
Richard Brooks
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Dec 18, 2020

The SolarWinds incursion has damaged government credibility with regard to our ability to defend against sophisticated nation-state cyber threats and software supply chain risks. This posting from Brad Smith of Microsoft has several recommendations that are worthy of consideration to help prevent more attacks. But one recommendation in particular can have a real and immediate effect that improves our collective ability to protect and defend against cyber attacks: "First, we need to take a major step forward in the sharing and analysis of threat intelligence."

Of all his recommendations, this one in particular can be implemented by every person who receives software and can detect potential threats that may be present. We have the facilities to report suspected software via the existing CVE/NVD repositories and other channels, e.g. *-ISAC. We don't need a government mandate to make this happen, but it does take discipline and the ability to detect when risks are present. There are several vendors of software supply chain risk assessment solutions, e.g. SAG-PM, that can help to detect potentially risky software packages. It's up to the consumers of software to take advantage of these solution offerings and help stop the spread of bad software by applying comprehensive software supply chain risk assessments and reporting any identified issues that raise doubt as to the trustworthiness of a software package.

Energy Central hosted a PowerSession on 8/12 that echoed many of Brad's points, available on demand at: https://energycentral.com/o/energy-central/demand-energy-central-powersession-series-cybersecurity-us-power-grid-software

Never trust software, always verify and report!

Discussions
Matt Chester on Dec 18, 2020

I wonder if the depth and severity of the SolarWinds incident will jolt this to the top of the new Administration's priority list-- both specific to addressing what happened and overall grid cybersecurity. 

Nathan Wilson on Dec 19, 2020

For computer systems that require maximum security, the gold standard security technique is the "air gap". That means keeping mission essential systems physically disconnected (not just via a software firewall) from the public internet!

We should recognize the mission essential status of our electric grid, and resist the temptation to create demand-response systems over the public network. That means that under no circumstances should BEV chargers, home water heaters, or PV system batteries be allowed to come under control of utilities or DR aggregators via remote control.

That will be bad news to many who envision certain types of future smart grids, but we have to take computer security seriously, or the cyber attacks of the future will be even more damaging.

Rick Engebretson on Dec 19, 2020

I just spent time trying to upgrade the BIOS of an old Intel motherboard. Included in a boot CD-ROM image was this text:

mkisofs 2.01a32-3-bootcd.ru -o fdoem.iso -b isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -J -r -c _$ -hide-joliet ...

It is part of a Linux command line to construct a boot CD-ROM image to change the motherboard BIOS. What caught my attention was the ".ru". This particular motherboard had a large BIOS to include the "Intel management engine (spyware)" and required a large file size CD-ROM. Thus using the Linux command "mkisofs" to boot a "freedos" kernel using "isolinux" memory disk.

It seemed to me ironic we need to hire the Russians to implant spyware in our PCs because we are too dumb to program a computer anymore.

An old joke is we Americans are lucky the foreign software experts still speak fluent English.
