
DOW

September 9, 2005

The Dow Chemical Company
Midland, Michigan 48674

The Honorable Sherwood Boehlert
Chairman, Science Committee
US House of Representatives
2320 Rayburn Office Building
Washington, DC 20515

Dear Chairman Boehlert:

Thank you for the invitation to testify before the Committee on Science of the U.S. House of Representatives on September 15th for the hearing entitled "Cybersecurity: How Can the Government Help Address Vulnerabilities in Critical Industries?" In accordance with the Rules Governing Testimony, this letter serves as formal notice of the federal funding I currently receive related to the hearing topic.

I received no federal funding directly supporting the subject matter on which I testified, in the current fiscal year or either of the two preceding fiscal years.


Chairman BOEHLERT. Thank you very much, Mr. Kepler.
Mr. Freese.

STATEMENT OF MR. GERALD S. FREESE, DIRECTOR OF ENTERPRISE INFORMATION SECURITY, AMERICAN ELECTRIC POWER

Mr. FREESE. Mr. Chairman and distinguished Members of this committee, thank you for the opportunity to appear before you today.

My name is Gerry Freese, Director of Enterprise Information Security at American Electric Power. I am also here representing the North American Electrical Reliability Council in Princeton, New Jersey.

AEP is the largest provider of electricity in the country with over five million customers in 11 states, and I am responsible for information security for all corporate and operational systems and networks, including those used in the operation of the bulk power system.

Before I address the three questions posed to the presenters, I would like to preface my remarks.

In the aftermath of Hurricane Katrina, we have seen the suffering and the unprecedented devastation in Louisiana and Mississippi. We have seen the confusion and chaos when essential services were no longer functioning. We have seen how critical infrastructure can be destabilized and destroyed when links are broken in its complex chain of multiple interdependencies. Whether the cause is a natural disaster or a terrorist attack, the impact on people and the economy is horrendous.

Critical infrastructure industries, by virtue of their interdependencies, have a responsibility to work across all sectors, and this includes the Federal Government, to mitigate risk, ensure service continuity and an expeditious recovery in the event of a natural or manmade disaster.

This hearing is timely in its intent to explore means to expand the cooperation and collaboration between the private and public critical infrastructure sectors.

Now for responses to the three questions.

For the first question, the electricity sector has, in many cases, developed its own telecommunications network for conducting electricity operations, but it is steadily becoming more reliant on public networks. The electric sector uses these public networks for many functions, with the net result that its interfaces with the telecommunications sector have become more numerous and complex. Both sectors are working together to better understand their levels of operational integration and the ways in which a vulnerability in either of these sectors impacts the other.

Because of these complex and critical interdependencies, it is fairly clear that serious damage or disruption of telecommunications could seriously undermine the operation and reliability of the electricity infrastructure. Accordingly, the electric sector has taken some decisive steps to secure the cyber and physical resources and will continue to invest in comprehensive and effective security measures. We have interim cyber security standards in place right now and are working diligently to move through the approval process for a permanent, more expansive critical infrastructure protection standard.

The final product will strengthen cyber security across the electric sector and lay the groundwork for greater collaboration between industry and government.

In response to the second question, the electric industry views government entities, such as DHS and DOE, as partners in sector cyber security. In fact, we have worked extensively with DHS, DOE representatives, the National Labs, and others to try and identify areas of focus for good security and determine means to carry out what we all see as primary responsibilities for national security.

We believe the office of the Assistant Secretary for Cyber Security and Telecommunications should focus on several specific areas covering private and public sector cooperation. These areas center on greater awareness of critical infrastructure interdependencies,

information sharing between government and the private sector, and true, non-prescriptive partnerships. I would be happy to elaborate on those three points in the question-and-answer period, if it is possible.

As to the third question regarding possible research and development opportunities, the electric sector is interested in continuing to work closely with DOE on the work being done at the Idaho National Lab. We believe it holds great promise as one of the best and most efficient means of stimulating research and developing technical solutions to the present cyber security problems. DOE and DHS have provided leadership and support on this initiative, and the electricity industry is committed to its success.

