From YouTube: Interim Joint Committee on Natural Resources and Energy
A
To order, and we appreciate everybody in attendance and all of those that are participating via a Zoom call or from their cell phone. As we do roll, if you're not in the room, please identify yourself and state if you're in your office or if you're in your district for us. At this time, I'd like to ask the clerk to call the roll.
E
Present in the 96th district.
B
Here, Chair Smith.
A
Leadership, I'm not very good and I hadn't had a chance to ask him in advance, but I wonder if Representative CB Embry would lead us in the Pledge of Allegiance. CB, would you be willing to do that? Enforcer? Oh, please stand and follow CB's.
G
Most of them will probably be things that we will be dealing with in the next session, and that's why the interim process is so very important, that we get a chance to review and hear testimony from people out there that have interest in these subjects. I always enjoy the interim, and I hope that you will as well. Thank you, Mr. Chairman, and I look forward to working with you again.
A
Very good, same here. And I also would like to give special recognition. I see our Commissioner of Fish and Wildlife and also a good friend of mine, Rich Storm. If you'd stand up, Rich, we appreciate you taking time out of your day to join our committee today, and it's good to see you here, sir. Very good. All right, let's get into our meeting. Do we have any members that wish to be recognized at this time? Senator Southwood.
A
A lot of the issues now that the country is dealing with, this group right here was awake at the wheel, and it says a lot, for a lot of the states' assemblies got caught asleep as this hit, but this committee has done the majority of the heavy lifting for the state of Kentucky and several other states that we were kind of competing with to take the top spot as far as blockchain technology and other aspects of cryptocurrency and securities.

But this group in front of you has probably been one of the most informed groups of members of the Natural Resources Committee I, or I think Chairman Gooch, has ever served with, so you'll have some really good questions today. You'll find a group of people that are very informed on what you are talking about, and in light of what we just saw with the breach with the oil line.
C
Okay, so the first thing we were going to start with was a little background on the pipeline event. So I don't know who you've gotten briefings from on the pipeline event, but we thought it might be a good idea to just give you a little background of what we know, which is not much different than what's in the public. We have not gotten a lot of insight from classified sources or other connections we do have; while we're well connected, we still don't have a lot of visibility into that.

The pipeline event happened, or the reports started happening, on May 8 on Saturday. That's when a lot of the media started talking a lot about it. There weren't a lot of statements from Colonial, but all the reporting, and still the reporting continues to be, is that it affected their corporate environment, their IT systems, not their operations systems that manage the pipeline. However, the reports we have, all secondhand through media and sources, is they disconnected the pipeline to protect it, which is a good practice, but they weren't able to quickly bring it back up.
A
No, but I'll make a comment. I think that, because this happened to a private corporation, it's been more difficult for us to get in and find out more than had it been a public utility, and so I'm not sure we will find out the full extent of what happened for a while. But I think that the fail-safe for it is shutting off the pipeline. So in my opinion, for them to go there, that means that was, let's say, unplugging the fan, if you will, that they had to go and take that action, which tells me maybe they might have lost the ability of turning the speed up or down. So that was one of the most concerning things for me, is reading the report of how they went about solving it, and just like they use the analogy of a fan.

But I do feel like we have a very effective tool to help combat this, and that's hopefully what the takeaway here is, that, you know, we've been sort of yelling in a vacuum from this committee that this is very serious and that the people of Kentucky and this nation deserve to have the best people on it and put everything, you know, forward to stop this from happening. So I think there'll be more to come, but I do think it went farther than what we know, simply because of how they stopped it.
H
What we believe at this point, and we don't have confirmation yet, is that their IT technology was jeopardized and they proactively shut down their OT to prevent any adversarial impacts to their operations, so an adversary wouldn't get control of the operations and maybe do more harm. That's the belief right now, but the details are yet to be known. Yep.
C
And now we'll say a proactive step for utilities that are further advanced is they practice that. So in our case, at AEP, if we suspect anything's in our system, internet gets disconnected immediately by my 24/7; you know, 3 a.m., they can disconnect us from the internet. The next step is to disconnect, because we've got it segmented and we've tested it multiple times. So we know what it can come down, come back up, or the network can come down; it does not impact our transmission SCADA, for example. We've tested it.

I did include a slide about the DarkSide ransomware, which is really what targeted them. All reports are they're not really targeting energy today, and in many cases might be finance, and at least electric specifically have been leading the cyber security front for several years now, considered to be the more advanced industries. So that may be they're going for the easier game, right, that they're not going to come after the ones that there's a lot of protections, a lot of design that's been being designed for years. So that's some assumptions.
C
AEP does have a major network, the largest transmission network, which Kentucky is a major part of, and we absolutely take all this seriously, and we get to leverage that capability. We do have a private internal network of fiber, so our internet, for the most part, communicating between Kentucky, Ohio, Texas, is our own fiber; it's not on the public internet. So it's a luxury that I get to take advantage of doing what I do.

