Part of Intelligent Utility® Network »

Digital Utility Group

The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Question

Are file hashes of files from a vendor a viable option for an additional security measure?

Private

This question was submitted by a community member who wanted to stay anonymous

  • Aug 19, 2020
  • 924 views

Producer's Note: This question was posed during the recent Energy Central PowerSession: 'Cybersecurity on the U.S. Power Grid: Software Supply Chain Risks and Mitigations for NERC CIP-010-3,' with keynote speaker Richard Brooks. The PowerSession was so lively and packed with great information that Richard was not able to address all questions live, so we thought we would bring the question to the community so he could answer in writing, as well as provide an opportunity for the community to keep the conversation going with followup questions, comments, and discussion by anyone who was or wasn't able to attend the PowerSession live. 

In case you missed the live event, a recording of the PowerSession can be accessed here.

More Q&A responses from Richard that came after the PowerSession ended can be found here

Richard will also be holding a live Q&A discussion on the topic on Thursday August 27 at 4 PM Eastern. This informal chat will let you share any other questions you may have or topics you want to discuss. Join at any point during the hour when you're free and hop off when you need. More information and calendar reminder sign-up can be found here. 

Your access to Member Features is limited.

Answers

Bob Meinetz's picture
Bob Meinetz
Bob Meinetz's picture
Bob Meinetz
Nuclear Power Policy Activist
Independent
73,744

Member since 2018
Nuclear Power Policy Activist, Independent
August 19 2020

"Are file hashes of files from a vendor a viable option for an additional security measure?"

Yes - for now. There was a time when the MD5 32-byte encryption algorithm could be used to safely verify any data; hashes have become longer and longer as computing power and parallel computing have advanced.

In general security is only necessary in proportion to the value of the data being protected. MD5 hashes are more than adequate for most verification purposes. Public key cryptography (RSA) protects nearly all financial transactions in the world today, but is relatively slow for transferring huge files

Quantum computing is expected to come of age in the next decade or two. Then, all bets are off.

Again, in general - it's not hard to protect critically important data from brute-force attacks. The primary cause of data breaches, by far, is human carelessness.

Richard Brooks's picture
Richard Brooks
Richard Brooks's picture
Richard Brooks
Co-Founder and Lead Software Engineer
Reliable Energy Analytics LLC
93,546

Member since 2018
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC
August 19 2020

All software objects that are destined for deployment in critical infrastructure command and control functions should be subject to a comprehensive risk assessment, as described in the session.

Tap Into The Experience of the Network

One of the great things about our industry is our willingness to share knowledge and experience.

The Energy Central Q&A platform allows you to easily tap into the experience of thousands of your colleagues in utilities.

When you need advice, have a tough problem or just need other viewpoints, post a question. Your question will go out to our network of industry professionals and experts. If it is sensitive, you can post anonymously.

Your access to Member Features is limited.

Apply for membership
Related Content
ICT Supply Chain Library | CISA
Which Cybersecurity Standards should you follow NIST or IEC, across U.S. critical infrastructure?
No good deed goes unpunished
IEC 62443 Week 2023 - Top Rated Presentation - Save the Date!Many - LinkedIn
Recent Comments
David Trahan
David commented on ...
Encouraging Grid Innovation with the Infrastructure Investment and Jobs Act
Hi Anthony,One of your bullet points offered in your post reads.
David Trahan
David commented on ...
Florida Public Power utilities preparing for potential challenges
The power grid is a vital resource for all in everyday life. Preparation is key to minimizing system damage during a high wind event like a hurricane.
Mark Silverstone
Mark commented on ...
No more wholesale price caps?
Thanks Doug - Could you please explain a bit more about how wholesale price caps work, or not, as the case may be?
Richard McCann
Richard commented on ...
Case Study - Electric Utility Moves Towards Cost of Service Rates for Each Customer Class and Develops New Rates for Emerging Technologies
Cost of service allocation is far from being a settled "science." One of the open questions is what set of metrics to use as alternative cost...
Energy Central Jobs
Featured Jobs
More Jobs