The Energy Collective Group
This group brings together the best thinkers on energy and climate. Join us for smart, insightful posts and conversations about where the energy industry is and where it is going.
Shared Link
NERC: Frequently Asked Questions Supply Chain – Small Group Advisory Sessions Version: December 18, 2020
NERC has provided a very clear response to this Question regarding software verification and integrity regarding CIP-010-3 Part 1.6: Can a registered entity provide signed software or hashes when possible but rely on attestations in some cases for both software source verification and software integrity verification (CIP-010-3 R1 Part 1.6)?
No, in general, ERO Enterprise audit teams do not accept attestations as primary evidence for performance-based Standards. Some vendors do not have the tools for end users to verify the software integrity obtained. If this were the case, the audit team likely would examine applicable mitigating measures taken for these exceptions. As CIP-010-3 R1 Part 1.6 states, “when the method to do so is available to the registered entity from the software source,” the ERO Enterprise recommends registered entities consider how vendor capability may impact the development of potential internal or external mitigation controls in lieu of vendor support for Part 1.6.
Energy Central hosted a session on software supply chain best practices to address NERC CIP-010-3 Part 1.6 on 8/12/2020; an on-demand recording of this session is available here: https://energycentral.com/o/energy-central/demand-energy-central-powersession-series-cybersecurity-us-power-grid-software
NERC: Frequently Asked Questions Supply Chain – Small Group Advisory Sessions Version: December 18, 2020
Can a registered entity provide signed software or hashes when possible but rely on attestations in some cases for both software source verification and software integrity verification (CIP-010-3 R1 Part 1.6)? No, in general, ERO Enterprise audit teams do not accept attestations as primary evidence for performance-based Standards. Some vendors do not have the tools for end users to verify the software integrity obtained. If this were the case, the audit team likely would examine applicable mitigating measures taken for these exceptions. As CIP-010-3 R1 Part 1.6 states, “when the method to do so is available to the registered entity from the software source,” the ERO Enterprise recommends registered entities consider how vendor capability may impact the development of potential internal or external mitigation controls in lieu of vendor support for Part 1.6.
Discussions
No discussions yet. Start a discussion below.
- What is the difference between FCEM and AOCE
- Highly Recommended Reading - Capacity Accreditation Reforms
- CISA’s public-private cyber collaborative to focus on energy, water
- Groundhog Day, SEC Style: Proposed Rule On Cybersecurity Risk Governance Has All The Pain Of SOX With Fewer Financial Penalties
Get Published - Build a Following
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.
Your access to Member Features is limited.
Sign in to Participate