A great opportunity

Tom Alrich, Tom Alrich LLC (supply chain cyber risk management, with an emphasis on SBOMs and VEX documents)

  • Jan 17, 2022

Do you remember the NERC Supply Chain Working Group (SCWG)? We’ve been in operation since 2018 and are still going strong. Our current project is to update the set of supply chain guidelines that we drew up in 2019. Drafting them was a great experience, since we had a lot of people participating on the calls. I anticipate that re-drafting them (or perhaps adding to them, since my guess is most of them don’t need to be amended very much) will be equally interesting.

One important goal of the guidelines is to keep them short enough to be read in maybe 20 minutes. The original guidelines were all 3-5 pages long, and I anticipate the new ones will be 5-8 pages. I’ll point out something you may already know: It’s a lot harder to write a short paper than a long one. That may be why the drafting meetings were so interesting – when every word has to count, you need to decide what has to be said and say it as economically as possible (which of course is why blog posts sometimes go on and on – since the blogger knows there’s no limit imposed and he doesn’t have to be careful about his words. Of course, I don’t personally know any bloggers like that, but I’m told they’re out there).

I ended up leading the drafting of two of those papers, and I’ll be leading it for the new versions of both papers (unless someone else would like to take the lead on one of them and I’ll just participate. That would be fine with me). We need to get the drafts done by mid-March, I believe, so we won’t have many meetings to draft them. I will have 3-4 meetings for each paper, and I’ll alternate weeks, so there will be a meeting for one paper the first week and the other the second, etc. You can come to as many meetings as you want – although there won’t be any recordings made.

The two papers for which I’ll lead the drafting are both found here, along with some slides from presentations we did in Orlando in June 2019. There are also recordings of webinars we did (one for each paper) in 2020, which were well attended (since people weren’t going to a lot of in-person meetings in April through June of 2020). My two papers are Cyber Security Risk Management Lifecycle (which should really be called Supply Chain Cyber Risk Management Lifecycle – we’re not trying to tackle the entire field of cybersecurity in five pages!) and Vendor Risk Management Lifecycle.

You’re welcome to attend any or all of the meetings; I’m not going to keep attendance. You don’t have to be a member of the SCWG, although we’ll probably enroll you anyway. This will entitle you to all the benefits and emoluments of membership - priceless. We’re even waiving the normal $1,000 signup fee…😊

Also, even though these meetings are mostly populated with electric power industry types, I can assure you there’s nothing we’ll be talking about that’s specific to the power industry. So anyone is welcome to participate, both suppliers and end users. We’ve put out Doodle polls to find the best time for both series of meetings. The poll for the Cyber Risk Management meetings is here and for Vendor Risk Management is here.[i]

I hate to pressure you, but for the Cyber Risk Management meetings, we’ll have to decide the time by tomorrow afternoon, since we want to have the first meeting this week. So if you’re interested in that, please sign up ASAP (note we won’t meet on Monday the 17th, although if Monday is the best day for someone, we could later move the meeting to Monday if the rest agree). For Vendor Risk Management, we’ll meet next week (the week of the 24th), so we’ll wait a few days before we set that time. We’ll send everybody who’s participated in the poll an invitation for the series.

I hope you can help us out!

Need CIP-013 compliance help, either from the NERC entity or the vendor side? I’ve worked with a number of electric utilities on CIP-013 compliance, and I’m currently working with two vendors to the industry. Drop me an email and we can talk!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at

[i] If you want to sign up for one of the three other papers that we’re going to revise this quarter (the others will come later) – which are Provenance, Open Source, and Secure Equipment Delivery – drop an email to Tom Hofstetter of NERC at and he’ll send you the links for those Doodle polls.

Jim Stack on Jan 17, 2022

Do you work on all types of power systems? It must be tricky to keep the Sunshine supplied to all those Solar plants and Wind to the Hydro.


Quote: "NERC is the Electric Reliability Organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves nearly 400 million people"
