sector might try to pay for some of these things? A utility, for instance, would have to go through their State's public service commission, that is what we call it in Michigan, I do not know what they call it in every State, to look for rate increases. Or do you think that some of these utilities or what have you would be looking to the Federal Government to set sort of a standard, some way of recouping some of these costs? Are you thinking about that at all or getting any feedback on that? Mr. Dacey. In terms of working on our report, again, the message we heard consistently from a variety of sources, vendors of SCADA and control systems, industry representatives, was a concern that it may not be economically feasible for them to proceed and invest the additional dollars in control systems security. And as a result of that, some of the vendors indicated they were not promoting heavily advances in that area. So we heard that a lot. Again, this is assertions that were made to us by a wide variety of people. But I think the issue becomes what level of security is appropriate. Some of the efforts that are underway to do research and development to develop standards and some kind of a basis for expectations, if you will, on what should be done to secure these technologies I think would be helpful out there. And then it becomes upon the private sector and the States to determine whether or not they are going to be financially able to afford whatever that level or standard might be. And I believe in the strategy it talks about the Department coordinating with the private sector to work on developing some type of standards. So I think that is an important area. 
We reported in the past, relating to CIP and general critical infrastructure protection, that the Department now needs to look at and consider the need for public policy tools to determine whether or not they are going to be necessary, whether it be grants, tax incentives, or whatever might be appropriate, to consider the need for those to provide additional incentives for the private sector to proceed. There have been a couple of situations where EPA has provided funding to do vulnerability assessments at water treatment facilities for major municipalities, for example. So there has been some activity. But what we had recommended was more of a broad based needs assessment to try to figure out what would be the best incentives for the private sector and State and local governments. But part of that I think is really setting an expectation about the level that needs to be attained and whether or not they are willing to do that without additional public policy tools. Mr. McDonnell. Just to followup on that. As I mentioned, I was at Energy Department before I started the office at Department of Homeland Security. In my 2 1/2 years, my experience has been that corporate leadership wants to do the right thing if they are given the right information. And, quite frankly, the Federal Government becomes a holder of the information quite a bit. And a big part of what we are seeking to do at the Department of Homeland Security is build the pipes to get the information out to people so they can make intelligent decisions. We need to get the specifics of SCADA vulnerabilities, for example, out of rhetoric and into, hey, here is a specific thing that is out there. One way to do that is the development of standards. We are working with the American Society of Mechanical Engineers, for one, to help us develop industry-based standards for risk assessment in the various sectors. SCADA will be a part of that. The other is setting expectations. 
One thing that we can help to do, and we are exploring this right now, is something like a DHS seal of approval, an underwriters laboratory, if you will, for if somebody comes out with a new software package for digital control systems, it goes to our test bed, the guys take a look at it and they say here is an assessment of it. I think from a business model, what you end up with then is you have a vendor who says, hey, this has been vetted, they have looked at this based on knowing what the vulnerabilities are, what the adversaries might try, and I am selling you something that is secure. The corporate executive then can go to his board and say, look, we are making the right decision. It frees them up from litigation for not using due diligence. There are good ways to build this but we have to build a baseline where there is actionable information in the hands of the executives and decisionmakers in the companies and an option. If we can move toward a particular system, and we are not saying this is a better system than this one, it is just an honest assessment of its vulnerabilities versus another, then that company can say I am going to buy that one and not the other. And I think that starts driving the business case for across the board improvement in security of the systems. Mrs. Miller. Thank you. Mr. Putnam. Thank you, Mrs. Miller. Let me followup on her line of questioning about standards and assistance. I do not know that I ever got an answer on the breakdown of municipal, State, county versus private sector so that we have a handle on who is actually going to be responsible for paying the bills. But once you have this 1,700 list finalized, then presumably we would have the price tag for bringing them into a higher level of preparedness or security. So then the question is who bears the cost. 
And if it is the private sector, and we know that 80 percent of the critical infrastructure is in private hands, then they are expected to bear the cost, but they are not mandated to bear the cost. Is that correct? Mr. McDonnell. In most cases, yes, sir. Mr. Putnam. So if they are presented with the options, as you illustrated, of a more secure system versus a less secure system, or upgrading versus not upgrading, there is no compulsion to act in the law. Is that correct? Mr. McDonnell. I think that is fair if it is strictly a question of investment. So, say, if I come in and say you have a whole year, if you do not fix it, somebody might attack you, and they say, yeah, yeah, whatever, thank you very much, I am not going to do anything about it anyway, what my experience has been to date is that is not a real problem right now. Now it may be a problem that evolves over time, but people are very, very sensitive to being vulnerable to attack. Some of the fixes that we are talking about are literally unplugging a phone line. Not all of the fixes are very complex. The key is to make the decisionmakers aware of where they are vulnerable. That is where the nexus between the Government operations, understanding the intelligence that is out there, the threat that is out there, and the vulnerabilities of the systems, and then being able to look a corporate executive in the eye and say you have this vulnerability, I am on record for telling you you have it, that it is your choice whether you do something about it right now, but if you do not, you are liable to be dealing with regulation down the road, if you do not, you are liable to be dealing with litigation if something goes wrong. So there is a coercive element to this. Now, that being said, in the energy sector, for example, the FERC has a lot of ability to help push these types of things. There is a question about rate recovery. 
The FERC, for example, can put out a rule that says if you are going to operate in the interstate transmission of electricity, here are some minimum standards that you have to follow, and then can encourage the State public utility commissions to allow rate recovery for those activities. Mr. Putnam. That is true. They are a legal monopoly and they have a price fix regulated by State legislatures or FERC or whomever. But what if it is a private chemical company that does not have the benefit of all of that and they have to make decisions about their bottom line? And in the real world, as you know better than any of us, the threat matrix is changing every day. You find some scrap of paper in a cave and it has got a picture of a chemical plant. The next week you find a picture of a dam. The next week you find a picture of a bridge. And you are expecting businesses, if you go make this pitch, well, this week is chemical plant week, or next week is bridge week, and next week is tourist attraction week, then how do they really make informed decisions. And correct me if I am wrong, there is no safe harbor. You were using this liability issue as a threat, that I am on record telling you that you have a vulnerability, I am telling you this is a problem, you can act or not act. If they choose to act, is there a reward by saying we put them on notice, they made use of the best practices and technology of the day, therefore they are protected? Mr. McDonnell. I think, as you point out, it is extremely complicated in how we actually push this down the road. It really gets to what is the consequences of failure. If, in fact, a dam, for example, has a SCADA vulnerability that we identify that risks the lives of thousands of people, I think with that piece of information it is pretty easy to ensure that dam does something about it. Mr. Putnam. OK. Let's stop right there. Mr. McDonnell. Sure. Mr. Putnam. Perfect example. Who pays for it? 
It is a county in the Midwest or in south Florida in the middle of the glades, their total county budget is $30 million a year and it is going to cost them $5 million to fix the dam. Who pays for it? Mr. McDonnell. I have the ability to sit down with the State Homeland Security advisor and say you need to take some of that grant money and fix that problem at that dam. And we have done that. So there is a process. There is plenty of money in place to do specific things. Now where you run into a problem is when people say, well, the sector needs to be fixed. Well, not all the dams are equal. All the dams may have the exact same problem but what we have to do is say that is an unacceptable risk. It is a risk-based decision, it may be a public health and safety decision, but we can find a way to fix it when we get to that specificity. And that is the challenge for our organization is to get to that specificity. Mr. Putnam. Here is my couple of concerns, and then I need to move to a few other questions that we need to get down for the record. But human nature being what it is, and the threat being as complicated as it is--and it is far more complicated than us just saying we are going to go make everything prepared for any threat. It just does not work that way. You have basically identified 1,700 sites. You and your colleagues around the country and in the States have basically said there is a top 1,700 list. My thinking, being a little bit cynical, is that the people who did not make the list are going to say, oh, but wait, we are vulnerable too. Look at all these things that we have that we need grant moneys to fix. Just like every police department in America wants to have first responder equipment equal to and greater than New York and L.A. and Washington. I mean, you see it. It is a feeding frenzy. I see there are certain sites particularly that meet Category III of your rubric, which are symbolic sites, that probably would just as soon not be there. 
But I can see a lot of sites saying, hey, this is the spot we need to be in, we cannot even afford to meet EPA water quality standards now because we have a plant that was built in the 1940's, but if we say that we are at risk of poisoning a half a million people, we will get a brand new sewer treatment plant, or we are going to get a brand new weir, or we are going to get a brand new whatever. So that is my concern in the real world process of how all this stuff works. And it is never ending because you cannot be more prepared than the terrorists' imagination. And I commend you for making a first step by saying these are the top 1,700, 560 of them have process control systems. At some point I hope you will be able to say the price of bringing these to an acceptable level is X amount. You, Congress, can decide whether you want to do it all in 1 year, whether you want to put it on a 5-year phase-in, but that is our call to make. And put it on sort of a milestone and task-oriented funding plan. But those are my concerns. The other issue is that GAO says in their report that these are the folks involved in SCADA security--DHS, Energy, Defense, 5 different national labs, EPA, FDA, NIST, 2 multiagency working groups, the NSF, 11 private sector groups, and 1 government-private partnership, for a total of 26 players. How does all that work, Mr. Dacey? Mr. Dacey. That gets back to our recommendation again. Sorry to get back to that, but the bottom line is that is what we recognized is that a lot of these efforts were initiated independently of each other. It was a need recognized by that particular group or sector to deal with a specific issue. DOD did work on determining what the effect of weaknesses in SCADA had on their ability to carry out military operations. And each one had its own genesis. 
That is why there is a need to coordinate these efforts so that we are getting the most leverage out of the activities and resources that are being put into this to get to the best answer as quickly as possible. I think that is a key issue in coordinating these efforts, again, something we heard consistently throughout discussions with those. Mr. Putnam. We wrestle with this on corporate information security and we put together a working group and we spent several months working through all those issues. It came about as a result of industry saying there is not any one law that you can pass that is going to solve this, it has to be collaborative and it has to be voluntary, and we need to have this underwriter's laboratory type model, very similar to what you are talking about for SCADA. But at the end of the day, there has to be some compelling reason for everybody to work and play well with others. I do not know what the proper formula there is, whether it is a safe harbor in the liability issues, whether it is tax credits, or whether it is just a cold hard law, but these are the issues we have to deal with to make these systems more secure. Mr. McDonnell, both the Science and Technology Directorate and the National Cyber Security Directorate at DHS have initiated several activities in the area of SCADA security. How are you coordinating their efforts? We talked about the 26 outside of there. Even within DHS you have all this going on. Do you expect there to be one overriding plan that comes out in this SCADA vulnerability report that you referred to earlier? Mr. McDonnell. Yes, sir. We are in the process of taking the President's Directive on Infrastructure Protection, HSPD No. 7, and putting in place now how we operationalize that across all the sectors, across all the departments, and truly build a national plan. It is our intent that SCADA activity will be working to a common goal through a common process. 
