This is the accessible text file for GAO report number GAO-12-507T entitled 'Cybersecurity: Challenges in Securing the Modernized Electricity Grid' which was released on February 28, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives: For Release on Delivery: Expected at 10:15 a.m. EST: Tuesday, February 28, 2012: Cybersecurity: Challenges in Securing the Modernized Electricity Grid: Statement of Gregory C. Wilshusen, Director: Information Security Issues: David C. Trimble, Director: Natural Resources and Environment: GAO-12-507T: GAO Highlights: Highlights of GAO-12-507T, a testimony before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives. Why GAO Did This Study: The electric power industry is increasingly incorporating information technology (IT) systems and networks into its existing infrastructure as part of nationwide efforts—-commonly referred to as the “smart grid” -—aimed at improving reliability and efficiency and facilitating the use of alternative energy sources such as wind and solar. Smart grid technologies include metering infrastructure (“smart meters”) that enable two-way communication between customers and electricity utilities, smart components that provide system operators with detailed data on the conditions of transmission and distribution systems, and advanced methods for controlling equipment. The use of these systems can bring a number of benefits, such as fewer and shorter outages, lower electricity rates, and an improved ability to respond to attacks on the electric grid. However, this increased reliance on IT systems and networks also exposes the grid to cybersecurity vulnerabilities, which can be exploited by attackers. Moreover, for nearly a decade, GAO has identified the protection of systems supporting our nation’s critical infrastructure-—which include the electric grid—-as a governmentwide high-risk area. GAO is providing a statement describing (1) cyber threats facing cyber- reliant critical infrastructures and (2) key challenges to securing smart grid systems and networks. In preparing this statement, GAO relied on its previously published work in this area. What GAO Found: The threats to systems supporting critical infrastructures are evolving and growing. In a February 2011 testimony, the Director of National Intelligence noted that there had been a dramatic increase in cyber activity targeting U.S. computers and systems in the previous year, including a more than tripling of the volume of malicious software since 2009. Varying types of threats from numerous sources can adversely affect computers, software, networks, organizations, entire industries, and the Internet itself. These include both unintentional and intentional threats, and may come in the form of targeted or untargeted attacks from criminal groups, hackers, disgruntled employees, hostile nations, or terrorists. The interconnectivity between information systems, the Internet, and other infrastructures can amplify the impact of these threats, potentially affecting the operations of critical infrastructures, the security of sensitive information, and the flow of commerce. Moreover, the smart grid’s reliance on IT systems and networks exposes the electric grid to potential and known cybersecurity vulnerabilities, which could be exploited by attackers. As GAO reported in January 2011, securing smart grid systems and networks presented a number of key challenges that required attention by government and industry. These included: * A lack of a coordinated approach to monitor industry compliance with voluntary standards. The Federal Energy Regulatory Commission (FERC) is responsible for regulating aspects of the electric power industry, which includes adopting cybersecurity and other standards it deems necessary to ensure smart grid functionality and interoperability. However, FERC had not, in coordination with other regulators, developed an approach to monitor the extent to which industry will follow the voluntary smart grid standards it adopts. As a result, it would be difficult for FERC and other regulators to know whether a voluntary approach to standards setting is effective. * A lack of security features built into smart grid devices. According to a panel of experts convened by GAO, smart meters had not been designed with a strong security architecture and lacked important security features. Without securely designed systems, utilities would be at risk of attacks occurring undetected. * A lack of an effective information-sharing mechanism within the electricity industry. While the industry has an information-sharing center, it had not fully addressed the need for sharing cybersecurity information in a safe and secure way. Without quality processes for sharing information, utilities may lack information needed to protect their assets against attackers. * A lack of metrics for evaluating cybersecurity. The industry lacked metrics for measuring the effectiveness of cybersecurity controls, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. Until such metrics are developed, utilities may not invest in security in a cost- effective manner or be able to make informed decisions about cybersecurity investments. GAO made several recommendations to FERC aimed at addressing these challenges. The commission agreed with these recommendations and described steps it is taking to implement them. View [hyperlink, http://www.gao.gov/products/GAO-12-507T]. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or David C. Trimble at (202) 512-3841 or trimbled@gao.gov. [End of section] Chairman Stearns, Ranking Member DeGette, and Members of the Subcommittee: Thank you for the opportunity to testify at today's hearing on assessments of security for the smart grid. As you know, the electric power industry is increasingly incorporating information technology (IT) systems and networks into its existing infrastructure (e.g., electricity networks including power lines and customer meters) as part of nationwide efforts--commonly referred to as the "smart grid"--aimed at improving reliability and efficiency and facilitating the use of alternative energy sources (e.g., wind and solar). Along with these anticipated benefits, however, cybersecurity and industry experts have expressed concern that, if not implemented securely, smart grid systems will be vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security. In addition, since 2003 we have identified protecting systems supporting our nation's critical infrastructure (which includes the electric grid) as a governmentwide high-risk area, and we continue to do so in the most recent update to our high-risk list.[Footnote 1] In our testimony today, we will describe (1) cyber threats facing cyber-reliant critical infrastructures, which include the electric grid,[Footnote 2] and (2) key challenges to securing smart grid systems and networks. In preparing this statement in February 2012, we relied on our previous work in this area, including a review of efforts to secure the smart grid and associated challenges.[Footnote 3] The products upon which this statement is based contain detailed overviews on the scope of our reviews and the methodology we used. The work on which this statement is based was performed in accordance with generally accepted government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives. Background: The electricity industry, as shown in figure 1, is composed of four distinct functions: generation, transmission, distribution, and system operations. Once electricity is generated--whether by burning fossil fuels; through nuclear fission; or by harnessing wind, solar, geothermal, or hydro energy--it is generally sent through high- voltage, high-capacity transmission lines to local electricity distributors. Once there, electricity is transformed into a lower voltage and sent through local distribution lines for consumption by industrial plants, businesses, and residential consumers. Because electric energy is generated and consumed almost instantaneously, the operation of an electric power system requires that a system operator constantly balance the generation and consumption of power. Figure 1: Functions of the Electricity Industry: [Refer to PDF for image: illustration] Flow of power: Generators: Transmission system; System operations; Substation; Distribution system to final customers: Offices; Homes; Factories. System operations coordinates the balancing of the generation and consumption of power for final customers. Source: GAO analysis. [End of figure] Utilities own and operate electricity assets, which may include generation plants, transmission lines, distribution lines, and substations--structures often seen in residential and commercial areas that contain technical equipment such as switches and transformers to ensure smooth, safe flow of current and regulate voltage. Utilities may be owned by investors, municipalities, and individuals (as in cooperative utilities). System operators--sometimes affiliated with a particular utility or sometimes independent and responsible for multiple utility areas--manage the electricity flows. These system operators manage and control the generation, transmission, and distribution of electric power using control systems--IT-and network- based systems that monitor and control sensitive processes and physical functions, including opening and closing circuit breakers. [Footnote 4] As we have previously reported, the effective functioning of the electricity industry is highly dependent on these control systems.[Footnote 5] However, for many years, aspects of the electricity network lacked (1) adequate technologies--such as sensors-- to allow system operators to monitor how much electricity was flowing on distribution lines, (2) communications networks to further integrate parts of the electricity grid with control centers, and (3) computerized control devices to automate system management and recovery. Smart Grid Aims to Modernize the Electricity Infrastructure: As the electricity industry has matured and technology has advanced, utilities have begun taking steps to update the electricity grid--the transmission and distribution systems--by integrating new technologies and additional IT systems and networks. Though utilities have regularly taken such steps in the past, industry and government stakeholders have begun to articulate a broader, more integrated vision for transforming the electricity grid into one that is more reliable and efficient; facilitates alternative forms of generation, including renewable energy; and gives consumers real-time information about fluctuating energy costs. This vision--the smart grid--would increase the use of IT systems and networks and two-way communication to automate actions that system operators formerly had to make manually. Smart grid modernization is an ongoing process, and initiatives have commonly involved installing advanced metering infrastructure (smart meters) on homes and commercial buildings that enable two-way communication between the utility and customer. Other initiatives include adding "smart" components to provide the system operator with more detailed data on the conditions of the transmission and distribution systems and better tools to observe the overall condition of the grid (referred to as "wide-area situational awareness"). These include advanced, smart switches on the distribution system that communicate with each other to reroute electricity around a troubled line and high-resolution, time-synchronized monitors--called phasor measurement units--on the transmission system. Figure 2 illustrates one possible smart grid configuration, though utilities making smart grid investments may opt for alternative configurations depending on cost, customer needs, and local conditions. Figure 2: Common Smart Grid Components: [Refer to PDF for image: illustration] System operator control and data center: * Advanced control methods, such as distribution automation; * Improved interfaces, such as distribution system modeling software. Wind turbines; Generator; Transmission system; Phasor measurement unit; Two-way communication between System operator control and data center and Substation; Distribution system, including Smart switches; Factory; Offices; Homes: Smart meter with Substation; Home area network; Smart appliances; Home monitoring of electricity data; Electric vehicle. Source: GAO analysis. [End of figure] According to the National Energy Technology Laboratory, a Department of Energy (DOE) national laboratory supporting smart grid efforts, smart grid systems fall into several different categories: * Integrated communications, such as broadband over power line communication technologies or wireless communications technologies. * Advanced components, such as smart switches, transformers, cables, and other devices; storage devices, such as plug-in hybrid electric vehicles and advanced batteries; and grid-friendly smart home appliances. * Advanced control methods, including real-time monitoring and control of substation and distribution equipment. * Sensing and measurement technologies, such as smart meters and phasor measurement units. * Improved interfaces and decision support, which includes software tools to analyze the health of the electricity system and real-time digital simulators to study and test systems. The use of smart grid systems may have a number of benefits, including improved reliability from fewer and shorter outages, downward pressure on electricity rates resulting from the ability to shift peak demand, an improved ability to shift to alternative sources of energy, and an improved ability to detect and respond to potential attacks on the grid. Regulation of the Electricity Industry: Both the federal government and state governments have authority for overseeing the electricity industry. For example, the Federal Energy Regulatory Commission (FERC) regulates rates for wholesale electricity sales and transmission of electricity in interstate commerce. This includes approving whether to allow utilities to recover the costs of investments they make to the transmission system, such as smart grid investments. Meanwhile, local distribution and retail sales of electricity are generally subject to regulation by state public utility commissions. State and federal authorities also play key roles in overseeing the reliability of the electric grid. State regulators generally have authority to oversee the reliability of the local distribution system. The North American Electric Reliability Corporation (NERC) is the federally designated U.S. Electric Reliability Organization, and is overseen by FERC. NERC has responsibility for conducting reliability assessments and enforcing mandatory standards to ensure the reliability of the bulk power system--i.e., facilities and control systems necessary for operating the transmission network and certain generation facilities needed for reliability. NERC develops reliability standards collaboratively through a deliberative process involving utilities and others in the industry, which are then sent to FERC for approval. These standards include critical infrastructure protection standards for protecting electric utility-critical and cyber-critical assets. Federal Smart Grid Activities: The Energy Independence and Security Act of 2007 (EISA)[Footnote 6] established federal support for the modernization of the electricity grid and required actions by a number of federal agencies, including the National Institute of Standards and Technology (NIST), FERC, and DOE. With regard to cybersecurity, the act called for NIST and FERC to take the following actions: * NIST was to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems. As part of its efforts to accomplish this, NIST planned to identify cybersecurity standards for these systems and also identified the need to develop guidelines for organizations such as electric companies on how to securely implement smart grid systems. In January 2011,[Footnote 7] we reported that NIST had identified 11 standards involving cybersecurity that support smart grid interoperability and had issued a first version of a cybersecurity guideline.[Footnote 8] * FERC was to adopt standards resulting from NIST's efforts that it deemed necessary to ensure smart grid functionality and interoperability. The act also authorized DOE to establish two initiatives to facilitate the development of industry smart grid efforts. These were the Smart Grid Investment Grant Program and the Smart Grid Regional Demonstration Initiative. DOE made $3.5 billion and $685 million of American Recovery and Reinvestment Act ("Recovery Act")[Footnote 9] funds available for these two initiatives, respectively. The Smart Grid Investment Grant Program provided grant awards to utilities in multiple states to stimulate the rapid deployment and integration of smart grid technologies, while the Smart Grid Regional Demonstration Initiative was to fund regional demonstrations to verify technology viability, quantify costs and benefits, and validate new business models for the smart grid at a scale that can be readily adopted around the country. The federal government has also undertaken various other smart-grid-related initiatives, including funding technical research and development, data collection, and coordination activities. In January 2012, the DOE Inspector General reported that cybersecurity plans submitted by Smart Grid Investment Grant Program recipients were not always complete or they did not describe intended security controls in sufficient detail.[Footnote 10] The report also stated that DOE officials approved cybersecurity plans for smart grid projects even though some of the plans contained shortcomings that could result in poorly implemented controls. The report recommended, among other things, that DOE ensure that grantees' cybersecurity plans were complete, including thorough descriptions of potential security risks and related mitigation through necessary controls. The responsible DOE office stated that it will continue to ensure that the security plans are complete and are implemented properly. Smart Grid Is Potentially Vulnerable to a Variety of Cyber Threats: Threats to systems supporting critical infrastructure--which includes the electricity industry and its transmission and distribution systems--are evolving and growing. In February 2011, the Director of National Intelligence testified that, in the past year, there had been a dramatic increase in malicious cyber activity targeting U.S. computers and networks, including a more than tripling of the volume of malicious software since 2009.