Part of Intelligent Utility® Network »

Digital Utility Group

The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Author Profile
Private

This question was submitted by a community member who wanted to stay anonymous

Top Members

Tom Alrich

Supply chain Cybersecurity Risk Management and NERC CIP-013 consulting

Tom Alrich LLC

Karen Marcus

Freelance Business Writer

Final Draft Communications, LLC

Joe Weiss

Managing Partner

Applied Control Solutions

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Question

Are file hashes of files from a vendor a viable option for an additional security measure?

  • Aug 19, 2020 11:45 am GMT
  • 445 views

Producer's Note: This question was posed during the recent Energy Central PowerSession: 'Cybersecurity on the U.S. Power Grid: Software Supply Chain Risks and Mitigations for NERC CIP-010-3,' with keynote speaker Richard Brooks. The PowerSession was so lively and packed with great information that Richard was not able to address all questions live, so we thought we would bring the question to the community so he could answer in writing, as well as provide an opportunity for the community to keep the conversation going with followup questions, comments, and discussion by anyone who was or wasn't able to attend the PowerSession live. 

In case you missed the live event, a recording of the PowerSession can be accessed here.

More Q&A responses from Richard that came after the PowerSession ended can be found here

Richard will also be holding a live Q&A discussion on the topic on Thursday August 27 at 4 PM Eastern. This informal chat will let you share any other questions you may have or topics you want to discuss. Join at any point during the hour when you're free and hop off when you need. More information and calendar reminder sign-up can be found here. 

Answers

Richard Brooks's picture
Richard Brooks
Richard Brooks's picture
Richard Brooks
Co-Founder and Lead Software Engineer
Reliable Energy Analytics LLC

Member since 2018

Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

August 19 2020

All software objects that are destined for deployment in critical infrastructure command and control functions should be subject to a comprehensive risk assessment, as described in the session.
Bob Meinetz's picture
Bob Meinetz
Bob Meinetz's picture
Bob Meinetz
Nuclear Power Policy Activist
Independent

Member since 2018

Nuclear Power Policy Activist, Independent

August 19 2020

"Are file hashes of files from a vendor a viable option for an additional security measure?"

Yes - for now. There was a time when the MD5 32-byte encryption algorithm could be used to safely verify any data; hashes have become longer and longer as computing power and parallel computing have advanced.

In general security is only necessary in proportion to the value of the data being protected. MD5 hashes are more than adequate for most verification purposes. Public key cryptography (RSA) protects nearly all financial transactions in the world today, but is relatively slow for transferring huge files

Quantum computing is expected to come of age in the next decade or two. Then, all bets are off.

Again, in general - it's not hard to protect critically important data from brute-force attacks. The primary cause of data breaches, by far, is human carelessness.

Tap Into The Experience of the Network

One of the great things about our industry is our willingness to share knowledge and experience.

The Energy Central Q&A platform allows you to easily tap into the experience of thousands of your colleagues in utilities.

When you need advice, have a tough problem or just need other viewpoints, post a question. Your question will go out to our network of industry professionals and experts. If it is sensitive, you can post anonymously.

Your access to Member Features is limited.

Apply for membership
Related Content
What could have prevented the SolarWinds attacks?
Don’t overlook the most consequential control system cyber events of 2020
SolarWinds Hack Reinforces Critical National Importance of Securing Electric Grid Supply Chain
The SBoM webinar has been rescheduled!

Recent Comments

Matt Chester
Matt commented on ...
Can SPACs Accelerate the Move Towards a Carbon Free Economy?
According to data from research firm Dealogic, U.S – listed SPACs raised $82 billion in 2020, almost six times greater than their total for the previ
Randy Long
Randy commented on ...
What Everybody Ought to Know to Insure Energy Risks Cost-Effectively in 2021?
Excellent post Rauf! I'd like to add something from a California perspective.
Audra Drazga
Audra commented on ...
2021 Rate Hikes and Sticker Shock
Interesting timing for this topic as Biden is proposing that we invest in renewables.  At the same time, many cannot pay their bills.  So how do...
Matt Chester
Matt commented on ...
Florida Public Service Commission holds rule development workshop on conservation and speakers urged major changes
Presenters stated that Florida is one of the worst states on conservation. 
Energy Central Jobs
Featured Jobs
More Jobs