Now, there will always be outside of government competitive folks out there that want to be doing their own thing. That being said, we absolutely are starting to pull all that stuff together and we will have a single national effort led by the Federal Government for SCADA. It is going to take some time to pull all this in. As my colleague mentioned, there are some equities in there, Defense, for example, has very specific reasons for looking at SCADA, the Department of Energy has a totally separate shop that is looking at SCADA and the processes in the nuclear control systems at the laboratories, the nuclear weapons processes, and they are never going to just kick that into a big interagency collaborative effort. But what we do have to make sure is that we understand what is going on in these sort of compartmented areas and we are not duplicating effort, that I am not paying for an R&D program that kicks out something that has already been invented over at the Defense Department but I just did not know about it. So that is absolutely part of the plan, sir. Mr. Putnam. As you know, we have a very open records policy in this country and even more openness depending on the States that involve the availability of design and blueprints, specific site locations, wiring configurations, frequencies. Could each of you speak to the risk or the lack of risk that is associated with public access to this type of information. Mr. Dacey. Certainly, there is definitely increased risk when there is more information about the security of specific systems that people could use. If you look at some of the stuff that is on the Internet, there are operations manuals, there is just a lot of information out there that is publicly available to understand how these systems operate and what is being done with them. There are even many other sites, vendor sites which even tell you where their equipment is installed and how it is installed, or at least a general idea of how it is installed. 
So there is a lot of information out there that could be used by someone if they wanted to do some damage to learn and prepare themselves for a potential cyber attack on SCADA systems. I think that combined with some of the other risks we talked about, such as the combination of these networks with other enterprise networks, exposes a real threat for hackers using just general purpose hacking tools to get into a network that is in one of these companies and use that opportunity to then get access to the SCADA systems if they are not compartmentalized and secured. That is where we saw in the Davis-Besse plant where, as you mentioned in your opening statement, there was a worm, the Slammer worm, that migrated apparently from a vendor system through a trusted VPN, if I recall, right on into the nuclear power plant's main enterprise system and interfered with the traffic running in the control systems. So you have real issues there. So you combine the two with the fact that you can go in, there is clear text going across these things, it does not take a lot of imagination to think someone who is really studying and intent on doing something could not start to get a pretty good understanding of how these systems work, how the messages flowed, what they look like, and so forth and so on, if they could get into these systems. So I think there is a real risk. But it is not just the fact that the data is out there and available, that it is the other things which are really compounding that risk I think. Mr. Putnam. Does the access to information present a risk such that we should consider policy changes to public access to those plans and designs and operations and sites? Mr. Dacey. A lot of these systems, particularly newer ones which are moving to some of the common protocols, communication protocols and networks that we see out there and using the Internet as well, I think a lot of that information is public knowledge now. 
I think the bigger key is to better secure these networks and systems so that people cannot get to them through defense in-depth and other means. In other words, if a lot of these systems are adopting these current technologies, it does not take a lot to imagine getting in. Even if the information was not out there, one could still get in and gain a lot of insights if you could break into these systems. So I think the real key gets back to protecting the systems adequately so people cannot get in and start looking at traffic, you know, so-called sniffer software you can put in if you break into a system that looks at all the traffic going through, and you can use those to identify a lot of information on specific traffic that the control systems are using. So, again, it would help if that were not there, but I think there are a lot of other issues that need to be addressed that are just as important, if not more important. Mr. Putnam. Mr. McDonnell. Mr. McDonnell. Yes, sir. You asked specifically about change of public policy. Within the Homeland Security Act was the Critical Infrastructure Information Act, and that does provide an avenue for a company to submit information to the Department of Homeland Security, have it stamped as critical infrastructure information, and it is exempt from FOIA. And it is preemptive legislation and it is therefore exempt from State sunshine laws and so on. So there is an avenue for newly submitted information. Mr. Putnam. Prospective. Mr. McDonnell. Yes, sir. But once a barn door is open, it is open. There is an unbelievable amount of information that is available out there. You cannot get it back. The best thing that we can hope for is more discipline in what gets put on Web sites and controlled. And over time, a good operational security program will have better and better controls on those critical information. 
Quite frankly, if someone has information out there already and they have to go back and do something to change it, they have to physically change the system, they are not going to get the information back. The only way to mitigate that. My worst nightmare is somebody doing all of their planning from an Internet cafe in Paris. They can sit overseas and look at the floor plan of a chemical site, see what kind of control system it has, see what defenses look like, see what the local response capabilities are by going to the city's Web site. We have to influence that and we have to do that by the originator stopping posting public records, management, those types of things. So we have to identify the information we want to protect, and we do have a way to protect it now, but it is going to take some time to get people to sort of turn that and start putting it into the system. Mr. Putnam. When I was a kid, which was not all that long ago, but you would go to the encyclopedias. And you can go to the Internet and you get the encyclopedia and learn how to build a bomb. That does not mean you could actually build an atomic bomb just because it showed you how to do it. But today, you are talking about not just the chemical plant or the nuclear power plant's blueprints, which I think, frankly, are inherently fairly secure by their nature, people knew when they built a nuclear power plant long before Al Qaeda that it was something that needed to be protected, but rather the isolated valve 12 miles away, or switching station, or router, or whatever that is in the middle of nowhere with maybe nothing but a chain link fence around it, if that. That is the kind of stuff that concerns me, not a $50 million factory or facility or whatever. Anyway, that is what bothers me about the access. And I appreciate your input on that. According to your testimony in October 2003, the Science and Technology Directorate began a study of the current security state. 
When do you expect that study to be completed, Mr. Dacey? Mr. Dacey. Let me check my notes. I do not recall if we have a date for when that statement of work was supposed to be concluded. Mr. Putnam. And Mr. McDonnell, are you aware of the study? Mr. McDonnell. Not specifically, no, sir. Mr. Dacey. The statement of work called for delivery on about 90 days after beginning performance with an interim draft report, with a final draft report about 150 days after beginning performance. So that is kind of a general timeframe. So you are talking about 5 months. And I am not sure exactly when the study began. Mr. Putnam. Mr. McDonnell, are you more concerned about, with regard to SCADA system threats, not everything else that is on your plate, do you worry more about an international threat, as you put it, from an Internet cafe in Paris, or do you worry more about domestic home-grown type threats? Mr. McDonnell. I think international. Mr. Putnam. Mr. Dacey, do you have an opinion on that? Mr. Dacey. I think they are a significant threat. The thing I would add to my prior statement too is that there are not that many types of different control systems out there and they are used throughout the world. So it would not take much for someone potentially to get access to someone who had significant knowledge of operating systems in other countries that might be available to assist in some kind of attacks that might occur. But it could be virtually anywhere. If you look at some of these SCADA systems for some of the large institutions that carry them out, you will see that for operational purposes and better management a lot of these SCADA screens can be pulled up from virtually anywhere in the world. Now several of the institutions we talked to have implemented stringent controls to authenticate everybody going in there. 
But, quite frankly, it is conceivable that if it was not secured and you broke into the system, you could literally see right in front of you the operator's screen for the SCADA system. It is a frightening thought. Mr. Putnam. The DOE has not adequately funded the SCADA test bed. Is this something that DHS plans to fund, or is it still limping along in Energy? Mr. McDonnell. That is something DHS intends to do. Mr. Putnam. OK. Mrs. Miller, do you have additional questions? Mrs. Miller. I do not. Mr. Putnam. We are expecting votes between 3:30 and 3:45. So at this point, I would like to excuse our first panel and seat the second one as quickly as possible and at least begin testimony before we have to leave to vote. Gentlemen, I want to thank you for your responses and your candor and your interest in this very important issue. The subcommittee is grateful for your testimony. Mr. McDonnell. Thank you, Mr. Chairman. Mr. Putnam. With that, the committee will stand in recess. The first panel is excused. We will seat the second panel as quickly as possible. [Recess.] Mr. Putnam. The subcommittee will reconvene. We will seat the second panel of witnesses and move immediately into the administration of the oath and then we will get into your testimony. [Witnesses sworn.] Mr. Putnam. Note for the record that all of the witnesses responded in the affirmative. I will precede my introduction of our witnesses by saying that we are expecting votes very shortly. We would like to ask you to keep your remarks to 5 minutes. We will undoubtedly be interrupted for votes. I believe we have two votes, so we should be away for approximately 30 minutes and will return immediately. So we apologize beforehand. We will keep things going as quickly as possible. Our first witness for the second panel is Joseph Weiss. Mr. Weiss is an industry expert on control systems and electronic security of control systems, with more than 30 years of experience in the energy industry. 
He serves as KEMA's leading expert on control systems cyber security. He spent more than 14 years at the Electric Power Research Institute where he led a variety of programs, the last of which was cyber security for digital control systems. Welcome to the subcommittee. You are recognized for 5 minutes. STATEMENTS OF JOSEPH WEISS, EXECUTIVE CONSULTANT, KEMA, INC.; DAN VERTON, SENIOR WRITER, COMPUTERWORLD MAGAZINE; GERALD S. FREESE, DIRECTOR OF ENTERPRISE INFORMATION SECURITY, AMERICAN ELECTRIC POWER; AND JEFFREY H. KATZ, ENTERPRISE IT CONSULTANT, PSEG SERVICES CORP. Mr. Weiss. Thank you very much. Good afternoon Mr. Chairman, Ranking Member Clay, and members of the committee. I would like to thank the subcommittee for your commitment to a comprehensive examination of cyber security of the control systems utilized in our Nation's critical infrastructure. I also want to thank you for the opportunity to be here today to discuss this very important topic. My remarks will provide details on one, control systems design considerations and cultural issues; two, control systems cyber vulnerabilities; and three, key activities that need to be addressed and funded to secure control systems. Control systems form the backbone of our critical infrastructures. A control system controls a process such as regulating the flow of water in a power plant or opening a breaker in a substation. I have been working with the key organizations that have a role to play in this area, including the Government, end-users, equipment suppliers, standards organizations, and others, none of which have been adequately coordinated. 