[Footnote 11] Different types of cyber threats from numerous sources may adversely affect computers, software, networks, organizations, entire industries, or the Internet. Cyber threats can be unintentional or intentional. Unintentional threats can be caused by software upgrades or maintenance procedures that inadvertently disrupt systems. Intentional threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled employees, foreign nations engaged in espionage and information warfare, and terrorists. Moreover, these groups have a wide array of cyber exploits at their disposal. Table 1 provides descriptions of common types of cyber exploits. Table 1: Common Cyber Exploits: Type of exploit: Cross-site scripting; Description: An attack that uses third-party web resources to run script within the victim's web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log key strokes, capture screen shots, discover and collect network information, and remotely access and control the victim's machine. Type of exploit: Denial-of-service; Description: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. Type of exploit: Distributed denial-of-service; Description: A variant of the denial-of-service attack that uses numerous hosts to perform the attack. Type of exploit: Logic bomb; Description: A piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met. Type of exploit: Phishing; Description: A digital form of social engineering that uses authentic-looking, but fake, e-mails to request information from users to direct them to a fake website that requests information. Type of exploit: Passive wiretapping; Description: The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data. Type of exploit: SQL injection; Description: An attack that involves the alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database. Type of exploit: Trojan horse; Description: A computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms by, for example, masquerading as a useful program that a user would likely execute. Type of exploit: Virus; Description: A computer program that can copy itself and infect a computer without the permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate. Type of exploit: War driving; Description: The method of driving through cities and neighborhoods with a wireless-equipped computer--sometimes with a powerful antenna-- searching for unsecured wireless networks. Type of exploit: Worm; Description: A self-replicating, self-propagating, self-contained program that uses network mechanisms to spread itself. Unlike computer viruses, worms do not require human involvement to propagate. Type of exploit: Zero-day exploit; Description: An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed time frame between public discoveries of both makes it difficult to defend against. Source: GAO analysis of data from NIST, the United States Computer Emergency Readiness Team, and industry reports. [End of table] The potential impact of these threats is amplified by the connectivity between information systems, the Internet, and other infrastructures, creating opportunities for attackers to disrupt critical services, including electrical power. For example, in May 2008, we reported that the corporate network of the Tennessee Valley Authority (TVA)--the nation's largest public power company, which generates and distributes power in an area of about 80,000 square miles in the southeastern United States--contained security weaknesses that could lead to the disruption of control systems networks and devices connected to that network.[Footnote 12] We made 19 recommendations to improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures and 73 recommendations to address specific weaknesses in security controls. TVA concurred with the recommendations and has taken steps to implement them. As government, private sector, and personal activities continue to move to networked operations, the threat will continue to grow. We have reported[Footnote 13] that cyber incidents can affect the operations of energy facilities, as the following examples illustrate: * Stuxnet. In July 2010, a sophisticated computer attack known as Stuxnet was discovered. It targeted control systems used to operate industrial processes in the energy, nuclear, and other critical sectors. It is designed to exploit a combination of vulnerabilities to gain access to its target and modify code to change the process. * Browns Ferry power plant. In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device. * Northeast power blackout. In August 2003, failure of the alarm processor in the control system of FirstEnergy, an Ohio-based electric utility, prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. When several key transmission lines in northern Ohio tripped due to contact with trees, they initiated a cascading failure of 508 generating units at 265 power plants across eight states and a Canadian province. * Davis-Besse power plant. The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant's process computer failed, and it took about 6 hours for it to become available again. Smart Grid Faces Cybersecurity Vulnerabilities: While presenting significant potential benefits, the smart grid vision and its increased reliance on IT systems and networks also expose the electric grid to potential and known cybersecurity vulnerabilities, which could be exploited by a wide array of cyber threats. This creates an increased risk to the smooth and reliable operation of the grid. As we and others have reported,[Footnote 14] these vulnerabilities include: * an increased number of entry points and paths that can be exploited by potential adversaries and other unauthorized users; * the introduction of new, unknown vulnerabilities due to an increased use of new system and network technologies; * wider access to systems and networks due to increased connectivity; and: * an increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use. We and others have also reported that smart grid and related systems have known cyber vulnerabilities. For example, cybersecurity experts have demonstrated that certain smart meters can be successfully attacked, possibly resulting in disruption to the electricity grid. In addition, we have reported that control systems used in industrial settings such as electricity generation have vulnerabilities that could result in serious damages and disruption if exploited.