I mentioned the organization, which I'm lucky to have this type of organization. I am responsible for cyber, physical security, privacy and aviation. I'm two steps from the CEO. I brief the CEO and executive team monthly on whatever topics I think are interesting. Obviously we talked about the Colonial Pipeline.
C
I actually briefed them that day on what we knew, which wasn't a lot more than the public, but we do have that active communication at that level and that level of support. So Brett, the operating company president for Kentucky Power, I just talked to him yesterday about various cyber things that were happening, and he was on the initial communication that day, so trying to make sure our leaders are aware of everything that's happening, everything we know, whether it's a scary thing that we're worried about or something that hit the media, that we need to make sure we're briefing everyone on and then preparing, if there is something that we can learn from it. I do have 155 pure cyber people; they're not doing IT support jobs at all, they're full on outside of that role.
C
So it gives me a capability to develop a lot of more advanced capabilities. Like, I have an internal penetration testing team that attempts to hack into our systems from internal to see if we're vulnerable or not. Not wondering if we're vulnerable; we're testing that on a regular basis, including into our substations. So it's being proactive and testing that stuff to the full level.

So if we learn something that can help financial or med or healthcare or our peers, we're sharing anything we know, and then hopefully they can build on it if they're seeing anything. And this is stuff even that never gets in, the bounce is outside, but it's an attempt from Russia that didn't make it in, but we still know that they're trying something. So we do share those very proactively.

We have annual white hat hackers that try to attack us from external, so we bring in somebody from a third party, not one of my people, and have them in. In our case, we bring them inside, sit them at a desk and say, what can you get to? Because they haven't been able to get in from outside for several years, so we want to step up our game a little bit, right.
C
These... it goes into detail on the protective measures, making sure there's a resiliency built in, so that you can do the disconnects and things, so that it is a very thorough and somewhat, sometimes a little too prescriptive, but a very prescriptive regulation that we have to comply with and we get audited regularly on. AEP has already been audited twice already this year, and I am the NERC CIP senior manager. So it is a role over all NERC CIP functions at AEP, so I'm responsible for all of that, as well as enterprise security.
C
We have maturity assessments done, which is a different type of assessment, to see if our overall program, versus the technical stopping a bad guy, the overall program and managing risk, is well designed, if there's improvement areas, which a good assessment person always finds something in an area to improve.

Otherwise, we need to find another assessment person that can find something, because there's always area to improve for everybody and everything. We partner with our internal audits and work with them on coordinating audits of our internal systems, and they actually facilitate the external penetration test. I don't control that engagement; our internal auditors do, so somebody that's a third party that really reports to the board of directors. And business unit relationships are critical for everything we do.
C
If we don't have the trust of our generation, transmission, distribution systems, our operating companies, they're not going to want to partner with us to manage the risk, and in a lot of things that I've talked about, they are the ones that requested. We have more requests for hacking, white hat hacking efforts, more requests than we can fulfill, because there's just so many; they want to test everything, and that type of partnership is a luxury, again, that we have.
C
This talks about our 24/7 cyber response center. We actually stood this up in 2005. I actually came out of the Air Force in the '90s doing this, so we stood it up early. So in 2005 we stood up 24/7 AEP-staffed cyber response capabilities, which includes all the monitoring of technologies. It includes processing intelligence that comes in, and within minutes we can tell you if we saw that anywhere in our system, whatever that detail was; we can look. The other pieces are proactive blocking, so at 3 a.m. on Easter Sunday somebody can block something that potentially could be bad. If we find a hole or a new strain of a virus that's coming in, we can put those proactive blocks in without having to wake up organizations and stuff. These people are always there. They also process all the sharing that goes out to the electric sector ISAC, to DHS, to FBI, the collaborative relationships we have; we're feeding them everything we have, so we're being transparent and letting them know, here's some things we think others should watch for that are unique in our industry.
C
If there's curiosity on the pandemic, when we send everybody home, which AEP did across our enterprise, including my cyber teams that went home, they did not miss a beat connecting. We already had secure connectivity set up. When they connect to AEP, all other connections are dropped; it's not possible to connect to AEP and something else. They have to use a token to connect, a secure connection system like a VPN or a Citrix-type virtual desktop type system.

Our own private internet presence, so we have two at AEP that cover the enterprise and then our own VPNs, and there are additional VPNs that often are inside, getting from segmentation, right. We don't allow internal people to get to the internal control system network. We make it very difficult. You can't just get here from there.
A
In some cases your employees' cell phones, executives, do you run the same VPN on their devices as well as on computers, so you don't have a weak spot there?
C
For the computers, absolutely. For cell phones, where they're just getting email, that comes through a filtered system and we can shut those off at any point, the cell phone itself. So if it's connecting, it's gone. And it has antivirus software on this, the cell phones and things, to give us capabilities to protect just like we would a desktop, which is, that technology is still coming along. It's really early putting that stuff on cell phones, but we are.

We had the support to put it on, because it has a little bit of extra overhead that people don't like, but it's a necessary evil, yeah. So there's a lot of discussion on having people sent home. It did change the threat profile. We did see some of the threats change, but in our case our profile didn't really change, because everything is still coming from our corporate center.
C
The last one is, I think this is my last one, on the NERC standards, and this is just a list of them. As I mentioned, we get audited on these on a regular basis. Some of us get audited several times a year by different regions because we're across the country. These things are, they bring in auditors, they ask questions, they make us provide evidence, they do walkthroughs on occasion, so this is a very thorough set of standards that have been in place since, I think, the late '90s, 2002 maybe, actually, something like that. Maybe, yes, early 2000s these have been in place. So these have been evolving as we've been evolving to mature our security controls, mature our protections and capabilities, and it is, in the case of AEP, we actually have FERC and NERC actually on site for the audits, because they get a view of a lot across the country. So there's a lot of visibility on these things, to make sure we have our game; we're critical to the infrastructure. I mean, that's part of our mission that we believe in, is we're protecting the US. I did it before in the Air Force; now I'm doing it working for AEP, so it's a passion we do have. So it's something we take seriously.
F
All right, yeah, thank you again. I'm David McLeod, I'm the director of IT security and risk management at LG&E and KU. So I have responsibility for cyber security for the company.