My formal testimony has been reviewed by representatives of DOE's Office of Energy Assurance and the National Energy Technology Lab, DHS' Cyber Security and Protective Security Divisions, the Idaho National Lab, the Sandia National Lab, the General Accounting Office, Carnegie Mellon Software Engineering Institute, the United Telecom Council, and a utility member of the NERC Critical Infrastructure Protection Committee which is responsible for issuing the utility industry cyber security standard. Cyber security has been viewed as an information and IT, or Internet, concern. The basic design assumptions inherent in control systems are they would be stand alone and all control system users would be trusted users. However, competitive pressures have forced businesses to interconnect office and electronic commerce systems with control systems. This has exposed control systems directly to the Internet, Intranets, and remote dial-ups. Additionally, there is also a tradeoff between security and control system performance. There are only a handful of control systems suppliers and they supply industrial applications worldwide. The control systems architectures and default passwords are common to each vendor. Consequently, if one industry is vulnerable, they all could be. Additionally, utilities in North America and elsewhere are able to obtain the source code for electric industry SCADA systems. There have been more than 40 cases where control systems have been impacted by electronic means. These events have occurred in electric power transmission and distribution systems, power generation including fossil, hydro, gas turbine, and nuclear, there have been three commercial nuclear plants with denial of service events, water, oil, gas, chemicals, paper, and agribusiness. Some of these events have actually resulted in damage. 
Actual damage from cyber intrusions has included opening valves resulting in discharge of millions of liters of sewage, opening electric distribution breaker switches, tampering with boiler control settings resulting in shutdown of utility boilers, shutdown of combustion turbine power plants, and shutdown of industrial facilities. The traditional Internet vulnerability tracking organizations, such as the Computer Emergency Response Team [CERT], SANS, and the Computer Security Institute, are focused on traditional Internet and business system exploits and damage. The events and statistics quoted by these organizations do not specifically address control systems. Additionally, none of the control system impacts have been identified by these organizations. This lack of awareness is keeping executives from identifying cyber security as a business imperative. This also results in a quandary, as you brought up earlier. Control systems suppliers are not building secure control systems because they do not believe there is a market, and end-users are not specifying secure control systems because they do not exist and would be more expensive. This lack of awareness concerning control system vulnerabilities and impacts is a gap that needs to be addressed. Consequently, DOE's OEA tasked KEMA and Carnegie Mellon's CERT/CC to perform a scoping study for establishing a CERT for control systems, which we called e-CERT. The funding for establishing and conducting the e-CERT function would be approximately $3 million a year. The investment would substantially improve the reliability and availability of the critical infrastructure as well as providing the awareness necessary. Existing cyber security technology has been developed for business functions and the Internet. Control systems require a degree of timing and reliability not critical for business systems. 
Because of this, employing existing IT security technology in a control system can range from lack of protection to creating a denial of service condition in and of itself. This has actually occurred in attempting to employ encryption in control systems. We do not know the true vulnerabilities of control systems. Penetration testing of business and control systems can lead to system interruption or require the system to be rebooted. Consequently, this testing must stop at confirming control systems can be accessed. The National SCADA Test Bed allows vulnerability testing of control systems to help identify the actual vulnerabilities. This testing will also enable test bed personnel to identify the necessary technologies to mitigate the vulnerabilities. Several suppliers of SCADA systems have already provided systems to the test bed. Adequate funding is lacking, however, to enable the test bed to function in a complete and timely manner. A significant multiyear investment is required, and you will hear from others as to what those estimates are. In summary, there are two key areas that require modest funding to help secure control systems throughout the industrial infrastructure--e-CERT and the National SCADA Test Bed. If these two activities are adequately funded, they can address awareness, minimize vulnerabilities, and evaluate and develop technology to secure control systems. This will minimize the threat of extended blackouts, like what happened on August 14th, and impacts on industrial production which will have a positive impact on the quality of life and security of the American population. Thank you for your time and interest. I would be happy to answer any questions, including about industry coordination. [The prepared statement of Mr. 
Weiss follows:] [GRAPHICS OMITTED: T5799.040 through T5799.049] Mr. Putnam. Thank you, Mr. Weiss. You will undoubtedly get some questions on that. Our next witness is Dan Verton. Mr. Verton is a senior writer and investigative reporter with ComputerWorld Magazine based in Washington, DC, where he covers homeland security, critical infrastructure protection, and Government. Prior to joining ComputerWorld, Mr. Verton was the associate editor for defense at Federal Computer Week. He entered the journalism field after 7 years in the military intelligence community as an intelligence officer in the U.S. Marine Corps. He has a master's degree in journalism from American University in Washington. You are recognized for 5 minutes. Welcome to the subcommittee. Mr. Verton. Thank you, Mr. Chairman. In the interest of time, obviously, I am going to summarize my remarks today, but actually I am going to diverge a little bit from what I had planned to say based on what I have already heard from the previous panel. I think what I have heard so far has been quite instructive for your work in this area. This hearing is supposed to be about SCADA systems security and telecommunications. But, surprisingly, what I heard from the first panel was that we are, in fact, at this current time erecting fences and digging moats around physical facilities that house SCADA systems. So where does this disconnect come from? I have a feeling it comes from the one individual from the Government that I do not see here that I think you would very much benefit from hearing from, which is Amit Yoran. I sat behind Mr. 
Yoran a few weeks ago in the Senate and listened as we were discussing the National Intelligence Estimate that was recently released or was supposed to have been released on the cyber threat to the United States stemming from, specifically, terrorist organizations around the world. And I was a little bit surprised that our director of national cyber security could not answer any general questions about the terrorist threat to the United States in the cyber realm. So I do not think it is necessarily doing anything for us to be creating layered defense in depth in a physical sense when the electronic infrastructure that powers these systems knows no borders. This also I think stems from what I think is a very dangerous approach to countering terrorism in cyberspace, which is the threat independent model. DHS takes a threat independent approach to threats in cyberspace. And what does that mean? That means that we approach terrorist incidents the same way we might approach a hurricane or a flood or an earthquake. And I think the danger that lies in this is that it presents us with a possibility of having the lowest common denominator for security when in fact you are talking about, for example, a hurricane which is very indiscriminate and random, whereas terrorist incidents are very much a highly targeted, very specific incident that might be indiscriminate in the killing and destruction, but it is very much a highly, well-planned incident that we are talking about. And I think we need to take that into consideration when we talk about these critical facilities. Finally, just briefly, I think there is some questions that should be asked about the funding for cyber security in the grant process. We were talking in the first panel about the money that has been made available to the States and localities. But I think there has been some questions raised out there about how that money can be used. 
So while the money may be used to build fences and dig moats around these facilities, I think there is some question out there about how much of it, if any of it, can be used to fund cyber security improvements for the SCADA systems. Basically, I think our challenge today stems from two perspectives. I think we need to try to reverse the intellectual rigidity that surrounds the issues of cyber terrorism. We already knew from evidence prior to August 14th that Al Qaeda had been studying SCADA systems from some of the evidence that we had picked up on the battlefield in the war on terrorism. If there was any doubt in the minds of the terrorists who are also trying to kill us that they should be studying SCADA systems, the international demonstration effective August 14th pretty much eliminated that doubt in their minds. Second, I think if we insist on continuing to refer to these facilities, as we have here today, as critical to national security, we should treat them as such. I am aware of anecdotal evidence from people who are very much involved on the inside of the energy industry that not all people with authorized access to critical control systems are necessarily subjected to background investigations, and this is across the board, it is not just the energy industry. These are individuals with authorized access to the systems that both touch SCADA systems and to SCADA systems themselves. That is a vastly different picture from any national security infrastructure that I have been aware of in my time as an intelligence officer. And just one final point on the Web content, which you were asking about earlier. I wrote an entire book on the fact that the information we make available to the people who are trying to do us harm is really, as was mentioned, beyond the pale. It is unbelievable what you can find on the Internet. Now the genie may be out of the bottle already. But let me give you an example of just what I was able to dig up during my research. 
There are Web sites that provide interactive maps of the entire natural gas pipeline system in the United States. And they are not flat files. They give you latitude and longitude for every critical interconnection point in the United States, including the most critical interconnection point for the natural gas industry in the country. Some 40-plus percent of the entire GDP of natural gas passes through this one interconnection point. And you can not only find the latitude and longitude, but you can find the terrain features surrounding the particular point. And you can do this for the entire United States. I found that on the Internet during my research, including long-haul telecommunications termination points along the entire Eastern Seaboard, so on and so forth. So I think there is an argument to be made for a public policy approach to what we provide on the Internet, who we provide it to, and whether or not there is a business case for any of this information being out there. So with that, Mr. Chairman, I will be happy to answer any questions. [The prepared statement of Mr. Verton follows:] [GRAPHICS OMITTED: T5799.050 through T5799.057] Mr. Putnam. Thank you very much. Our next witness is Gerald Freese. Mr. Freese is the director of enterprise information security at American Electric Power. In this capacity, he is responsible for defining, developing, and executing all information security programs to effectively protect AEP data and systems. He is responsible for regulatory compliance and critical infrastructure protection for cyber security, and has been instrumental in the development of the NERC cyber security standards for the energy industry. He is a recognized security and infrastructure protection expert. 
He is American Electric Power's primary data security architect. You are recognized for 5 minutes. Welcome to the subcommittee. Mr. Freese. Good afternoon, Chairman Putnam, and members of the subcommittee. Thank you for offering me the opportunity to speak with you today. I am testifying as a representative of American Electric Power, as the director of enterprise information security of one of the largest utilities in the United States with over 11 States of operation and 5 million customers. Today I will be discussing issues of supervisory control and data acquisition, telecom interdependencies, and critical infrastructure protection. Energy utilities use a number of communications media to connect various SCADA system components, from private microwave to fiber networks and public networks. Each of these transport methods enables the data flow to and from SCADA networks and also creates the potential pathways of attacks. In telecom network interface roles, there are a number of device exploits of instances of malicious code that can effectively disable SCADA information flow. The point to take away from this is basically that SCADA and telecom vulnerabilities are not mutually exclusive. The growth of open systems is compounding the SCADA/telecom vulnerability issue. By use of common technology sets, public telecom providers are increasing the susceptibility of SCADA and telecom resources to multiple attacks from anywhere in the world. The open systems, with lower cost, ease of use, provide attackers with the same benefits as legitimate users enjoy. While we cannot effectively halt the move toward open system, we can work to establish best practices in security to counteract potential exploitation. Availability of engineering and data system expertise is another factor. In Pakistan, American energy companies and vendors helped design the Pakistani infrastructure based on the U.S. model. In Afghanistan, analysis of recovered computers, as Mr. 
Verton mentioned, shows that terrorists were engaged in research on software and programming instructions for distributed control and SCADA systems. This and the vast amount of data on energy SCADA and telecommunications available through open sources, such as the electric industry publications, FERC filings, and on the Internet strongly support the assumption that there are few, if any, SCADA or telecom system unknowns and no boundaries on accessibility to the information. The growth of open systems technology and increasing ranks of the computer skilled show us that there is no logical basis for discounting the possibility of cyber attacks against targeted telecommunications and SCADA systems or components.

The U.S.-Canadian task force investigation following the August 14, 2003 blackout concluded in its interim report that the outage across a large portion of the United States and Canada was not caused by malicious cyber events. If we substitute some well-known forms of intentional attack as the cause of the initial line malfunction, we can see that many forms of internal or external intrusion could bring the same net result. If we take that concept one step further, coordinated attacks against multiple vulnerable systems and networks over the Internet and other telecom resources could redirect processes, manipulate data and equipment, and eventually disrupt service across entire regions.

The foundation of critical infrastructure protection lies, first of all, in awareness that it is a responsibility across both private and Government domains. It must be a priority in industry backed by executive support and viewed as an incentive to investment, not a roadblock. For example, at AEP security implementation is listed in the third paragraph of the annual report, which is quite an accomplishment. Industry, with government support, must take the lead in information sharing. This is one of the critical aspects of critical infrastructure protection.
To that end, there must be a greater protection of information from public disclosure. The ISACs, the Information Sharing and Analysis Centers, through public and private collaboration, must work toward consolidating information on risk-based vulnerability assessments and remediation and extending security best practices across all critical infrastructure sectors. Cost recovery initiatives with similar information protection must be supported at the State level with the possibility of Federal tax incentives for industry to defray the significant cost of current and future security. All of these activities will provide the necessary backdrop for the diverse U.S. critical infrastructure to comply with voluntary industry standards and eliminate the need for Federal regulation. Mr. Chairman, that concludes my statement. I would be happy to answer any questions.