[Footnote 15] Further, in 2009, the Department of Homeland Security, in cooperation with DOE, ran a test that demonstrated that a vulnerability commonly referred to as "Aurora" had the potential to allow unauthorized users to remotely control, misuse, and cause damage to a small commercial electric generator. Moreover, in 2008, the Central Intelligence Agency reported that malicious activities against IT systems and networks have caused disruption of electric power capabilities in multiple regions overseas, including a case that resulted in a multicity power outage.[Footnote 16] Securing Smart Grid Systems and Networks Presents Challenges: In our January 2011 report, we identified a number of key challenges that industry and government stakeholders faced in ensuring the cybersecurity of the systems and networks that support our nation's electricity grid.[Footnote 17] Among others, these challenges included the following: * Lack of a coordinated approach to monitor whether industry follows voluntary standards. As mentioned above, under EISA, FERC is responsible for adopting cybersecurity and other standards that it deems necessary to ensure smart grid functionality and interoperability. However, FERC had not developed an approach coordinated with other regulators to monitor, at a high level, the extent to which industry will follow the voluntary smart grid standards it adopts. There had been initial efforts by regulators to share views, through, for example, a collaborative dialogue between FERC and the National Association of Regulatory Utility Commissioners (NARUC), which had discussed the standards-setting process in general terms. Nevertheless, according to officials from FERC and NARUC, FERC and the state public utility commissions had not established a joint approach for monitoring how widely voluntary smart grid standards are followed in the electricity industry or developed strategies for addressing any gaps. Moreover, FERC had not coordinated in such a way with groups representing public power or cooperative utilities, which are not routinely subject to FERC's or the states' regulatory jurisdiction for rate setting. We noted that without a good understanding of whether utilities and manufacturers are following smart grid standards, it would be difficult for FERC and other regulators to know whether a voluntary approach to standards setting is effective or if changes are needed.[Footnote 18] * Lack of security features being built into certain smart grid systems. Security features had not been consistently built into smart grid devices. For example, according to experts from a panel convened by GAO, currently available smart meters had not been designed with a strong security architecture and lacked important security features, such as event logging[Footnote 19] and forensics capabilities, which are needed to detect and analyze attacks. In addition, these experts stated that smart grid home area networks--used for managing the electricity usage of appliances and other devices in the home--did not have adequate security built in, thus increasing their vulnerability to attack. Without securely designed smart grid systems, utilities may not be able to detect and analyze attacks, increasing the risk that attacks would succeed and utilities would be unable to prevent them from recurring. * Lack of an effective mechanism for sharing cybersecurity information within the electricity industry. The electricity industry lacked an effective mechanism to disclose information about smart grid cybersecurity vulnerabilities, incidents, threats, lessons learned, and best practices in the industry. For example, experts stated that while the industry has an information-sharing center, it had not fully addressed these information needs. According to these experts, information regarding incidents such as both successful and unsuccessful attacks must be able to be shared in a safe and secure way; this is crucial to avoid publicly revealing the reported organization and penalizing entities actively engaged in corrective action. Such information sharing across the industry could provide important information regarding the level of attempted attacks and their methods, which could help grid operators better defend against them. In developing an approach to cybersecurity information sharing, the industry could draw upon the practices and approaches of other industries. Without quality processes for information sharing, utilities may not have the information needed to adequately protect their assets against attackers. * Lack of industry metrics for evaluating cybersecurity. The electricity industry was also challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. Experts noted that while such metrics[Footnote 20] are difficult to develop, they could help in comparing the effectiveness of competing solutions and determining what mix of solutions best secure systems. Further, our panel of experts noted that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, increased risk exists that utilities will not invest in security in a cost-effective manner or be able to have the information needed to make informed decisions about their cybersecurity investments. Accordingly, in our January 2011 report, we made multiple recommendations to FERC, including that it develop an approach to coordinating with state regulators to evaluate the extent to which utilities and manufacturers are following voluntary smart grid standards and develop strategies for addressing any gaps in compliance with standards that are identified as a result. We further recommended that FERC, working with NERC as appropriate, assess whether commission efforts should address any of the cybersecurity challenges identified in our report. FERC agreed with our recommendations and described steps the commission intended to take to address them. We are currently working with FERC officials to determine the status of their efforts to address these recommendations. In summary, the electricity industry is in the midst of a major transformation as a result of smart grid initiatives and this has led to significant investments by many entities, including utilities, private companies, and the federal government. While these initiatives hold the promise of significant benefits, including a more resilient electric grid, lower energy costs, and the ability to tap into alternative sources of power, the prevalence of cyber threats aimed at the nation's critical infrastructure and the cyber vulnerabilities arising from the use of new technologies highlight the importance of securing smart grid systems. In particular, it will be important for federal regulators and other stakeholders to work closely with the private sector to address key cybersecurity challenges posed by the transition to smart grid technology. While no system can be made 100 percent secure, proven security strategies could help reduce risk to an acceptable level. Chairman Stearns, Ranking Member DeGette, and Members of the Subcommittee, this completes our statement. We would be happy to answer any questions you have at this time. Contact and Acknowledgments: If you have any questions regarding this statement, please contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or David C. Trimble at (202) 512-3841 or trimbled@gao.gov. Other key contributors to this statement include Michael Gilmore (Assistant Director), Jon R. Ludwigson (Assistant Director), Paige Gilbreath, Barbarol J. James, and Lee A. McCracken. [End of section] Footnotes: [1] GAO's biennial high-risk list identifies government programs that have greater vulnerability to fraud, waste, abuse, and mismanagement or need transformation to address economy, efficiency, or effectiveness challenges. We have designated federal information security as a high-risk area since 1997; in 2003, we expanded this high-risk area to include protecting systems supporting our nation's critical infrastructure--referred to as cyber-critical infrastructure protection, or cyber CIP. See, most recently, GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [2] Federal policy established 18 critical infrastructure sectors: banking and finance; chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; food and agriculture; government facilities; health care and public health; information technology; national monuments and icons; nuclear reactors, materials, and waste; postal and shipping; transportation systems; and water. [3] GAO, Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, [hyperlink, http://www.gao.gov/products/GAO-11-117] (Washington, D.C.: Jan. 12, 2011). [4] Circuit breakers are devices used to open or close electric circuits. If a transmission or distribution line is in trouble, a circuit breaker can disconnect it from the rest of the system. [5] GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, [hyperlink, http://www.gao.gov/products/GAO-07-1036] (Washington, D.C.: Sept. 10, 2007). [6] Pub. L. No. 110-140 (Dec. 19, 2007). [7] [hyperlink, http://www.gao.gov/products/GAO-11-117]. [8] NIST Special Publication 1108, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, January 2010 and NIST Interagency Report 7628, Guidelines for Smart Grid Cyber Security, August 2010. [9] Pub. L. No. 111-5 (Feb. 17, 2009). [10] U.S. Department of Energy, Office of Inspector General, Office of Audits and Inspections, Audit Report: The Department's Management of the Smart Grid Investment Grant Program, OAS-RA-12-04 (Washington, D.C.: Jan. 20, 2012). [11] Director of National Intelligence, Statement for the Record on the Worldwide Threat Assessment of the U.S. Intelligence Community, statement before the Senate Select Committee on Intelligence (Feb. 16, 2011). [12] GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks, [hyperlink, http://www.gao.gov/products/GAO-08-526] (Washington, D.C.: May 21, 2008). [13] [hyperlink, http://www.gao.gov/products/GAO-07-1036] and [hyperlink, http://www.gao.gov/products/GAO-12-92]. [14] [hyperlink, http://www.gao.gov/products/GAO-11-117]. [15] [hyperlink, http://www.gao.gov/products/GAO-07-1036]. [16] The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (Washington, D.C.: May 29, 2009). [17] [hyperlink, http://www.gao.gov/products/GAO-11-117]. [18] In an order issued on July 19, 2011, FERC reported that it had found insufficient consensus to institute a rulemaking proceeding to adopt Smart Grid interoperability standards identified by NIST as ready for consideration by regulatory authorities. While FERC dismissed the rulemaking, it encouraged utilities, smart grid product manufacturers, regulators, and other smart grid stakeholders to actively participate in the NIST interoperability framework process to work on the development of interoperability standards and to refer to that process for guidance on smart grid standards. Despite this result, we believe our recommendations to FERC in GAO-11-117, with which FERC concurred, remain valid and should be acted upon as consensus is reached and standards adopted. [19] Event logging is the capability of an IT system to record events occurring within an organization's systems and networks, including those related to computer security. [20] Metrics can be used for, among other things, measuring the effectiveness of cybersecurity controls for detecting and blocking cyber attacks. [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.