It was issued in response to the Colonial Pipeline event that we discussed, so it was released last month and it really gave best practices specific to critical infrastructure asset owners, and, as you can see, this was the DarkSide ransomware related to the Colonial Pipeline.

The alert did provide really a set of recommendations from two different postures. One was actually how to prevent ransomware in an environment, and then the second was how to reduce the impact if you were to become a victim of ransomware. So I've paraphrased some of their recommendations and how LG&E and KU meet those on the next couple slides.
F
On one note, as we discussed, I think Keith mentioned the distinction between IT and OT. IT is information technology; that's going to be the more traditional systems, if you think company email systems and such. And then OT is operational technology, and that is going to be the technology that supports more operational functions, industrial control systems, or you may have heard the term SCADA.

But if you think in our industry, we're talking about things that support like generation or transmission functions.

So the first item that they recommended was really keeping your remote access secure, and that's to both IT and OT. As I believe Steve mentioned, the multi-factor authentication. So if you're going to be connecting remotely, it's having multiple factors, something you know, something you have, that type of thing. So securing remote access.
A
If I could just stop you for a second, Tanya made a very good point. Some people may not be familiar with the term phishing. Sure.

So if you want to elaborate on that, but that has also been a very effective tool, even though it's very outdated, even with the term ransomware. With what we're seeing now has changed from 2018 to now; it's a totally different game of who's doing it and what they want, but we were using sort of the reverse phishing to be able to track these people down, right to the cafe and wherever they're at they're sending this stuff.

So the phishing works both ways for us, thankfully, right now, but if you would explain just generally for members that may not know.
F
Sure, and phishing is going to be emails that are crafted in an effort to get people, get employees or users, to click, and really once they click, it can take them to a malicious website, or it can have a malicious file within the email.
A
And so that's why, members, when emails or you see anything sort of make some sort of offer or a special 20% off. But what we found even is, just like yesterday, I saw a case where they had tracked down some individuals that had tried to do some ransom attack on a hospital software and had it narrowed down, and they sent them emails phishing for government grants, and sure enough, they were dumb enough to click on it, and those people probably got picked up about an hour and 45 minutes ago. So it works.
H
It is for us, Senator. If I could just add something on the phishing: that is probably the biggest risk today of cyber ransom attacks.

One of the things we're seeing at Duke Energy is adversaries are breaching our vendors; they're getting into our vendor systems, who don't have as strong protections and controls, and then they send emails from those vendors to Duke Energy employees that appear to be very legitimate emails, emails that our employees would expect to get. And so we're adding extra protection and warning our employees: even if it appears to be a good email from a vendor, you need to look for clues in there.
F
Additional, just filtering network traffic. This is going to be typically done through what's called network firewalls, and there can be multiple layers of network firewalls, but being able to understand what's coming in and out of your company network. Patching is another just good cyber hygiene; that's keeping your software and applications up to date as vulnerabilities are released.

Additional, as we talk about deeper into the network, is limiting who has remote control access to other systems or servers, even inside a network. Another more traditional is antivirus and anti-malware. That's still important for protecting, antivirus and anti-malware, what we would call malicious code, and so good practices are to make sure that those programs stay up to date with the latest definitions and that you're conducting regular scans. And then the last item on their recommendation was hardening devices and company systems, and this can be really multi-faceted, but in general hardening is equated to kind of having purpose-built devices, so that you're running what's designed to be run on them, but they're not as open to other services to be run or other applications that don't need to be on.
F
So the next set of recommendations from their alert was reducing the impact of ransomware, and really what this was about is if those attackers were able to get a foothold within a network, how can you reduce the impact or exposure? And so the first couple items within the recommendation was going back to IT and OT, as having those networks segmented. So typically the information technology networks are more exposed to the internet.

What would be transmission or generation or what have you doesn't necessarily need to talk, and so it's going to be a more protected network. So you want to have tighter controls between those two, and even between OT networks themselves. They don't need to be on the same network. There may be different criticality between a generation network and a transmission, so all of that will help if an attacker was able to get a foothold, to prevent the overall exposure.

Additionally, we touched on some alternative plans regarding, specific to Colonial, it's important to have alternative plans for if you did need to sever that connection between IT and OT, to make sure that you know how to do it. And then, even if you had to shut down that network, the manual controls in place so that, if that network's unavailable, you can switch over to manual and continue your operations.

If you had a ransomware impact and it started encrypting systems, you don't want the ransomware to also encrypt your backup, so you need to ensure that the backups are secure and also that you've tested your backups, so that you know that the backups are successful and that you know how to use those backups, and then they need that if it comes out. And then the last item from their recommendations was around protecting privileged accounts. This is really around, if you think of privileged accounts being administrator accounts.
F
And then just a few other items I thought I'd mention specific for LG&E and KU that weren't in the CISA-FBI alert. We do conduct tabletop exercises, and we do use ransomware as a potential scenario in these tabletop exercises. Those are very valuable, help us identify gaps, also exercise our team and our incident response if we had a ransomware event. Industry cyber information sharing, working with our peers, understanding what else is happening, if others are impacted, and able to use that information to guide our monitoring, guide our responses, and then evaluating our protections. And then the last item, as Steve mentioned, you know, doing penetration exercises. We're using tools that hackers would typically tool, kind of their tactics and techniques.

We're able to, you know, test our defenses, see if we have any gaps, if we have any blind spots in monitoring, so continuing to try to exercise ourselves. And that was all I had, yeah.
A
David, if I could ask you, just, I think one of the things that is my concern is that a lot of the stuff that you and each of your companies are doing have a lot of moving parts, a lot of personnel; you're doing a lot of testing, you're doing a lot of monitoring. It's a lot of moving parts and pieces, and I'm always curious about, if you guys were using blockchain to bring it down to that level, how that would make it easier for you all, to make it much more difficult for a lot of the stuff you're running, to worry about somebody hacking it. But in the last probably 48 hours, since June the first, something very significant has happened if you've got TikTok or Facebook or if you have an Alexa or any device that's recording you.

I don't know if you've seen the warnings that your devices have given you; if you suddenly just brushed it by, you probably shouldn't have, but you have, I guess, until June the 8th to be able to say take me off of this system. But Alexa will now be a part of a greater network where they will be sharing and collecting not only anything it may see in your house as far as the back room, but a conversation, and so if you've got that on your phone, you tell Alexa, call my mom, it's, Mr. Chairman...
D
Well, what's happening on June 8th is that Amazon has announced that it's using all of its hardware devices, if they're current and if they're new enough, maybe the first generation Alexa devices may be too old, but all their other hardware devices that have a Wi-Fi connection or network or are connected to your home Wi-Fi are sharing that for other users to benefit from. It also expands their information network. They've just entered into an agreement with Tile, which makes little plastic devices that can track items.

You can attach it to your keys or whatever else, and broadens that network, but it's a huge privacy concern and you're right to bring it up. I sent out a tweet a couple days ago, when I read the news about what Amazon's done. In fact, they've made it automatically kick in for every Amazon hardware gadget that's out there that qualifies, or that has enough internals to support doing this.
A
You have until the eighth, but it's not only that. TikTok as well, today, if you look at the five friends. So here's the concern. You have all the firewalls, you have all this stuff, but what you can't stop is me being on my break in the bathroom, my TikTok, and it's videoing you; your phone takes a picture of your face every five seconds, and it does that for a lot of reasons. It says it's for, you know, better customer service or whatever. A lot of people don't know it does that. If you have an iOS device, but I can yell to my secretary and say, what, you changed my password? What's my new password? Well, it's listening to that, and that happens sometimes in our office, because I'm working and we have to change ours, because that's our security measure here, and she may say, you know, it's Brandon Smith, that, you know, whatever, and I'm putting it in. Well, my phone has picked that up, but it also can pick up different pictures and perimeters inside of a building, hallway security systems. So now I'm inside your operation at Duke Energy, and I bypassed your firewall. I bypassed all the stuff you put into place, and now I have access to discussions that executives are having. The VPN on my phone is not going to stop that, because it's audio, and so all the stuff that we're talking about changed, and it's going to be changing even further.

And surprisingly, a lot of people won't catch that; they'll just say, I don't want to give up TikTok, and they'll just go ahead and swipe it, and that'll be some of your employees in some of the most sensitive places out there. So the threat that we had as of really yesterday, when the clock started ticking, has completely changed for all the work that you men have dedicated so much skill and stuff to.

So we can identify what room of the house you're in, they're saying, so if you're in the laundry room, it takes enough pictures while you're moving around, it assesses that, I know where your laundry room is, and if I don't see a certain product in there, or if I see Tide in there, that's how they want to sell it to you; it's to help you, just make your life easier. But then I know that there's other things in there. I'm in your garage; I see what cars you drive.
C
Yeah, absolutely, to support what Keith said. This is a new set of challenges, and sometimes it's protecting users from themselves. They're not intending to be malicious. In most cases, they're actually doing things they don't know is a risk; they're introducing risk. So it's the new twist, which is why our jobs are exciting, the new challenging twist. There isn't an easy answer.

We'll have to figure it out, is the one you just described, which we're gonna... that's why we have good teams that we can rely on to dig into this, partner with DHS, partner with FBI, and use all our resources to figure out the best way to control these risks and manage them, right. So.
A
If you do this in the Commonwealth of Kentucky, that you have to have special permission, to protect families out there, because you're seeing more and more; there's a whole section of kids under the age of 13. You would be surprised on the applications like TikTok how many young girls on there are prancing around in bathing suits and stuff like that, and who's sharing that information, who, how many 43-year-old men need to be looking at, you know, a 13-year-old girl? There's a lot of issues here and who should be sharing that information.

So Kentucky needs to take this very seriously about letting these particular groups know that, not in Kentucky. So there's a lot of challenges for all of us. Security is another aspect. Our job is to protect the citizens, and you also make sure that people's air conditioners work and the hospitals have power and things like that, all both very important.
H
The California consumer privacy law, CCPA, is the most aggressive in the country; a California citizen automatically gets that protection. New York is putting in place similar laws, and I think there's about five or six other states that are looking at that right now. In my previous role, prior to becoming chief security officer, I was the chief risk officer for the company, and privacy fell under risk.
H
You want to just pull up my slides? Because I'm not sure... I'm going to take a little different twist; I'm not using slide by slide. I have four slides that I'll reference, but I'm going to go through my testimony. Please stop me at any point in time. As I said earlier, I'm Keith Butler, chief security officer for Duke Energy.

I have responsibility and oversight for the enterprise-wide security program. It encompasses cyber security, physical security, threat management, threat intelligence, executive protection and the NERC CIP program for our regulated businesses in seven states. Our commercial businesses, our commercial renewable business, also has to comply with NERC CIP, and then likely our corporate functions, there are several areas in our IT functions that have to comply with NERC CIP also. I've been with Duke Energy 37 and a half years.

I know the industry well, I know the company well. Today I'm representing Duke Energy Kentucky, and I thank you for the opportunity to participate in this. You know, Duke Energy is an essential service provider. You've said that you recognize that we're one of the largest grid operators in the United States, and so protecting our assets remains a top priority for Duke Energy.

We realize that threats are evolving every day, and we work diligently to stay apprised of the tactics, techniques and procedures, TTP, and you'll hear that phrase as you think about adversaries, TTP, tactics, techniques and procedures. And there's no denying that security is a critical issue that's facing our industry and our nation. Threats we see every day continuing to increase in frequency and sophistication: the Irish health system, the Colonial Pipeline, JBS Foods, the New York transit authority just announced that they were hacked back in April, and they just announced that yesterday, and then the ferry that serves Nantucket and Cape Cod also had an IT cyber attack on them.
H
H
So,
at
duke
energy,
we
continue
to
strengthen
our
cyber
defense
tools
and
processes,
including
the
implementation
of
advanced
security
measures
for
the
operational
technology,
the
ot
in
our
substations,
our
power
plants
and
the
grid.
Modernization
that
we're
doing
today.
That's
an
important
part
of
our
go
forward.
Strategy
is
to
modernize
our
grid,
but
with
that
comes
risk
too,
the
electric,
the
nuclear
power
and
the
natural
gas
sectors
adhere
to
mandatory
regulations,
as
well
as
enforceable
cyber
security
standards
and
voluntary
guidelines
too.
H
As
we
talked
about
earlier,
and
my
colleagues
talked
about,
one
of
the
key
requirements
we
have
on
the
businesses
are
the
nerc
sip
requirements
and
we
have
a
formal
program
underneath
my
area
of
responsibility
called
sip
program
manage
management,
cip,
critical
infrastructure
protection,
and
so
I
have
a
dedicated
group
of
individuals
who
are
focused
on
this
sip
protection
under
the
nerc
sip
guidelines
and
it's
an
enterprise
level
team
for
all
of
our
jurisdictions,
including
duke
energy
kentucky
and
they
own
they
create,
and
they
maintain
policy
that
sets
the
expectations
for
sustainable
security,
management
controls
and
accountability
for
adherence
to
that
program
to
protect
the
bulk
electric
system.
H
Our
sip
management
program
ensures
alignment
and
consistent
implementation
on
an
enterprise-wide
basis
to
comply
with
those
narc-sip
standards
that
are
constantly
being
updated
and
changed,
but
we
go
beyond
just
those
nercsip
standards
and
we
go
beyond
that
of
what
is
required
to
make
sure
we're
adequately
prepared
to
identify,
protect,
detect,
respond
and
recover.
Those
are
the
five
elements
of
the
nist
framework
and
I'm
going
to
walk
through
those
right
now
for
you,
the
first
element
is
to
identify.
H
This
is
where
we
identify
our
critical
assets,
so
this
is
where
a
company
identifies
what
maybe
you've
heard
of
the
crown
jewels.
These
are
your
most
critical
assets
to
the
operations
of
the
company,
whether
that
be
on
the
I.t
or
the
ot
side.
This
is
where
we
do
threat
assessments
and
we
do
intelligence
gathering.
H
We
have
internal
third
party
and
no
notice
penetration
tests.
So
my
colleagues
talked
about
those
penetra
penetration
tests.
We
have
internal
folks
that
do
that
as
well
as
we
hire
external
and
our
employees,
don't
even
know
it's
coming,
so
we
want
to
be
surprised
by
it.
We
don't
want
to
know
about
it.
A
Keith, can I ask you a question? And your group you're talking about: does your fuel stock or your feedstock, is that included in your stuff that you manage to watch, in the sense of whether it was solar, wind or coal, as far as disruptions, or, you know, bridges being out or taken out to slow your ability to have, or gas pipes in there? Is that all part of the stuff you watch as well?
H
Even during the insurrection that happened at the Capitol, we learned of threats that there might be attacks on data centers, for instance Facebook, Amazon, other data centers. We have some of those in our territory. We stepped up special protection. We did flyovers with our helicopters to see if we could see any type of activity that might be a threat to those, to make sure that not only our systems were protected, but those critical systems of our customers were being protected too. Great question.

So the second element in the NIST framework is protect, and protect involves developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services, and this component includes internet network protection, intrusion protection on substations, critical transmission infrastructure and IT systems, so both electronic as well as physical, and support processes and procedures for data protection at rest, so when data is just sitting there, data that's in use and data that is in transit electronically, as well as protection against data loss too, which is a risk for us.

The third element of the NIST framework is detect. This involves developing and implementing appropriate activities to identify the occurrence of a cyber security event. You want to know if one is happening, and Duke Energy is dedicated to having very strong and sound information and intelligence sharing. Was there a question, or okay. We coordinate frequently with our FBI offices in all our jurisdictions, but in particular where our headquarters is in Charlotte, North Carolina. We have a very strong relationship with our FBI office and talk to them regularly, including unclassified and classified briefings.

We also share with the industry through the ISACs, and the electric industry's is called the E-ISAC, electric information sharing and analysis. While we have these strong relationships, it's also important that we invest in the tools and technologies to protect, and so those are intrusion detection and monitoring systems, both electronic and physical, as well as vulnerability detection management tools. We have a whole team of analysts that are studying these on a regular basis, the information we get from that. So I've been through identify, protect and detect.

H
These drills and exercises are regularly conducted on a broad range of scenarios and include both internal and external partners. Duke Energy again will participate, if we could go two slides, I believe one more, in the GridEx exercise. Duke Energy is going to participate in this, and I imagine AEP and LG&E will too. This is a nationwide exercise sponsored by the North American Electric Reliability Corporation, or known as NERC, and this is an exercise that each individual utility can design on their own, but it is also a nationwide exercise: utilities, including our Canadian utilities, participate in this to stress-test situations, and the last one really focused on cyber security attacks and pushed the edge on cyber security, where there were multiple attacks happening to multiple utilities, which could have jeopardized the entire nation's grid, and so those are the exercises we man, where we have our incident management centers in full operation.

Then I'll talk about recover. Recover involves developing and implementing appropriate activities to maintain plans for resilience and restoration to ensure its readiness to recover. Duke Energy conducts regular backup and restoration processes for all of our critical information systems. Remember I talked about identifying those crown jewels. We make sure we have our crown jewels backed up with information and protection, and we drill that regularly. It's important for us to keep that muscle memory, just like you do in sports, with tennis: you want that muscle memory when you're playing tennis. We want to have that in cyber security in recovery and response. So I've explained the different processes through the elements of the NIST framework, but I also want to say we just don't rely on these at Duke Energy.

We also have a concept that's called defense in depth, and that's used to protect the confidentiality, the integrity and the availability of the network and the data that is within our network, and defense in depth takes many forms, and I'm going to highlight a few of those: remote access. I think that was a question that this committee had about remote access.

H
This greatly reduces the risk of the adversary, the bad person, gaining access to the system, as well as the potential for negative impacts to the system if an intrusion were to occur. So we do have some grid performance data that is permitted to flow to key partners and manufacturers of grid equipment, so we can work, just like sometimes when your iPhone says "do you want to send analytics to Apple"; well, we have some of that and we allow that. But what's important is it's allowed on an outbound basis only, not a two-way communication with these, so they cannot come in electronically. We can only send information out. These connections do not originate at the control level either. Remember I talked about the distinction between the control and the non-control level. These are not at the control level. They're outbound-only by design, and along with the point of origin outside of the control network, it provides protection such that a successful intrusion or attack would be highly unlikely.

So, as I said earlier in my testimony, Duke Energy limits any type of remote access to our systems, but we also prohibit the crossover of networks and credentials between the IT and the OT, and that's that clean segmentation between IT and OT. If you could go to my last slide, slide four, please. I'm not going to go through this, but this is showing the different aspects of the OT environment, and what you need to do, and how we're probing traffic.

So the other question was about addressing the risk and, more specifically, the risk of a ransomware cyber attack, and we use risk-based models. As I said, prior to this job I was Duke Energy's chief risk officer and acting chief ethics and compliance officer, and so I was overseeing the risk and working closely with cyber on the risk work, and we do these risk models to determine potential impacts to our systems that could cause a disruption in service to the critical national defense, to public critical infrastructure. All these are defined terms: governmental, essential services, and then just to our general customer base. So risk assessments are an imperative component of our overall enterprise risk framework that we have at Duke Energy, that is much more than just cyber, so we leverage a lot of standards and frameworks to do that. You heard about the NIST framework; there's multiple others that we use in this risk analysis.

So we also have a protective and consistent partner in both the information with the FBI and the E-ISAC, as I mentioned earlier, and we partner with federal, state and local agencies and share information with EEI, which is our industry trade group, with NARUC, who many of you may be familiar with, as well as with the Department of Homeland Security, the Department of Energy, and several of us are going up next week to meet with the Department of Energy and talk about the industrial control systems.

H
So I want to thank you for allowing me to share these today. I know I got into a lot of details, but please ask any questions about anything I have.
E
Thank you, Mr. Chairman. Mr. Chairman, I do want to say thank you for bringing this issue before the committee in such timely fashion. Mine will be as much a comment rather than a question. I want to thank the presenters for coming before us, sharing this information, and it's important that you've shared with us that you are sharing what security risks you have discovered, and sharing those with other entities. I would like to ask the presenters: please feel free to reach out to us, the members of the General Assembly, and share with us what we may be able to do to help in any way. We have experiences here within the state with the breach within the unemployment system, so we need to be aware of what we can do to help and, Mr. Chairman, I would be happy to be a part and help you with what you're working on there as far as limiting access to our citizens' information.

So I would be happy to do that. I was to hear the issue come up on phishing. It's something that my wife mentioned to me today, that she received a phone call from Amazon stating that we had a very high charge on our account, which we both knew was a phishing excursion that was coming out, and we're seeing so many of our citizens have this issue, where they're experiencing it on a daily basis. And I did want to share, with the cyber attack on our food network there with our food processors, I have asked the director of ag policy next week, with my committee there with Tobacco Settlement Oversight, whenever they come in and do their presentation, also there from the Department of Agriculture, to share with us where we're at as far as security within our food industry, because whenever you start seeing, whether it be within our energy production, electricity production or our food here across the state or across the entire nation, all these things are vulnerable right now, and, as I said, I'm very happy, Mr. Chairman, that you have brought this issue to the forefront here today.

A
Thank you. Next we have Representative Gibbons Prunty.
B
I have a young constituent who's in Purdue University studying cyber security, and he said to me: why don't you make it out, outlaw paying ransom for ransomware in Kentucky? And then, when I did some research, it's like, well, you'd stop companies from coming and all that, but I also learned that it's already on the federal books, but they're not enforcing it. What's your all's opinion on that?

H
Whether a company should or should not pay ransomware, I think it's dependent upon the situation. I think there's a lot of risk, as you read publicly, with the Colonial Pipeline: ransomware was paid, the encryption key was sent, the encryption key did not work, so the FBI discourages that. What I would say is organizations like us will always be working with the FBI and other federal agencies if we have a ransomware cyber attack, and it's going to be a gut call, so I can't say whether we would pay or whether we would not pay.

A
Very good question. Next we have Representative Dodson.

B
Thank you, Mr. Chairman. Just out of my curiosity, and I may be the only one here that maybe thought about this, I don't know, but just for myself: first of all, I'd just like to say this is a very timely topic and I appreciate you guys bringing it to us, but in the case of a major security breach, what processes are in place that bring in the FBI, DHS, that come in? Do they bring their own forensic IT people, or do they have their own separate independent system for cyber forensics?

A
Very good question. Next we have Senator Southworth.
B
Thank you, Mr. Chairman. I have a question. Our first presenter mentioned, talking about protecting the country, and we just mentioned it again, and I'm wondering on a smaller scale, because obviously you all are at the country level, and I'm thinking as far as, like, a local government level, for example, you know, a county clerk trying to run an election.

C
I'll jump out first. So one thing that I think you all should realize is, you probably have cyber actors that live in your community, want to protect the community, and would probably be willing to help, advise, contribute at some level. They probably won't be able to be the monitor people, but they may be able to be called on if your IT staff reviews and sees something that looks scary; there's people they could consult with. I mean, I would be happy if my local community called me and said: can you look at this? The sheriff's department just had a potential hack. Can you pop over here and check? I want to protect my sheriff's department, my voting registration, all that stuff, so that would be one recommendation I have, is to leverage some of the experts that are in your community that want to help protect your community, because I think we all believe we want to take care of the US, which is from local to national, right. So that's one idea.

H
Hear that we have to have 24/7/365, because we offer a 24/7/365 service. A local election board, I would say they need to step up their security during election processes, before and after. There's security consultants that they can bring on that, you know, can provide basic recommendations and protections that would help them, but I don't think a local election board would need a 24/7/365 type protection.

A
Okay, our last question, Senator Westerfield, and I'd be interested to hear his comments. He's been certainly one of our most astute members of this committee and very thoughtful on this issue, so I'll yield to Senator Westerfield.
D
Chairman, thank you. I appreciate that. Sorry, got a couple of things here all at the same time. First, I appreciate you putting this topic on the agenda and, as others have said, this is a very timely conversation, but it's something we need to be much more aware of, more familiar with, on an ongoing basis, because these sorts of incidents aren't going away, and the human factor, or the human part of the equation with regard to cyber security, is almost always going to be the weakest point.

I had a question that I wanted to just speak briefly and share a thought or two, but my question is particularly for the Duke and the LG&E folks. I'm just curious, to the extent you feel comfortable answering: do you all have protections or protocols that protect any of your internet of things devices, things that are not computers, necessarily, that humans interact with, like a laptop or a desktop machine, but thermostats, HVAC units, copiers and printers, other devices like that on your systems and networks? Are you all protected against that? I say, and I ask the question, because some of the biggest hacks or vulnerabilities that have been found have been because of IoT devices that were horribly unprotected, that were set to use factory-spec passwords and the like, but were installed in very expensive and elaborate factories and businesses.

H
So I appreciate the question. In terms of printers in our corporate environment, they're hooked up to our network with all the proper firewalls and protections. When we went remote with COVID, we would not let employees use home printers for a number of reasons. One is you're printing confidential information at home and then it's sitting at home. We did start allowing certain use of printers, but they could not be Bluetooth printers, because of the risk of an interception.

H
We have protections on smart meters. Again, I can't go into the detail of that. Electric charging stations are another one that we're putting protections on, and I'll limit it to that. But yes, all those type of devices, as we're modernizing our grid, as we're putting additional offerings out there, we're ensuring that we have the adequate protection. So, David.

F
Yeah, I mean, I tend to agree. I think the one thing, I mean, kind of calling back to some of my good cyber hygiene, is that network segmentation. I mean, we would rely a lot on that for those IoT devices. We kind of call those unmanaged devices, because they're not necessarily falling into a lot of our cyber controls and necessarily all of our patching processes and things like that. So try to have other mitigations for those unmanaged devices.

D
I appreciate both of your responses on that, and I'm pleased to hear that there are some controls in place, whether it's by isolation or by actively managing those devices, because that's a place where a lot of, particularly, households don't have adequate protections at all. It also makes the thing that, Chairman, I mentioned earlier regarding Amazon's announcement for their Sidewalk network and what they're doing, it makes it that much more alarming, and I worry about the susceptibility of people's home networks to other nefarious traffic.

I want to put all this in context, though. This is a problem, obviously, that's not going away as we continue to expand our digital presence and livelihoods and the amount of data, which is truly, I believe, incalculable, that we share and provide, not just to critical infrastructure providers like yourselves, but with every other thing that we use and live and deal with online. This is becoming an increasing risk and a problem for Kentucky citizens of all ages, young and old and in between. The 2021 Verizon Data Breach Investigations Report, I may have gotten the name wrong, but they looked at 29,200-some odd separate incidents, and from that they discovered, and this is just the ones that they're aware of, 5,200 or so distinct data breaches, and there's a lot of Kentuckians' information involved in those breaches.