[The prepared statement of Mr. Freese follows:]

Mr. Putnam. Thank you, Mr. Freese. Our fourth, and final, witness for the second panel is Jeffrey Katz. Mr. Katz is the enterprise IT consultant for PSEG Services Corp., a subsidiary of Public Service Enterprise Group, Inc., in Newark, NJ, which, among other things, serves 77 percent of New Jersey's population and is the State's largest utility. Mr. Katz has held a number of management positions within PSEG and PSEG Services Corp. in his 34 years with the companies. For the last 7, Mr. Katz has concentrated exclusively on wireless telecommunications projects and systems. Mr. Katz is also the former two-term mayor of his community. Welcome to the subcommittee. You are recognized for 5 minutes.

Mr. Katz. Thank you, Mr. Chairman, and members of the committee. I am here today testifying on behalf of the United Telecom Council as the Chair of its Public Policy Division.
I will discuss the impact of Federal and State policies on critical infrastructures [CI] SCADA systems. UTC is the association that represents the telecom interests of America's CI entities. UTC and its association partners represent virtually every electric, gas, and water utility, and every communications network used to operate, control, and maintain our Nation's critical infrastructure.

Today our Nation depends upon reliable and available services provided by CI SCADA supported systems. They are critical and essential to the health, safety, and welfare of our Nation and our people. Just as our Nation depends upon CI services, every CI entity depends upon telecommunication systems for SCADA, telemetry, command and control, remote actuation, and protective relaying operations. In addition, for both routine communications and during disasters and outages, CI entities depend upon private internal data and voice networks to direct the work force and to restore service.

From a broad policy perspective, we ask the committee and Congress to consider this question. What Federal or State policies, laws, or regulations impact negatively upon CI's ability to avoid service interruptions, to reduce their duration and scope, and to make CI, including SCADA systems, less vulnerable to attack by non-physical intrusion? For a detailed discussion on that issue, I would refer the committee to my written testimony. However, in a nutshell, UTC asks the committee to consider these five points.

First, public access to sensitive radio frequency data provides information useful to those who would do us harm. The Federal system of record, the FCC's universal licensing system, is available to the general public through the Internet. Wireless CI, SCADA, telemetry, command and control, voice and data systems can be compromised using information contained within the FCC's public data bases.
This information must be made less public, either through creation of a confidential licensing category, or by providing the FCC with other authorities, such as that enjoyed by NTIA, to make confidential certain CI spectrum use data. UTC also encourages providing NTIA with authority to share spectrum with non-Federal CI entities to assure greater confidentiality of spectrum use data.

Second, CI data is made public unnecessarily through the FCC's pole attachment regulations with little regard to infrastructure safety. Pursuant to FCC rules, maps of utility infrastructure must be made available to potential attachers upon the most minimal of showings. Moreover, those who would attach fiber optic cable or other equipment to utility infrastructure are permitted to employ third party contractors rather than personnel trained to observe strict safety regulations. The FCC's original limited jurisdiction over utility infrastructure is being stretched to the point of endangering worker and public safety. That authority should be balanced by safety-based jurisdiction elsewhere in the Federal Government.

Third, CI investment to improve and better secure communications systems is discouraged because such investments often are not immediately recoverable in rates and because the spectrum in which SCADA systems operate is not exclusive. Regulated entities recover capital investment costs through rate relief. Rate cases are time consuming, tedious, costly, and must be filed in each State in which the utility serves customers. However, most utilities have a multistate presence that would require consistent cost recovery schemes between and among the States involved. SCADA systems are system-wide and not limited to the borders of a single State.
Prudent and necessary investments in enhanced security, reliability, and functionality should be recoverable immediately in rates, without the need to file a rate case in each State, and the specifics of the investment should be privileged and confidential. Furthermore, the investment must be protected. CI entities are reluctant to invest in new wireless SCADA systems because the spectrum is not exclusive. This subjects SCADA systems to interference that can compromise effectiveness.

Fourth, State and local governments should receive guidance from the Federal Government as to what security expenditures and investments should be considered reasonable. UTC does not advocate that additional mandates be imposed on CI to ensure SCADA and/or telecommunications system security. This panel has heard my colleague's testimony about industry efforts already underway and the ideal role that the Federal Government should play. However, in an area as complex as homeland security, State and local governments and regulators look to the Federal Government for guidance on what constitutes reasonable investment. CI entities that invest in security measures meeting defined guidelines should expect to win cost recovery approval from State regulators. Federal guidance would facilitate investments not only by larger investor-owned utilities, but also by co-ops and municipals, all of which are faced with severe budget constraints and are under constant pressure to control rates.

Fifth, and finally----

Mr. Putnam. If you could just summarize.

Mr. Katz. The plain fact, there is also a push on the part of many Federal agencies who believe that commercial wireless services can substitute for private internal networks. Quite frankly, they are even more vulnerable than anything that we could build ourselves. When power fails, it is commercial networks that go down first.
Plus, they do not have a ubiquitous presence throughout an operating territory for any particular critical infrastructure entity, and they just cannot be relied upon. There is no exclusivity, no reliability, and no availability that is guaranteed to us. This basically summarizes my comments, Mr. Chairman. I would be happy to answer any questions that you may have.

[The prepared statement of Mr. Katz follows:]

Mr. Putnam. Thank you very much, and I appreciate your patience with the bells. And I appreciate all of your patience with the fact that we have three votes pending which will take about 30 minutes to handle. So with that, the subcommittee will recess. Feel free to get something cold to drink or hang loose and we will be back in approximately 30 minutes. The subcommittee is in recess.

[Recess.]

Mr. Putnam. The subcommittee will reconvene. I want to thank the witnesses for their patience and tolerance of the congressional voting schedule. We will go right into questions since we did complete the opening testimony before we recessed. Let me begin with Mr. Weiss. When communication systems are installed in SCADA systems, how much consideration is given to security, in your opinion?

Mr. Weiss. Let me respond to the question with a question. What do you mean by ``communication systems?''

Mr. Putnam. The method of transmission of instructions, the network connections.

Mr. Weiss. OK. In general, and I am going to give you a general statement that may not apply to everybody, and I am also phrasing it as a control system, not just a specific SCADA, usually security is not a critical aspect in a design of a control system. The implementation is usually most concerned with meeting performance specs.
And the other thing that it is usually very much concerned with is the ability to communicate with the different systems that are being identified in that specification. There are very few specifications that include security.

Mr. Putnam. So very few considerations then are given to eavesdropping, disruption, issues like that?

Mr. Weiss. Correct.

Mr. Putnam. Mr. Freese, Mr. Katz, or Mr. Verton, would you like to add anything to that question? Mr. Freese.

Mr. Freese. Yes, Mr. Chairman, I would. Although it is true historically that when it came to developing SCADA digital control systems, there was not security planned up front. But I know, speaking for AEP and a lot of other companies, we have since integrated security into all of those applications, as many SCADA systems as we possibly can because we do understand the need to secure those resources. So it has become now commonplace for a lot of companies to introduce security up front in the planning process, and then retrofitting on those areas that we did not have security prior to this.

Mr. Putnam. Mr. Katz.

Mr. Katz. Thank you, Mr. Chairman. I think what we need to do is delineate a difference between then and now. A lot of legacy systems that are installed and still in place probably do not have a lot of security on them. To upgrade them would either mean replacing them or redesigning them and investing considerable dollars to do so. Newer systems that are being implemented take into account security concerns. They are generally taken into account in the RFP stage and all the way through. But I am more concerned about the legacy systems and the fact that if we are going to upgrade, we do need to make a significant investment in that. And in the utility business every investment competes with every other one. Hierarchy is a priority.
A substation transformer in danger of failure may cost $2.5 million to replace and that may end up displacing another project, because if you cannot capture the investment cost through a rate increase, then you need to do it either with cash-flow or bonds or stock and none of them is a particularly great alternative. But if it increases the reliability of the utility plant, it is something that we would rather see the ratepayers--I think any utility would rather see the ratepayers pay. But that takes a rate case and many BPUs and public utility commissions are reluctant to entertain rate cases except once every 5 or 6, or 7 or 8 years.

Mr. Putnam. What is the average age of a control system? Whomever may answer that one.

Mr. Weiss. The average age of a control system in a power plant is probably on the order of maybe 5 years old. SCADA systems in utilities, not in, if you will, the independent system operators because the ISOs are fairly new, but SCADAs in electric utilities are probably, again, just a rough order, probably 7 to 10 years old.

Mr. Putnam. And what about non-electric utilities--water control systems, flood control structures, things of that nature?

Mr. Weiss. At least in those that I have dealt with, a lot of these industries, particularly water, flood control, etc., in a sense just recently put in automation and so they have, if you will, newer systems. But here is the other thing I think that maybe is important to point out. In a control system, there are really two aspects. One is where the operator sits, that is usually a Microsoft-based or a Unix-based operator screen. And in a spec, it is pretty straightforward, if you will, to specify that type of security. The other part of the control system is where you have the field devices, those things that actually measure temperatures, voltages, currents, and do the real-time calculations. That is where we really do not have the security technology at all yet. So putting that in a spec does not help.
It does where you have the operator interface but not at the actual control. That is part of what I am hoping, and I am not speaking for anybody but myself, this is what I am hoping will come out of the National SCADA Test Bed.

Mr. Putnam. That was a point that I made in panel I, that the main facility is of less concern to me than the field facilities at the weir, at the dam, at the valve or the pump or whatever. Let me follow up on your point. A lot of those non-electric utility systems are only recently automated, meaning that they are newer, perhaps have more security hopefully built into them. But as a consequence, if there is a failure of those systems, have they removed the ability to manually override whatever it is, and are people adequately trained to do it the old fashioned way? Or are they out there with their palm pilots or their wireless or their computer and they are being told exactly which valve, which line, which wire, and, absent electronic assistance, they are unable to make whatever corrective actions they need to make?

Mr. Freese. Mr. Chairman, if I may. In our remote substations, for example, we have a lot of them that require either an in person interface or some other type of control that can be used at a short range or short distance to be effective. Our people are trained in both the electronic means and the manual means. The problem with security, as you were mentioning at the remote substations, for example, or any of the substations that are equipped with data concentrators or RTUs are using computers. The problem with the more remote you get, the more difficult it is to keep security up to date; for example, antivirus, operating system patches, those types of things. So there is always kind of a lag between what needs to be done and what is done. And that is one of the focuses of the energy industry right now is to try to remedy that.

Mr. Putnam. Mr. Verton, you were very blunt in your assessment of where we are.
Walk us through a plausible scenario for a terrorist act against using one of these control systems or SCADA systems, if you would.

Mr. Verton. Well, Mr. Chairman, we have already seen some examples in recent history where disgruntled insiders have done things like let loose raw sewage by hacking into sewage treatment facilities in Australia. But my biggest point, I think the best example would be the August 14th blackout which, while it was not a deliberate act of terrorism, it was most likely a self-inflicted wound, if you will. The demonstration effect of what happened afterwards and the fact that these systems are vulnerable to electronic disruption means that we cannot discount a scenario that includes a deliberate disruption of electric power throughout a major metropolitan area of the country that is quickly followed up by a preplanned series of physical traditional terrorist attacks. For example, we saw thousands of people caught in the subway systems in Manhattan who were sitting ducks for a chemical or biological attack. We saw people coalescing by the thousands on the streets who could have been the targets of a suicide bomber or something of that nature. So these types of scenarios are by no means what you might consider a Hollywood movie script. They are very much possible.

Also I might add, we started in the first panel talking about the physical vulnerabilities of these systems. The physical aspects of cyber terrorism are something that we have not paid a lot of attention to. But you can conduct the same sorts of denial of service attacks in an electronic sense by physically destroying key nodes in the electronic infrastructure. When certain nodes are taken off line, it could ripple out of control throughout other various portions of the infrastructure and other sectors of the economy.
So you do not necessarily have to conduct an electronic attack sitting there with a computer, but you can, if you have access, physically destroy certain nodes and cause similar effects that you can then go ahead and take advantage of. Does that answer your question, Mr. Chairman?

Mr. Putnam. Yes. The counter argument to adequate preparation has been that the economic case just is not there for a number of local governments, municipalities, States, and private sector to invest in the security upgrades. Is that a flawed economic model, or is it an accurate economic model? And what could we do to encourage those investments in those upgrades? And I will begin with Mr. Katz and then work my way back toward Mr. Weiss.

Mr. Katz. Speaking on behalf of the UTC and the industry in general, I think one of the things that the industry would not encourage are specific mandates to the industry about how to proceed with regard to investments in infrastructure. Certainly, if the industry were asked to come up with specific plans and guidelines or industry standards and best practices, that ought to happen within some reasonable timeframe. But the real dichotomy here is that investment needs to be recaptured, money has to be spent, and it is real dollars. So you have to spend money and you better have the money to spend. So where do you get the money? If it is not through rate relief, or the sale of bonds, or the sale of stock, no one is going to just come over and hand us a bundle of money, and we are not asking for specific grants from the Federal Government either because we are the private sector. But if it takes that, we are certainly not going to turn it down. The thing is that nobody really wants to be subject to mandated standards because the industry itself, the entire critical infrastructure component of the Nation is so diverse.
A set of standards for a water company, a set of standards for electric companies, chemical, railroad, pipelines, you cannot adopt the same exact standard across the entire industry range. It is going to take some kind of voluntary cooperative effort on the part of Government and private sector in order to come up with a set of standards. That is the first thing.

The other thing is that if there is an uncertain regulatory environment with regard to the technologies that we implement, we do not want our assets or our investments to be stranded. So, for example, if there is really some good technology out there for wireless SCADA control, because we have point-to-point, end-to-end control over the infrastructure itself, as communications medium is independent of the common carrier, it is owned entirely by the critical infrastructure entity that is going to use it, so it is private wireless facilities, then the problem arises as to why was it exclusive, is it going to be subject to interference. Could some future regulation end up forcing us to compromise the security of that system simply because it is not really ours to use, it is part of some grant from a Federal agency, either the NTIA or the FCC. So it is a combination of factors and I am not really sure what the real answer is. But I think the industry itself needs to be given a chance to come up with a set of standards and best practices first, and perhaps a major investment in the INL labs is going to be very helpful in that regard.

Mr. Putnam. Mr. Freese.

Mr. Freese. I will go back to the budget question, the economic question. There are many companies, ours is one of them, who have expended millions in the last couple of years to improve security. Of course, we are going after cost recovery options with the States on these things and, again, we are trying to get people to listen to us based on tax incentives, things like that. However, I kind of go back to this is an awareness issue, first off.
A company has to first of all have executive support for security, understand its responsibilities in the critical infrastructure organization. It is also an investor-incentive. At some point we are going to be judged on how secure is our company and how safe an investment is it in the face of all of the potential threats that are out there. To that end, we are following the NERC cyber security standards, first iteration of those, industry-based standards, and hoping to get other companies on board with those standards as well so we can all work toward information sharing, collaboration on security. I think budget is an important issue but a company that is serious about infrastructure protection will allocate funds for security, for both a business case and a security case.

Mr. Putnam. Does the cyber security take a backseat to physical security?

Mr. Freese. It does not take a back seat. In our organization, we moved security out of IT and out of facilities, to both under risk management. So we are part of enterprise risk management right now. The budget is pretty much allocated among the two sectors and we have been doing a very comprehensive program of physical security upgrades for our substations and plants as well as cyber security upgrades of our SCADA systems. So we try to split it fairly equitably among both of those sectors.

Mr. Putnam. Mr. Weiss.

Mr. Weiss. I see three areas. Again, I am trying to answer more as a technologist, if you will. The first one is the business case. One of the most difficult things I have seen is that it is difficult for an executive to justify protecting a system if he does not think it is at risk. And that is such a great importance to the CERT for control systems. If an executive realizes that his system is at risk and systems like his have been compromised, there is much more of a reason that he would be willing to spend the money.
The second thing is that as technology stands today, there is not technology, as I mentioned, to secure the control system itself. What there is are, as mentioned, best practices. They are policies, they are procedures, they are audit functions, if you will, the low hanging fruit. The longer term is the work with the test bed to develop the technology.

The other piece, and I think this is important too because it is a big issue in the cyber world, we have a culture issue in many companies--this is not electric power, this is across the board--and the culture issue is between the IT organization and the operational organization. We need to figure out how to resolve that because many operational organizations feel that IT is more of a menace to them than somebody from the outside. And we need to be able to address that because IT has that security expertise. So it is, if you will, a multifaceted problem.

Mr. Putnam. Mr. Verton, what policies can be enacted that would encourage businesses to make the investment in security?

Mr. Verton. Mr. Chairman, just to answer that question directly, I think the insurance industry in other sectors of the economy is already making great strides to offer favorable insurance rates to companies that meet certain standards and guidelines. There are one or two companies now that are offering those types of incentives. That is a type of effort that would do the one thing that is not happening right now, which is the national strategy to protect cyberspace only works if all of the infrastructure sectors are moving simultaneously forward. You cannot have one sector of the economy moving ahead of the others. So that is a type of a very simple way to get companies to apply these simple standards and practices.

Now if I could answer the previous question. My opinion is that the current economic model is flawed. I believe that the sellers will continue to sell what the buyers are buying.
And the problem is that too much of the burden has been shifted to the end-user and the consumer of the technology as opposed to the developers. Right now the buyers are buying a lot of junk and they are being told to bear the burden to secure it after the fact. I know you are doing a lot of work on that particular type of issue, working with both the vendor and the end-user community.

Standards and best practices are fine but they only work when they are applied equally across the board. You cannot have a standard or a best practice that is not mandatory for everybody involved in this particular infrastructure. Somebody is always going to be somebody else's weakest link. So if they opt out, you have not really improved security for the entire infrastructure. In that regard, suggestions that cost money go nowhere unless you have some sort of mandatory requirement to meet some sort of standard.

