
Understanding Software Supply Chain Risks

image credit: © Artur Szczybylo | Dreamstime.com

This item is part of the Cybersecurity - Special Issue - 04/2020.

The material presented in this article represents the knowledge and experience gathered over 18 months of development and testing during the creation of Reliable Energy Analytics LLC (REA) Software Assurance Guardian Point Man™ (SAG-PM™) supply chain verification software. On April 6th the North American Electric Reliability Corporation (NERC) filed a request with the Federal Energy Regulatory Commission (FERC) to extend the compliance deadline for FERC Order 850 (supply chain regulations) until October 1, 2020. REA fully supports NERC's petition to delay the FERC Order 850 effective date until October 1, 2020, for the following reasons:

  1. Key components needed to effectively verify supply chain vendor integrity and proper business practices are still under development. The North American Transmission Forum (NATF) is leading an industry initiative to define key components, such as standard vendor questionnaires intended to give responsible entities the information needed to verify vendors using standard terms and semantics. A draft version of the questionnaire is scheduled for release in May 2020. However, many implementation details remain unanswered. For example: how will vendors make their standardized responses available to customers and prospective customers? Will a common database, similar to NAESB's EIR, be available to search for vendor responses?
  2. Some BES responsible entities are still working on their Supply Chain Risk Management plans, and many lack a standardized method or best practice for performing software verification in accordance with CIP-010-3 R1 Part 1.6 and for recording standardized proof of evidence. Many smaller companies lacking critical cybersecurity skill sets are especially vulnerable to harm from malicious software, e.g. ransomware, until they adopt and implement appropriate controls to verify software integrity and authenticity.
  3. Currently there are no proof-of-evidence standards, leaving the decision of what information to record as proof of verification to each company's own discretion. This makes it difficult for NERC and FERC auditing personnel to determine whether adequate and effective controls are in place to secure the BES from harmful software and from illegitimate or compromised vendors, and it leaves room for ambiguities that complicate compliance auditing. A defined proof-of-evidence standard would benefit both auditors and responsible entities by specifying what information is needed for CIP-010-3 R1, Part 1.6 compliance and, more importantly, by showing that adequate and effective protection controls are being followed.
  4. 18 months of software development and extensive testing of REA’s Software Assurance Guardian Point Man™ (SAG-PM™) software has identified numerous, and sometimes surprising, risks in the software supply chain, including, but not limited to:
    1. Suspect source locations where software objects are made available for customer download. Some locations lack the digital certificates needed to verify the entity providing access to a software object. Some locations use digital certificates from Certification Authorities that perform no identity vetting. Some digital certificates failed TLS/SSL verification, raising doubts over the integrity and authenticity of a site. Self-signed digital certificates provide a veil of trust that may not be warranted, affecting the trustworthiness of a download location and its provider.
    2. Numerous test cases have revealed blacklisted IP addresses in the route used to acquire and download a software object, raising concerns over man-in-the-middle attacks. Several test cases have identified IP addresses located outside the United States, giving hostile nations an opportunity to inflict harm.
    3. Varying levels of meta-information contained within a software object make it difficult to ascertain the original software developer, product names, versions, and the inherent risks that would exist in a software object if it were installed in a critical system.
    4. Real SAG-PM test cases have identified software objects whose digital signatures are reported as valid but were created with digital certificates that have since expired, some as far back as 2014. (A signature countersigned with a trusted timestamp can still verify after the signing certificate expires, so "valid" says nothing about the certificate's current standing.) On further inspection, these same software objects were also found to contain trojans that could bring harm to the BES. A valid digital signature alone is an insufficient control against harm to the BES.
    5. Lack of a standard vendor questionnaire and response, which are needed to ascertain a trustworthiness score for vendors within the supply chain. Additionally, there is no standard mechanism to make these vendor responses available to interested parties.
    6. Vulnerability search results from well-known vulnerability databases have shown a poor signal-to-noise ratio, making it difficult to determine whether a known vulnerability applies to a given software object and version. More specific vulnerability search criteria and a structured response, e.g. JSON or XML, would help.

In summary, these are just a few of the issues identified over the 18-month period during which SAG-PM software development and testing were underway. Many companies, especially smaller ones, lack access to the cybersecurity skill sets needed to perform effective, risk-based security analysis manually. These companies could benefit from access to best practices for software supply chain risk analysis, like those implemented in SAG-PM, in order to make a risk-based decision to install, or not install, a software object in a BES critical system.
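As an added example (this is not SAG-PM or REA code, and the page shows none), the following Python script applies checks of the kind listed under item 4 to a single download and writes out a structured JSON proof-of-evidence record of the kind item 3 calls for. Everything in it is constructed: the software object bytes, the published hash, the download record, the hop blocklist and the field names are assumptions made here for illustration, not data gathered from any real vendor.

```python
"""Added example, not SAG-PM or REA code: score one downloaded software
object against the kinds of findings listed above and emit a structured JSON
proof-of-evidence record. All inputs are constructed (object bytes, published
hash, download record, hop blocklist); the rules and field names are assumed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SAMPLE_OBJECT = b"example-installer-v1.2.3\n"          # constructed payload
SAMPLE_EXPECTED_SHA256 = hashlib.sha256(SAMPLE_OBJECT).hexdigest()
HOP_BLOCKLIST = {"198.51.100.77"}                     # hypothetical reputation feed
VERIFICATION_TIME = datetime(2020, 4, 28, tzinfo=timezone.utc)  # fixed clock

def hash_matches(data: bytes, expected_hex: str) -> bool:
    # Constant-time compare; never a plain == on attacker-influenced strings.
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def tls_finding(tls: dict) -> tuple:
    """Require TLS, a chain that verifies to a trusted CA (self-signed fails
    here) and a hostname match for the download location."""
    if tls["scheme"] != "https":
        return ("FAIL", "download location is not served over TLS")
    if not tls["chain_verified"]:
        return ("FAIL", "chain failed verification (self-signed or untrusted CA)")
    if not tls["hostname_matches"]:
        return ("FAIL", "certificate does not match the download hostname")
    return ("PASS", "TLS chain and hostname verified")

def route_finding(hops: list) -> tuple:
    bad = [h for h in hops if h in HOP_BLOCKLIST]
    if bad:
        return ("WARN", "blocklisted hop(s) on path: " + ", ".join(bad))
    return ("PASS", "no blocklisted hops")

def signature_finding(sig: dict, now: datetime) -> tuple:
    """A cryptographically valid signature is not the same as a trustworthy one:
    signing must fall inside the certificate's validity window, and once the
    certificate has expired only a trusted countersigned timestamp keeps the
    signature acceptable (and even then only with a warning)."""
    if not sig["signature_valid"]:
        return ("FAIL", "signature does not verify")
    not_before = datetime.fromisoformat(sig["cert_not_before"])
    not_after = datetime.fromisoformat(sig["cert_not_after"])
    signed_at = datetime.fromisoformat(sig["signed_at"])
    if not (not_before <= signed_at <= not_after):
        return ("FAIL", "signed outside the certificate validity window")
    if now > not_after and not sig["trusted_timestamp"]:
        return ("FAIL", "certificate expired and signature is not timestamped")
    if now > not_after:
        return ("WARN", "certificate expired; relying on the trusted timestamp")
    return ("PASS", "signature valid and certificate current")

def build_evidence(record: dict, now: datetime) -> dict:
    ok = hash_matches(record["object_bytes"], record["expected_sha256"])
    findings = {
        "source_tls": tls_finding(record["tls"]),
        "route": route_finding(record["route_hops"]),
        "integrity": ("PASS", "sha256 matches published value") if ok
                     else ("FAIL", "sha256 does not match published value"),
        "authenticity": signature_finding(record["signature"], now),
    }
    statuses = {status for status, _ in findings.values()}
    decision = ("REJECT" if "FAIL" in statuses
                else "REVIEW" if "WARN" in statuses else "INSTALL")
    return {  # JSON-serialisable proof-of-evidence record
        "object": record["name"],
        "source_url": record["url"],
        "sha256": hashlib.sha256(record["object_bytes"]).hexdigest(),
        "verified_at": now.isoformat(),
        "findings": {k: {"status": s, "detail": d} for k, (s, d) in findings.items()},
        "decision": decision,
    }

def sample_record() -> dict:
    # Constructed record mirroring item 4.4: the signature verifies, but the
    # signing certificate expired in 2014 and carries no trusted timestamp.
    return {
        "name": "example-installer-v1.2.3.exe",
        "url": "https://downloads.example.com/example-installer-v1.2.3.exe",
        "object_bytes": SAMPLE_OBJECT,
        "expected_sha256": SAMPLE_EXPECTED_SHA256,
        "tls": {"scheme": "https", "chain_verified": True, "hostname_matches": True},
        "route_hops": ["192.0.2.1", "198.51.100.77", "203.0.113.9"],
        "signature": {
            "signature_valid": True,
            "signed_at": "2014-03-02T10:00:00+00:00",
            "cert_not_before": "2013-01-01T00:00:00+00:00",
            "cert_not_after": "2014-12-31T23:59:59+00:00",
            "trusted_timestamp": False,
        },
    }

def verify_sample() -> dict:
    return build_evidence(sample_record(), VERIFICATION_TIME)

if __name__ == "__main__":
    print(json.dumps(verify_sample(), indent=2))
```

Running the script prints the evidence record for the constructed sample: TLS and hash checks pass, the blocklisted hop is recorded as a warning, and the expired, untimestamped signing certificate turns a "valid" signature into a FAIL, so the overall decision is REJECT. The point of keeping every finding in the record, not just the decision, is that an auditor can later see which control produced the outcome; the decision policy (any FAIL rejects, any WARN sends the object to human review) is one reasonable default, not a standard.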

Richard Brooks

Discussions

Matt Chester on Apr 28, 2020 12:34 pm GMT

Many Companies, especially smaller Companies, lack access to the level of cybersecurity skill sets needed to manually perform effective, risk-based analysis security controls. These Companies could benefit from having access to best practices for software supply chain risk analysis, like those implemented in SAG-PM, in order to make a risk-based decision to install, or not install, a software object in a BES critical system.

You lay out a clear and compelling argument why such best practices are necessary. I'm curious: are these smaller companies even aware that such risks are out there and that they could benefit from the best practices? Put another way, are they seeking out solutions, or are they oblivious that the problem exists in the first place?

Richard Brooks on Apr 28, 2020 5:25 pm GMT

Good questions, Matt. I don't know about others, but I was sure surprised by what I found while doing verifications, as you can see from the article. Now, I'm downloading and testing a bunch of open source software objects just to see what "gotchas" come attached. All I can say is, Wow!
