Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Nov 22, 2021

I completely agree with Tom Alrich, an industry expert on NERC CIP-013-1 Supply Chain standards, that cloud providers are wasting their time pushing for Bulk Electric System entities under NERC jurisdiction to use the cloud infrastructure for NERC CIP compliance.

I do see a supporting role for cloud services to assist an entity with implementation of their NERC CIP Supply Chain controls, but it's not what the cloud providers are suggesting in the AWS report that Tom identifies.

Bob Meinetz on Nov 22, 2021

From Tom's article:

"Like the document and presentation that Microsoft Azure prepared for the NERC CIPC (remember the CIPC?) in around 2016, AWS seems to think that what needs to be done is just convince NERC and utilities that AWS has good security."

Richard, I had to laugh when I saw Microsoft, the company whose Exchange server was responsible for tens of thousands of (successful) ransomware attacks last year, was promoting security in the cloud. Other than a foreign government ransoming the U.S. to turn its electricity back on, what could possibly go wrong?

Richard Brooks on Nov 23, 2021

Bob, I know from my experiences developing software since 1979 that it's rather easy to introduce unintended taint in a program. The notorious buffer overflow is a prime example, which many C programmers have unintentionally put into their code, without realizing. I don't envy Microsoft's position; there must be millions of potential vulnerabilities lying around, with all the software in their possession. The M$ Exchange vulnerability is particularly dangerous and easily exploitable, as you point out.

Bob Meinetz on Nov 23, 2021

Agree, Richard. I think Microsoft's original sin was selling system software separately from the equipment on which it ran. But hindsight is 20/20, and in the early 1980s the ease with which DOS could be hacked was a feature. Developers could essentially add their own options to MS software (by hacking the Microsoft File Allocation Table in 1984, I was able to create a niche Terminate-But-Stay-Resident (TSR) program that predated Windows). Overall, it probably helped to advance personal computing.

Apple's long-term strategy of forcing customers to buy integrated software/hardware solutions ultimately paid off, however. Though Mac integrated solutions are still more expensive, companies are realizing that security holes can be more so - that sometimes, they can be disastrous.

Richard Brooks on Nov 26, 2021

The good old days, Bob, when you could hook an interrupt and nothing stopped you. Go ahead, create that TSR program. I think it was INT(10), if memory serves me well - which it probably doesn't. I think INT(13) became the replacement - but those are some very old (and abused) brain cells I'm calling into action. I'm sure I could verify this with a Google search, but it's late in the day on a Friday, and I'm running out of steam. Have a good weekend.
