
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

Nov 11, 2021

This new supply chain guidance from NERC is a significant improvement, but more clean-up is needed, i.e. RSAW CIP-010-3 allows unverified software to be installed, so long as an entity shows documentation indicating they were unable to verify the software supplier's identity and software integrity. I would never install a software product in my ecosystem if I could not verify the software supplier or the integrity of the software. That's a recipe for disaster.

Discussions
Barry Jones on Nov 15, 2021

A problem with CIP compliance and supply chain (including cloud) is one of responsibility. This occurs in CIP-011, CIP-013 and will be in CIP-012 too. Think of it this way: if I ask you to keep a sensitive document for me and ask you to protect it and not disseminate it, will you show me all your internal processes which you and your staff use to ensure these protections? And then, say my document is found out there in the world and is even replicated, and I find you made a mistake, what is my recourse? It's too late at that point because it's out there (much like offshore tax account information) but I guess I can sue. So in reality, once the document leaves my hands I must assume "a best effort."

How can FERC and NERC hold entities accountable for data and electronic information that is shared with other entities or regulators? Especially when that data crosses a wire owned by a major carrier who also maintains, accesses and manages the systems and keys? It's not possible. Only a "best effort" is possible. The CIP standards already have multiple compensating controls which provide that "best effort," and in the case of the SolarWinds supply chain there is nothing that an entity could have done, because the software supply chain (SolarWinds) was given what it perceived as "de facto" patches. If you cannot trust your developer, then you cannot trust anyone. So CIP does nothing here but require industry to perform administration overhead without addressing the security issue at the base.

Richard Brooks on Nov 16, 2021

I agree Barry, NERC CIP Supply Chain (CIP-013 and CIP-010) guidance is deeply flawed and should be replaced pronto!