Regarding inadequacies of the electric sector security solution, the present electric infrastructure has been built over many years and various types of process control systems produced by a diverse set of vendors. These legacy systems are a large part of the reason that new technology security solutions cannot be more widely deployed across the industry.

The long-term solution to this is to begin a process of rebuilding the old infrastructure with the ultimate goal of replacing it with next-generation equipment and technology. The new infrastructure would be based on greater levels of security and reliability with enhanced design recognition of the interdependencies between the electric and telecommunications sectors.

Work is already underway in this area. The Telecommunications and Electric Power Interdependencies Task Force is exploring the next generation of public networks and how the electricity sector will be able to use these networks of the future through the employment of more sophisticated encryption technology and other security measures.

Cyber security is evolving rapidly, and all of us working in the discipline are tirelessly seeking more effective solutions for protecting our critical assets and systems. We appreciate your interest in this topic and welcome your assistance in helping us to ensure our critical infrastructures are protected, secure, and reliable. Thank you for your attention.

[The prepared statement of Mr. Freese follows:]

PREPARED STATEMENT OF GERALD S. FREESE

Mr. Chairman and distinguished Members of this committee, thank you for the opportunity to appear before you today. My name is Gerry Freese. I am the Director of Enterprise Information Security for the American Electric Power Company in Columbus, Ohio. AEP is the largest supplier of electricity in the country, with over five million customers in 11 states. I am responsible for information security for all of AEP's corporate and operational systems and networks, including those used for the operation of the bulk electric system.

My reason for being here today is to talk about the cyber security needs and activities of the entire electricity sector, one of North America's most critical infrastructures. During my career, I have worked with numerous industry-wide committees addressing the growing need for increased security for information and cyber systems. This need is underscored by the sheer expanse and diversity of the electricity sector, which is made up of large and small entities, publicly, privately, and government owned and operated. Through industry groups and as individual companies, we have always placed great emphasis and the highest priority on the need to protect our information systems and effectively secure the data residing on them. Before I address the three questions posed to the presenters by the Committee, I want to make two points.

First, our industry has long-term and positive working relationships with federal agencies, including the Department of Homeland Security (DHS) and the Department of Energy (DOE). We value these relationships and want to work collaboratively to improve them even further. The recent recognition from DOE and DHS of the Electricity Sector Coordinating Council (ESCC) is a positive step. We firmly believe the relationships between federal agencies and the industry are working well because both the electricity sector and the federal agencies recognize the value in jointly addressing issues. Both the industry and government recognize the difficulties posed by prescriptive mandates and overly rigid rules and regulations that stifle creative solutions to problems.

Second, our industry continues to have concerns about the security of information after it is provided to the government. The electric infrastructure is one of the most critical infrastructures servicing the Nation and allowing us to maintain our way of life. Certain technical, architectural and operational aspects and details must be kept secure so they will not be inadvertently disclosed to those who would try to disrupt or destroy our social, political or economic fabric. We believe the Critical Infrastructure Information (CII) approach meets most of the needs for critical information protection but have been frustrated by an evident lack of progress in fully implementing this important safeguard.

I will now respond to the three questions posed by the committee. In response to the first question, the electricity sector has, in many cases, built its own telecommunications networks but is steadily becoming more reliant on public networks as well. The electricity sector uses the public networks for many functions, including customer service and information exchange via the Internet. It also uses the Internet and the public networks for a limited amount of telemonitoring of the electrical system, although this varies by individual electric company. The interdependencies between the telecommunications sector and the electricity sector are numerous and complex. Because of these complex and critical interdependencies, serious damage or disruption of the telecommunications infrastructure would seriously undermine the operation and operability of the electricity infrastructure. Both sectors are working together to better understand their criticality and the ways that vulnerabilities in either of these sectors impact the other.

Securing the extensive, distributed and critical electric power infrastructure is a huge responsibility that the electricity industry takes very seriously. We have already taken decisive steps to secure our cyber and physical resources and will continue to invest in comprehensive and effective security measures. We have interim cyber security standards in place and are working diligently to move through the approval process for a permanent, more expansive Critical Infrastructure Protection (CIP) standard. The permanent standard will strengthen cyber security across the electricity sector and lay the groundwork for greater collaboration between the industry and government.

In response to the second question, DHS can assist the electricity sector in cyber security by continuing its support of security activities like Carnegie Mellon's Computer Emergency Readiness team. DHS also has been very supportive of other information sharing activities, which adds value to our industry's security initiatives. Another more recent example is the Process Control Security Forum. This group is made up of several key industry sectors that use process control systems and includes government representatives, academics, and vendors. The forum is working to develop design guidelines for the next generation of more secure control systems and is looking at what can be done to improve existing systems. As the forum continues to make progress, the possibility of seed money from DHS should be considered to stimulate the implementation of the ideas and concepts developed.

Another way that DHS can assist the electricity sector is by helping coordinate research initiatives taking place in cyber security. Many of the most prestigious institutions in America are engaged in research and development in this area. The missing element that hinders real progress is an overall coordination plan to avoid competition for funding and duplication of effort. The coordination should extend beyond the borders of the United States because a number of other countries such as Australia, Canada, Great Britain, and Japan have also made cyber security a top priority.

The third question focused on current inadequacies in security and possible research and development opportunities. The electricity industry is interested in continuing to work closely with DOE on the work being done at the Idaho National Laboratory. We believe it holds great promise as one of the best and most efficient means of stimulating research and developing technical solutions to the present shortfalls in cyber security. DOE and DHS have provided leadership and support on this initiative and the electricity industry is committed to its success. Again, DHS should coordinate this work with other projects in this topic, both domestically and internationally.

The present electric infrastructure has been built over many years with various types of process control systems produced by a large number of vendors. The long-term solution to present inadequacies is to build out the old infrastructure with the next generation of technologies and equipment. The new infrastructure will be based on greater levels of security and reliability, enhanced design, and recognition of the interdependencies between the electricity sector and the communications sector. Very interesting work is already taking place in this area. The Telecommunications and Electric Power Interdependencies Task Force is exploring the next generation of public networks and how the electricity sector will be able to use these networks of the future through the employment of more sophisticated encryption and other security measures.

The cyber security arena is evolving rapidly and all of us working in the field find it to be an exciting and stimulating professional challenge. Operational and security technologies are changing quickly. We appreciate your interest in the topic and welcome your assistance in helping us to ensure that our critical infrastructures are protected and secure well in the future. Thank you for your attention.

BIOGRAPHY FOR GERALD S. FREESE

Gerald Freese is the Managing Director of Enterprise Information Security at American Electric Power. He is responsible for defining, developing and executing all information security programs to effectively protect AEP data and systems, including critical digital control systems. He is responsible for regulatory compliance and critical infrastructure protection for cyber security, and has been instrumental in the development of cyber security standards for the energy industry. Gerald Freese is a recognized security and infrastructure protection expert who brings a powerful combination of leadership, domain experience, technological vision and strategy development to American Electric Power. He is the company's primary data security architect, and a strong proponent of industry and government partnerships for critical infrastructure protection.

Prior to accepting a position at American Electric Power, Mr. Freese was the Director of Security Intelligence at Vigilinx, Inc., where he developed an early warning and data analysis process to identify computer-based threats and attack profiles. He has authored in-depth analytical papers on cyber-activities relative to geopolitical threat environments and has testified before Congress on critical infrastructure interdependencies and control system security. Mr. Freese is a retired naval Cryptologic Officer with extensive experience in computer security and information warfare. He has held other leadership positions in the information technology industry with Perot Systems and General Dynamics Advanced Information Systems.

Mr. Freese is a Certified Information Systems Security Professional (CISSP). He holds a Bachelor's degree from State University of New York (Albany), and a Master's degree in Information and Telecommunications Systems from Johns Hopkins University in Baltimore, Maryland.
