The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 


FAQ: Software Supply Chain Risk Assessment SCRM) NERC CIP-010-3 software verification PowerTalk

image credit: Authors logo

Richard Brooks's picture
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Successful developer of Energy Industry B2B and Cyber security standards at North American Energy Standards Board (NAESB) ( since 1995; ANSI Meritorious Service Award Recipient;...

  • Member since 2018
  • 1,062 items added with 429,071 views

Many thanks to Energy Central for hosting the 5/6 PowerTalk on NERC CIP-010-3 software supply chain verification best practices. The on-demand video and slide are available here:

Access On-Demand Recording      Access On-Demand Slides   

Your access to Member Features is limited.

The following Questions and Answers were recorded from the session - I'm happy to address any additional questions the Energy Central Community has regarding CIP-010-3 software verification:

Q. Why is warning showing 0 but you have two warnings in SAG-PM ?

A. This question was posed during the SAG-PM™ digital signature verification step. SAG-PM™ uses Microsoft’s signtool to verify the digital signatures applied to software objects that are intended to be installed within a digital eco-system. Signtool will “pass” a digital signature (0 errors and 0 warnings) so long as a valid digital certificate was used to apply the signature. SAG-PM™ takes this check one step further by determining if the digital signature is from a party authorized by the software source supplier to sign their software object – which is why SAG-PM™ raised the warning that the digital signature didn’t match the source supplier of the software, which means the signature could be from a hacker, as opposed to the original software source supplier.

Q. Is SAG-PM only windows base? Or supports other operating systems, like macOS, GNU/Linux, if not, how would you approach this cases?

A. SAG-PM™ only runs on Windows 10 Professional due to dependencies on cryptographic functions in the underlying operating system. However, SAG-PM™ can be used to conduct a software supply chain risk assessment on any binary software object. Some SAG-PM™ functions will be limited, i.e. the ability to construct an SBOM, however other functions will work properly, i.e. Malware scans, provenance checking, etc.

Q. Does SAG-PM work and integrate well with the FireEye product?

A. SAG-PM™ is classified as an Endpoint Detection and Response (EDR) product that works in concert with FireEye and other EDR products, which are easily integrated with a little scripting effort. Evidence data produced by SAG-PM™ can also be integrated with Secure Evidence Lockers (SEL), such as NERC’s Align product.

Q. Would it be possible to share a copy of the slides?

A. The slides are available here:    Access On-Demand Slides    

Q. How does trustworthiness and verification uphold the capability of software functions support and not just indicate corruptions?

A. The ability to validate proper functioning of software functions with regard to software requirements is beyond the scope of what SAG-PM™ can provide today. SAG-PM™ is used to verify the software supply chain after all software development has completed and a binary, digitally signed, software object is made available to consumers.  Other tools, such as in-toto, are used to track and verify steps during the software development portion of the supply chain, leading to software release. SAG-PM™ covers the software supply chain steps that occur after a software package has been released, including releases for patches, upgrades and updates.

Q. Are there any Canadian standards equivalent to the NERC-CIP standards?

A. This answer was provided by one of the meeting attendees:     NERC Regions (WECC, MRO and NPCC cover Canada go to:  SAG-PM™ can be used in Canada to meet NERC CIP-010-3 software verification requirements.

Q. Is the vendor Database populated by the user or through a SAG-PM update?

A. SAG-PM™ installs a placeholder vendor database that contains the information needed to verify the SAG-PM™ distribution, itself. In version 1.1.0 the customer is required to update this vendor database manually, however a future version of SAG-PM™, the GUI version, will include the ability to add, change and delete vendors within the vendor database.

Q. What kind of Trust Score would be high enough for an average software user (those who not deemed as cybersecurity expert) to feel convinced enough to proceed with their respective work?

A. This largely depends on the risk appetite of an organization and the intended use of a software object. For example, a software object that is being deployed in the Amazon AWS cloud to collect customer survey results, with no exploitable connection to any Company resources may be deployed with little risk or damage to a Company’s digital ecosystem. On the other hand, I would be very concerned about installing a software object in a Company’s Energy Management System (EMS) with a SAGScore™ below 90, with 100 being the maximum possible score (I’ve never seen a SAGScore™ of 100).

Q. Would it be possible for NIST or other institutions to set up cybersecurity programs to help train the average software users (with constant refreshment updates) to be more effective in their daily work life

A. NIST does indeed provide an abundance of cybersecurity guidance materials today, and has done so for several years, ref: SP 800-160, SP 800-161, SP 800-53, SP 1800-32 (Volumes A and B) and the Cybersecurity Framework Version 1.1. This represents only a few of the numerous cybersecurity guidance publications available from NIST describing guidance on “WHAT TO DO” but does not provide prescriptive, or specific, guidance on “HOW TO” implement controls to meet this guidance. SAG-PM™ adheres to the NIST Cybersecurity Framework version 1.1 by implementing the actual “HOW TO” functions needed to perform a comprehensive software supply chain verification to meet NERC CIP-010-3 software verification requirements and NIST’s “WHAT TO DO” guidance (see NIST publications above for “WHAT TO DO” level guidance)


Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.

No discussions yet. Start a discussion below.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »