PJM Senior Vice President Thomas F. O’Brien appeared before the U.S. Senate Committee on Energy & Natural Resources Wednesday, and said partnership and collaboration with stakeholders and industry partners is essential to protecting cybersecurity threats that target the bulk power system.
“No one can do it by themselves,” O’Brien said in his testimony to the committee led by U.S. Sen. Lisa Murkowski (R-AK), who chaired the hearing with ranking member U.S. Sen. Joe Manchin (D-WV).
Senators asked questions of each of the witnesses, which included representatives of the U.S. Department of Energy (DOE), the Federal Energy Regulatory Commission (FERC), and Siemens in addition to O’Brien.
Coordination and Information Sharing Discussed
In his testimony, O’Brien noted that PJM depends on classified and non-classified bulletins and information sharing led by the DOE, the North American Electric Reliability Corporation (NERC) and the Electricity Information Sharing and Analysis Center (E-ISAC), O’Brien said, emphasizing that critical information is duly protected.
Clear, timely information sharing is essential, he said, because “risk management must be informed by learning, understanding and appreciation of the adversary,” O’Brien said.
Along the lines of protecting critical information, Chairman Murkowski asked FERC about its present Critical Energy Infrastructure Information (CEII) standards for the public release of energy-flow data and other CEII, and if it should use a “need to know” rather than a “right to know” approach – a subject that has been raised before in the committee through proposed legislation.
“Red Teaming” and Coordination
Among other issues, senators inquired as to whether grid operators like PJM or the DOE are performing “red team” and cybersecurity penetration tests on members, and whether NERC or the DOE should have that oversight authority.
“Red teaming” refers to the work of independent security teams that simulate cyberattacks to test an organization’s vulnerabilities and response capabilities.
In keeping with evolving industry practices, O’Brien noted, PJM employs stress testing of its own systems, which includes red-teaming and penetration exercises, in addition to routine compromise assessments, rigorous audits, exercises with industry partners and internal training. PJM also conducts extensive background checks of both PJM staff and contractors, he added.
O’Brien made clear that PJM does not have the authority presently to undertake such activities with its members, but he underscored the degree of coordination among member companies interacting with PJM to ensure a cyber-secure environment.
Sen. Manchin indicated his intent to follow up with NERC on this matter.
Investment in Resources and Personnel Needed
Besides timely information sharing and coordination between the U.S. DOE, FERC, industry, suppliers, NERC and others, the committee also explored defense protocols, techniques, training opportunities and the need for additional resources and incentives.
Growing sophistication by cybersecurity adversaries requires additional resources, committee members noted.
“There are legacy systems and older systems out there,” O’Brien said. “We know how sophisticated the adversaries are. We need to be able to detect a bad actor. That will require increased investment.”
Inside PJM and the industry, workforce development is also critical, O’Brien said. PJM employs rotational development programs internally and partners with academic institutions, the U.S. Dept. of Defense and the U.S. Dept. of Energy. In addition, the E-ISAC conducts workshops for continuous learning.
“We need to look at diversity and inclusion as an opportunity for untapped potential,” he added.
O’Brien’s full testimony is available on the PJM website.
Original source: PJM