August 05, 2020
WASHINGTON, D.C. – Today, U.S. Senator Angus King (I-Maine), co-chair of the Cyberspace Solarium Commission, pushed top officials in charge of cybersecurity and energy systems in the U.S. Department of Energy (DOE), the Federal Energy Regulatory Commission (FERC), and private sector companies on the importance of regularly red teaming and penetration testing (pentesting) their own infrastructure to identify cybervulnerabilities and bolster their defenses. Senator King’s questioning came during a Senate Energy and Natural Resources Committee hearing focusing on the federal and private sector efforts underway to improve cybersecurity for the energy industry, including how to improve coordination on various cyber issues and critical infrastructure protection initiatives.
“Mr. O’Brien, do you red team your system? Do you do pentesting to see whether you have vulnerabilities, do you have hackers for hire to test the security of your system?” asked Senator King.
Thomas O'Brien, Senior Vice President and Chief Information Officer at PJM Interconnection, replied: “Yes, thank you for the question Senator King. We do a couple things, one is we do continuous red teaming, and we partner with an outside firm that’s constantly probing our systems and looking for issues. Secondly, we do what we call compromised assessments, we’ve brought in our top forensics company…to comb through our network looking for issues. Finally, we do internal audits and penetration testing. So yes we do. Thank you.”
“That’s very reassuring,” said Senator King. “I want to ask Mr. Gates...the same question. Do you – I was very disturbed a year or two ago when we had a hearing on this subject. When I asked the fellow from NERC ‘do you red team? do you pentest?’, and the answer was ‘I don’t think so’ or something to that effect. Do you, as the agencies that are looking after this incredibly important infrastructure, do you do penetration testing and red teaming on the networks that you’re responsible for, Mr. Gates?”
Alexander Gates, Senior Advisor, Office of Policy for Cybersecurity, Energy Security, & Emergency Response (CESER) at the U.S. Department of Energy responded that he was unsure if CESER’s current authorities allow the agency to do the red teaming and pentesting on federally owned assets and private networks for which the agency is responsible, “…We could do more, perhaps we should do more, I don’t know if it gets to the level of pentesting or redteaming. There are people on my staff who would love to take that on. But again, right now in the role with the responsibilities and authorities [CESER] have, and partnerships it is advisory service that we’re providing at this point.”
“Well if you need additional authorities, I hope you will take for the record a question to let us know what additional authorities you need. I don’t see how you can carry out a mission of protecting the grid without testing the grid’s vulnerability,” Senator King concluded.
Senator King is a leader in urging the United States to improve its posture in cyberspace, and has consistently pushed to strengthen the security of U.S. energy infrastructure. Last December, his Securing Energy Infrastructure Act, bipartisan legislation also cosponsored by Senator Jim Risch (R-Idaho), was enacted into law. The legislation passed as part of the FY2020 National Defense Authorization Act (NDAA), and will develop defenses for the U.S. energy grid through partnerships between the National Laboratories and industry. The partnerships will utilize engineering concepts to remove vulnerabilities that could allow hackers to access the grid and the nation’s critical infrastructure. Yesterday, Senator King joined fellow co-chairs and commissioners of the Cyberspace Solarium Commission to present key cybersecurity recommendations to the Senate Armed Services Subcommittee on Cyber. In recent months, Senator King has joined members of the Commission to detail the CSC’s recommendations before the House of Representatives Committee on Armed Services, the House of Representatives Committee on Homeland Security, and the Senate Committee on Homeland Security and Government Affairs.
Today’s hearing featured testimony from Alexander Gates, Senior Advisor, Office of Policy for Cybersecurity, Energy Security, & Emergency Response at the U.S. Department of Energy; Joseph McClelland, Director, Office of Energy Infrastructure Security, Federal Energy Regulatory Commission; Steve Conner, President and CEO, Siemens Energy, Inc.; and Thomas O'Brien, Senior Vice President and Chief Information Officer, PJM Interconnection.