I suspect it touches every member of this committee directly, or within one degree of separation of every member on it, and that number is not ever going to get smaller, and I think it's important not just that we take action to address what sort of conduct is already there, but I wholeheartedly believe that Kentucky's law is insufficient, particularly with regard to consumer privacy. We have taken some steps, as the chairman knows, and others are aware; we've done some things to protect critical infrastructure, defining it and adding facilities to it in the last several years, but we're not doing nearly enough for consumer privacy and cyber security concerns.

Regarding that, there's, and I shared this in a committee presentation, I've shared it twice now; once was back during session in front of Chairman Schroeder's Economic Development Committee. It was for information only, but I talked about this 2019 piece from the Dallas Morning News, and they were referring to a company called Live Mobile Insights, and because of the information that people agreed to share on their devices, their smartphones or iPads or whatever, and that's an important point, but they agreed to share location information with this app or with that app or whatever, and they did that without reading privacy policies and being cognizant of just where that data is going, and, long story short, this company was able to identify where Chick-fil-A customers would go on Sundays.

It was, they loved, people wanted to know where all these people were spending their dine-out money when their favorite chicken place was shut down on Sunday, and Kentuckians won't be surprised to know that Cracker Barrel was the winner here, and I've got the link to that Dallas Morning News piece. I'm happy to share it with members, but all of that's being shared with no opportunity for the user to have knowledge and give informed consent to that kind of tracking that's going on. There's a whole lot of work that we need to do to improve and protect Kentuckians. I don't have a problem with the data economy that exists. I have a problem with it being used to our detriment and without our knowledge and informed consent. So I appreciate the presentation, and, Chairman, thanks for letting me rant a little bit here at the end.
A
Very good, appreciate the input. Gentlemen, thank you all. I know that each one of you could probably have taken the full hour and few minutes that we have going through some of the stuff that you're working on, but I think the takeaway is that you've got a committee here through Natural Resources that's put a lot of time and effort into it. The hardest thing about getting this topic is trying to get people to, first off, understand it or be interested in it, and as soon as you start talking over somebody's head, they just tune out. Well, if you notice, most of the members stayed, because we have a great interest in this. This committee, above, I think, all, realizes the significance and appreciation for what you do and what's coming, and I applaud this committee. It's probably, like I said, the best Natural Resources committee we've had in Kentucky, so you'll have a lot of buy-in from us.

Please keep us in the loop as you all move forward with some of the stuff we've talked about. We'll probably, most definitely, have you back for this committee, as we've got some challenges in front of us that we'll be working on over the summer, and with that, thank each of you. To the members, now I speak directly to you: if you look at your agenda, you'll see on reference three there's no action taken on this.

I
Let's see, can you hear me? I did want to give you an idea that utilities are obligated under KRS Chapter 278 to provide adequate service and only charge reasonable rates, so cyber security impacts both service and rate jurisdiction, and that's where the PSC comes in. Obviously, the investments and costs necessary are passed through rates to customers, and maintaining adequate cyber security is a critical component to ensuring reliable service. Today, the PSC has been proactive in regard to oversight of cyber security, in addition to the federal oversight that occurs, and so, as you heard the presenters talk about, the NERC CIP, or the North American Electric Reliability Corporation Critical Infrastructure Protection, that's what protects the bulk electric system, and they are required to comply with that.

Given the sensitivity, the utilities are allowed to keep all of their procedures confidential, and they are required to certify that they have such procedures in place. So the commission, including the commissioners, has periodic meetings with each of the utilities individually for the purpose of receiving their updates, just like the presentation that you heard today. The commission does not require any filings because, again, the release of the documents would jeopardize what we're trying to protect. The electric distribution cooperatives do not follow the NERC CIP standards, and so, just to give you a background:

I
The final report offered a focused assessment and general guidance for those co-ops to also work on their cyber security. So, in addition to those practices, we are a big part of NARUC. Commissioner Matthews is on the new Critical Infrastructure Committee. PSC staff participates in the Critical Infrastructure Committee. This allows the PSC to stay current on the best practices and trends, in addition to communicating with our partner utilities, and obviously the most important piece out of this is communication, and communication is recognized as the first step to addressing any vulnerabilities with the cyber security issues. I don't want to take any more of the committee's time. I do appreciate the opportunity to speak with you, but I think you really heard the bulk of what you all needed to hear, probably, with the first three presenters. So.

A
Very good. Thank you for being with us today. For members, you hear NERC, FERC, MISO, all these different ones out there. If you ever have any questions, acronyms, please contact me; we'll sit down and walk you through it, because you're going to be hearing a lot of that on this committee, as it affects so much of what Kentucky does and our utilities. Chairman Gooch is going to close us out here, but thanks for the attendance today, for everybody that joined us either in person or via remote.

G
Thank you, Mr. Chairman, and thanks for having this discussion, you know, on the agenda, and obviously I always learn a lot of things, and I think sometimes committee meetings are good when maybe you rethink some of your own ideas. I've always been one that felt like anything California does, we should do 180 degrees completely opposite, but obviously with today we found that we might want to look at something that they do to protect our citizens and their privacy, so that does show that even a small ray of light can escape from the darkest black hole in the universe, and so with that I stand corrected. So thank you, Mr. Chairman.