I find it very ironic that the only thing from what I can see that has resulted in an across the board, cross industry, cross sector improvement in security has been the one thing that the software industry and the hardware industry pretty much have been dead set against, which is regulation. Sarbanes-Oxley, HIPAA, and some other regulations have been the only thing that have really driven an across the board substantive improvement in security. And I think it is very ironic that the one thing that the developers of software and other technologies are dead set against is the only thing that seems to have worked so far.

Mr. Putnam. So you do not see an industry-based, volunteer, collaborative effort as being successful?

Mr. Verton. No, I do not think I would go that far.
But my opinion is that the private sector, when faced with tough choices, when it comes to making a choice between spending a lot of money that they cannot afford to secure the systems because they are being told that they own and operate a national security infrastructure, they need somebody to help them with that. The Government cannot tell them that it is their responsibility without saying and here is how we are willing to help you. Because private sector is not in the business of being defenders of America. This is an unprecedented situation in American history, in my opinion, that so much of our national security and our economic stability is in the hands of private companies. So if you are going to ask the private sector to bear the burden, you also have to come to the table with some practical suggestions on how that burden is going to be shared.

Mr. Freese. Mr. Chairman, may I add something to that?

Mr. Putnam. You may.

Mr. Freese. From the energy industry's perspective, we are not asking the Government to do everything for us or to give us all the money for all the security implementation we need to have done. We are asking to help prepare us for the extraordinary security event, extraordinary threat and attack on the energy industry. The other things we will take care of ourselves. But we try to get some assistance on the major upgrades, major changes across the industry.

Mr. Putnam. I hear what you are saying. But as somebody who is in business, granted, you have to meet a higher standard when you are a public utility or a private utility.

Mr. Freese. Right.

Mr. Putnam. But at the end of the day, we have to strike some balance between addressing vulnerabilities and doing a good, thorough risk assessment and then trying to be all things for all potential threats. And I do not know where that line is.
You squeeze the balloon here and you tighten up there, you dig deeper moats and you build taller fences, and then you have the cyber threat and so you move to the cyber threat, and in the meantime your fences have gotten rusty and your moats have filled in with sand and so you have to go back and dig those out deeper and replace the fence, and then technology has changed and everybody has gotten ahead of themselves, and then terrorists give up on attacking a new plant when all they really have to do is go into a shopping mall and use low tech devices that are being used in the Middle East on a regular basis.

As we wade through all this stuff and you start adding up what it would take to secure the magic 1,700 that DHS has now identified, knowing how many tens of thousands are not on that list, you are going to go out of business making yourself secure. You are not investing in R&D, you are not investing in upgrades of the service that is your core mission because every ounce of profit is going back into something that is not generating economic growth. It is a dead-end issue economically. So I do not know where the line is. You have an obligation to do certain things. But I do not know that you have an obligation to imagine every conceivable bad threat, malicious attack that a gazillion people are out there trying to think of against the United States. It just makes your head hurt, doesn't it?

What is the role of the Department of Homeland Security in this effort? And are they the right group of folks to fill this mission on the cyber threat, particularly on control systems?

Mr. Verton. I will take that, Mr. Chairman.

Mr. Putnam. Go right ahead.

Mr. Verton. Since I started the frontal attack, if you will, on DHS. My opinion has been pretty much the same as that of Mr. Richard Clarke, you might have heard of him recently, that the position of cyber security has been, not the individual but the position, demoted.
I think that right now the position is several layers down below where it needs to be. Basically, it has been removed from a Presidential advisor role to an advisor to an Assistant Secretary level. And I do not think that Mr. Yoran at the moment has the ability to see things that need to be fixed and take immediate action. So I think there is still some thought that needs to be given to the current organizational structure of DHS, particularly with respect to the role of cyber.
Mr. Putnam. Is there a Presidential level advisor on chemical-biological-radiological-nuclear devices?
Mr. Verton. I believe there is still a Presidential level advisor for terrorism. The problem being, if I know the history correct, as Mr. Clark has told it, a special position was created for cyber terrorism that was recommended by Mr. Clark and he I think had every intention of remaining a Presidential level advisor until the DHS proposal came around and it was placed in the DHS, unfortunately not up at the secretary level but several layers below.
Mr. Putnam. I think it is real easy to get hung up on what the flow chart is instead of what the mission is. Any other thoughts on that, Mr. Weiss?
Mr. Weiss. Yes. My thoughts are a little bit different. Control systems are not unique to any single industry. To be able to protect control systems, that function needs to reside in whatever organization has the widest breadth to cover the most industries. DOE's function is really energy. But the same, for example, Honeywell control system that is in a power plant is also in a refinery, it is also in a water plant, it is in a chemical plant, it is in a paper mill. So I am really giving you more of a question back. But the real issue in where this needs to reside is what is the organization that will really cover the industrial infrastructure because that is where the vulnerability lies.
Mr. Putnam. Within the overall universe of cyber threats, are threats to SCADA systems the greatest of cyber threats because of their connection to the physical infrastructure?
Mr. Weiss. Again, I am going to answer this as a control system engineer. The reason I believe that cyber threats are, if you will, critical to control systems, our control systems were not designed to be protected from them. So what is happening is you have a much less resistant system. It is also a system that has a lot higher consequence if something happens to it. I hope, because I am not a policy person, that the number of threats to these systems are much less than they are to other places. But the other systems, in general, have been designed or supposedly have been designed to resist those other threats.
Mr. Putnam. Mr. Verton.
Mr. Verton. Mr. Chairman, I will answer that question from a terrorism perspective. I think the answer is absolutely yes, only because any time you have computers that control real things in the real world that have public safety implications, they inherently immediately become a potential target for terrorists. So I think my technical colleagues on the panel would agree that description fits the bill for SCADA systems, if you will, across industries. So, yes, I think from a terrorism perspective, they are a primary national security concern.
Mr. Putnam. Mr. Freese.
Mr. Freese. I agree with Mr. Verton. Again, a lot of the energy industry agrees with Mr. Verton because they are trying to secure their control systems as much as they can. It is a huge task and it is going to take a long time.
Mr. Katz. I would agree with that, too. From the perspective of critical infrastructure industries, the threat to SCADA systems and command and control systems is probably much greater and would have greater consequences than threats to our standard traditional data processing systems.
Mr. Putnam. How helpful would a SCADA-specific cert be?
Mr. Weiss. I believe from all of the meetings I have had with different industries, through ISA, through IEEE, through all of these different organizations, when the concept of a cert from control systems is brought up, it is almost always on the top of the list of what they think would be most helpful.
Mr. Putnam. Does everyone agree with that? OK. Let the record reflect that everyone agrees with that. Let us talk about public disclosure. I am going to start with the reporter on this one. I always love hearing their views on open records. Telecom systems use control systems that require the public spectrum, that is an FCC issue, disclosure is an important part of it. As you know, blueprints, plans, designs, electrical wiring, circuitry, everything is generally available and easily accessible. What are your thoughts on restricting that?
Mr. Verton. Mr. Chairman, I am obviously interested as a journalist, somebody who would be interested in finding this information and publishing it. But there have been many cases where I have not published information because of my own concerns and understanding of the damage it could do. Now I may be unique among journalists in that respect. I think there is a lot that can be done about restricting not necessarily the disclosure of the information, but how it is communicated to the people that need to know it. Let me give you some examples of some very recent post-September 11 security assessments that were done just on public Web sites for major, major corporations in, of all places, Lower Manhattan. A CIA psychological profiler was hired to do a study of the Web sites of various large Fortune 500 companies to find out to what extent the content of their Web sites would make them targets of Al Qaeda.
This particular survey found detailed maps and drawings of air conditioning and ventilation systems for large office complexes, it found the load bearing capacities of elevators, it found private data on some of the senior executives, the number of people present at any one office facility and where they worked, some banks had posted, for example, notices that they had frozen Al Qaeda related bank accounts for the world to see, support for globalization issues which we know has been known to stimulate portions of the Al Qaeda network. So there needs to be a business case and a balance struck between what you post on the Internet and maybe how you communicate it to the people who need to know certain information. For example, a local community has every right to know that they are living within striking distance of a dangerous chemical facility. They want to know that their children are potentially in danger. But do we need to post, for example, detailed information on that facility to the people in that particular community? Do we need, for example, to post detailed information on a uranium mining facility so that a potential terrorist could figure out how to do the most harm? And that is the balance that needs to be struck. From a private sector perspective, the companies that own and operate the critical infrastructures need to take a look at what they are putting out in the public to determine whether or not it serves their business. If it does not serve their business, they need to start asking themselves hard questions as to why are we putting it out there to begin with. And a lot of these companies fall into that first category of putting our air conditioning and ventilation diagrams for their office complexes. It makes absolutely no sense from a sales or a marketing perspective.
Mr. Putnam. Does the public have a right to know that there is a site in their community that is 1 of the 1,700 identified lead targets?
Mr. Verton. I think a community has a right to know if that 1 of 1,700 is a dangerous chemical facility or a nuclear reactor of some sort. Certainly, they have a right to know that they are living within a danger zone. The question becomes how do you communicate that to the public and to what level do you communicate that information. I found, for example, I found a map of the entire United States with the locations of all spent nuclear fuel storage facilities on the Internet. Did that need to be up there post-September 11? I am not sure. To my knowledge, it was eventually taken down by the Department of Energy. So that is the type of balance we need to strike, in my opinion.
Mr. Putnam. Our right to know in the past, particularly with the types of sites we are talking about here, was driven by environmental concerns. And now we are talking about terror threat-based concerns which are somewhat different. You have a right to know if a particular chemical plant is discharging X number of pounds of sulfur per year that has been known to have a connection to higher incidents of cancer or whatever. All that kind of stuff that is imbedded in our environmental law. But what are the consequences of letting the world know what we think the top 1,700 are; meaning that everything that is not on the top 1,700 has a lesser degree of preparation or prevention, and what effect does that have on your business? Obviously, if you run a nuclear plant, I do not think being on the top 1,700 is going to be a surprise to anyone. It is not going to affect your insurance rate and it is not going to affect who your neighbors are; they are pretty well aware of what they bought into when they moved to the neighborhood. But the rubric that they used was public health and safety, economic, which is very nebulous, symbolic, which is extraordinarily subjective and nebulous, and national security, which that ought to be fairly identifiable.
But people living next to a tourist attraction might think that is a pretty good thing, not realizing that it also might be a target for terrorists. So, as we move down this road, and I wish there were Members here from the other side of the aisle because they have an outstanding record, as do most Members of Congress, pushing for increased public disclosure, a very rigid FOIA law. But as we deal with these new issues, we have to have this debate. And I do not know where we end up. Mr. Katz.
Mr. Katz. Thank you, sir. It is part of the dichotomy of the entire process; and that is, yes, the public is entitled to know certain things that may harm them, and at the same time there is certain information that we make available because it is required to be made available that can fall into the wrong hands and be used against us. For example, Mr. Verton refers to why would a utility market anything that deals with its infrastructure and its office building about air conditioning systems. Well, it does not do that. If we are building an office building, at least in my State, we are probably going to have to get local land-use approval, we are going to be before a planning board or a zoning board of adjustment. Once that is approved, now we are going to have to file plans with the building department and secure all proper permits. So all of those mechanical drawings, all of the electrical infrastructure, everything about that building is now public record because it is in the building department in the municipality that is issuing the permits. So that is a public record. Anybody who wants to find that can go get it. We have Federal agencies that we need to deal with that also disclose information to the public. At the same time, we all comply with SARA Title III. And in the local level, every business and industry in a community has to report to its local Office of Emergency Management once each year all of the chemicals and hazardous substances that it has onsite.
That is available to the public and it is also available to anybody who wants to go break in to those facilities to be able to steal harmful materials and use them against us. So, yes, I agree that there is a need for public disclosure. As a former chief executive officer of a municipality, yes, the public should know these things. But to what extent do we let them know about certain things that could be used against us in a manner that hurts a lot of people? And that is a wonderful policy issue for Congress to deal with, and, Mr. Chairman, I wish you an awful lot of luck with that. But, yes, it is there and I think we all recognize it.
Mr. Putnam. At what point does disclosure become harmful in and of itself?
Mr. Katz. Exactly.
Mr. Putnam. Disclosure is intended to protect the public from harm. But at what point does disclosure become harmful? And that is clearly something we are going to have to deal with. I do not know what ill purpose the public is served by not having access to the blueprint of a nuclear power plant. I cannot think of how the public is poorly served by not knowing that, or knowing the precise latitude and longitude of switches and valves and everything else. But I am sure that there are plenty of people who would be happy to tell me what they are. At this point, we are going to bring this in for a landing. I want to give all of you the opportunity to give closing remarks, deal with any issue that you came prepared to discuss that we did not get to, or add your closing thoughts on the topic in general. We will begin with Mr. Weiss and move down the table. Mr. Weiss, you are recognized.
Mr. Weiss. First of all, I wanted to thank you for inviting me here. I very much appreciate that. I also appreciate that this discussion itself took place. I just want to reiterate three things. One is that control systems are truly important but security was never a basic premise when they were designed. They need to be protected.
The second part is that there really needs to be a business case for their protection. And that is part of where that e-cert comes in. The third part is we need an adequately funded test bed for, if you will, the entire infrastructure to be able to evaluate and develop and demonstrate technologies to secure these, and, to me, that is the SCADA test bed. So, thank you.
Mr. Putnam. Thank you. Mr. Verton.
Mr. Verton. Mr. Chairman, thank you very much again for having me here today. I will just close by saying that I feel that these are very dangerous times for us post-September 11 because I think we are entering a phase where we are potentially becoming dangerously complacent because of the fact that nothing has happened since September 11. Particularly in the electronic realm of this problem, the threat of cyber terrorism, as we have been discussing today, faces a very significant perception problem because people do not think that people who are trying to kill us are interested in these tactics, they do not think that they are capable of it. I have documented plenty of instances arguing the opposite point of view in that. I will just say that I think this is an urgent national security matter. Also, I would hope that the private sector gets some sort of real practical assistance in this effort to make sure that these systems are secured in a way that works for everybody.
Mr. Putnam. Thank you. Mr. Freese.
Mr. Freese. Taking the information disclosure one step further, a lot of the discussions earlier from the Government side focused on industry and Government cooperation, providing information to each other to help secure the critical infrastructure. But I think it needs to go further. Right now, I think there needs to be a better awareness between Government and industry of what the scope of the threat really is.
I think they have to make a joint commitment that they have to work together, not just lip service like we have always heard, but something that is concrete, some kind of a plan that we will work together. This will require better information protection for information submitted from utilities, between utilities, to the States. All of those things have to be addressed. Right now, a lot of the blockage on getting things done--for example, the 1,700 list from the States is derived in a lot of cases without energy companies or other infrastructure organizations providing what they consider to be critical. The State says I think that is critical, let's send it in. They ask the infrastructure organizations for information. How can you protect my information if I give it to you? If you cannot, I cannot provide it. So there is kind of a roadblock there. We need to eliminate that roadblock as soon as possible.
Mr. Putnam. Mr. Katz.
Mr. Katz. I agree, gentlemen. So I am not going to duplicate that. On behalf of UTC, I would just like to thank the committee for its time and attention to this matter. I think it is extremely important to all of us. It is certainly important to the critical infrastructure industries. And one of the areas in which the Federal Government could really be helpful is if there could be just one Federal agency with accountability and responsibility to push this effort through. Right now, DHS is still organizing itself, the other independent Federal agencies do not see a lot of these issues as in their ballpark or part of their jurisdiction. So it would be very, very helpful if there was one point of contact within the Federal Government for all of this in cyber security. And I agree with Mr. Verton. I think the level of attention that needs to be paid to cyber security at the Executive level probably needs to be raised. With the departure of a cyber security czar, it probably is not there anymore.
And I realize there are a number of national priorities and this is just one of them. But it is an important one and you have the folks here who are involved with that on a day-to-day basis and we recognize it as being important. But we do need some Federal leadership on this and the public sector will help and the private sector will cooperate to the extent that it needs to in order to get the job done because it helps all of us.
Mr. Putnam. Thank you, all of you for your comments. I would urge you to keep DHS' feet to the fire and help us do the same. At some point the excuse that they are a new department will cease to be valid. It has already reached that point with me. It is no longer an issue. They have had their 1 year anniversary, they have cut the cake, and now no more excuses. So we thank all of you very much for your candor and insight and for your patience with the disjointed nature of this hearing. I also want to thank Mr. Clay and Mrs. Miller for their participation and interest in this issue. In the event that there may be additional questions that we did not have time for today, the record will remain open for 2 weeks for submitted questions and answers. With that, the subcommittee stands adjourned.
[Whereupon, at 5:17 p.m., the subcommittee was adjourned, to reconvene at the call of the Chair.]
[Additional information submitted for the hearing record follows:]
[GRAPHIC] [TIFF OMITTED] T5799.067
[GRAPHIC] [TIFF OMITTED] T5799.068
[GRAPHIC] [TIFF OMITTED] T5799.069
[GRAPHIC] [TIFF OMITTED] T5799.070
[GRAPHIC] [TIFF OMITTED] T5799.071