Here are my take-aways from today's FERC SCRM meeting:
- More information sharing is better, so long as there are no anti-trust violations. [Sharing is Caring] Anti-trust violations are not a valid concern when sharing product "Trust Declarations" within SAG-CTR - see below for details.
- There is no one-size fits all solution
- There are no silver bullets
- There was a good mix of representatives from small and large entities across the electric industry
- There were no meaningful discussions on the need for harmonization of cybersecurity regulations, standards and practices across the entire electric industry. "Harmonizing existing and proposed cybersecurity requirements is vital."
- There seems to be a disconnect at NERC HQ with regard to knowing about SCRM best practices using effective and efficient software supplier artifacts and attestations that are being collected and applied across US Government software risk assessments following CISA secure by design best practices and NIST Guidance and Standards per OMB M-22-18, the SCRM practices adopted by GSA, the Department of Defense, the Department of Energy and NASA, and NARUC Cybersecurity Performance Goals. NOTE: FAR rule changes are forthcoming, soon, per EO 14144, requiring software suppliers to submit software attestations and share supply chain artifacts to the CISA RSAA portal for risk assessment purposes; see the NASA webinar on use of the CISA RSAA portal to submit secure software attestation forms and artifacts, such as SBOMs and Vulnerability Disclosure Reports. The sharing of software risk assessment results and product "trust scores" by agencies can provide significant benefits and efficiencies during procurement processes required by all agencies under OMB M-22-18. DOD will be developing a "new scoring methodology" (trust score) for NIST 800-171 Rev. 3 - see slide 22 for an example DoD CMMC trust score - and the US Coast Guard plans to use only trusted products that are listed in a "Trust Registry" (approved products list).
- I heard lots of reasons why it's too hard to implement proper SCRM practices, including the false assertion that attestations don't work to protect against risky products. I'll reiterate one of the panelists' statements: "That's un-American"; we don't throw in the towel just because something is hard, especially if it's worth pursuing for the benefit of society and it produces real value. [Attestations certainly do work when they are properly applied in a robust risk assessment process, such as those used by NASA and other US Government Agencies]
- There was no clear indication that any of the NIST SCRM standards and Guidelines contained in CISA's best practices guidance are being considered within the SCRM NOPR activity or will even influence what happens next. Collectively, NIST and CISA are the nation's cybersecurity and SCRM experts, without doubt. We must put our best players #42 on the field to face a tenacious and innovative cyber adversary capable of sophisticated, stealthy incursions across critical infrastructure, like Volt Typhoon and Salt Typhoon.
- There was only one panelist with actual SCRM implementation experience; very light representation from the SCRM community of implementers
- The status quo will likely prevail
I highly recommend that FERC and NERC HQ consider the practical advice provided on the need for cybersecurity harmonization offered by EEI and the practical advice offered by Tom Fanning on the need for greater public-private collaboration to harden critical infrastructure with practical cybersecurity best practices and the work underway between CISA and US States to address SCRM best practices for procuring trustworthy software products, and NARUC's recommendations for baseline cybersecurity best practices.
The IESO Lighthouse program is an innovative and effective model for the NERC ERO regional entities to follow to provide the support needed to roll out and maintain harmonized cybersecurity best practices and information sharing across their respective regions. Always remember, and never lose focus, that cybersecurity is a team sport that requires respectful collaboration and commitment to success #42; Club House thinking and leadership.
Today, I filed my comments regarding the March 20 SCRM technical conference with FERC.
A videotape of the SCRM technical conference at FERC on March 20 is available online. Very insightful; the disconnect I refer to between NERC HQ and national cybersecurity best practices, guidelines and standards, and ongoing adoption by the US Government, becomes obvious around the 1:22-1:50 period of the discussions. I commend all of the panelists for providing their honest, objective responses to FERC questions. I especially want to recognize Joseph McClelland with FERC for asking the industry their views of the CISA ICT_SCRM Task Force work products for SCRM best practices supporting SMBs and other entities, including what practices are being used today by utilities (SMUD and ConEd provided useful insights here). Well done, Joe.
It's also worth mentioning that many registered entities subject to FERC and NERC regulations also produce and distribute software products making them "software suppliers" in the context of SCRM best practices described by CISA. Will these registered entity software suppliers also be subject to "software supplier" obligations when FERC introduces the updated SCRM Order under Docket RM24-4-000?
Remember, Sharing is Caring and cybersecurity is a team sport that requires our best players on the field working collaboratively with mutual respect to succeed against a very determined, innovative and adaptable adversary; #42. The SAG-CTR community Trust Registry works like other consumer expression sites, like Trip Advisor, Expedia and others where trusted, authorized individuals freely provide information about their software product risk assessment experiences.
Only a consolidated "Trust Score" is displayed without naming the issuers of trust declarations within a cybersecurity label, along with vendor provided data. A disclaimer on SAG-CTR makes this clear: