This group brings together the best thinkers on energy and climate. Join us for smart, insightful posts and conversations about where the energy industry is and where it is going.

Richard Brooks's picture
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,540 items added with 672,260 views
  • Dec 5, 2020
  • 983 views

This December 2nd report from GitHub contains some insights that should give utility companies good reasons to implement software supply chain risk assessment controls based on industry best practices following the NIST Cybersecurity Framework. Here are a few of the valuable insights available in this report:

  • It can take an average of over four years for vulnerabilities in open source software to be spotted
  • GitHub tallied over 56 million developers on the platform, with over 60 million new repositories being created -- and over 1.9 billion contributions added -- over the course of the year.
  • You would be hard-pressed to find a scenario where your data does not pass through at least one open source component
  • Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world
  • GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. Most frequently, open source dependencies are found in JavaScript -- 94% -- as well as Ruby and .NET, at 90%, respectively. 
  • On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month,
  • According to GitHub, 59% of active repositories on the platform will receive a security alert in the coming year. Over 2020, Ruby and JavaScript have been the most likely to receive an alert. 
  • The open source community now plays a key role in the development of software, but as with any other industry, vulnerabilities are going to exist
  • Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit."

Energy Central hosted a PowerSession on August 12, 2020 presenting best practices for software supply chain risk assessments for NERC CIP-010-3 software verification controls, which is available on demand here: https://energycentral.com/o/energy-central/demand-energy-central-powersession-series-cybersecurity-us-power-grid-software

Never trust software, always verify and report!

Discussions

No discussions yet. Start a discussion below.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »