The ultimate goal, before installing any software is to determine if it is trustworthy enough to install. The 7 step risk assessment steps described in the session is intended to help a party determine the trustworthiness of a software object so that a risk-based decision to install/not install can be made. File hashes alone are inadequate because they do not verify authenticity.
What is the best way to verify software integrity and validation other than file hashing when applying patches to BES Cyber assets?
- Aug 17, 2020 3:31 pm GMT
Producer's Note: This question was posed during the recent Energy Central PowerSession: 'Cybersecurity on the U.S. Power Grid: Software Supply Chain Risks and Mitigations for NERC CIP-010-3,' with keynote speaker Richard Brooks. The PowerSession was so lively and packed with great information that Richard was not able to address all questions live, so we thought we would bring the question to the community so he could answer in writing, as well as provide an opportunity for the community to keep the conversation going with followup questions, comments, and discussion by anyone who was or wasn't able to attend the PowerSession live.
In case you missed the live event, a recording of the PowerSession can be accessed here.
Richard will also be holding a live Q&A discussion on the topic on Thursday August 27 at 4 PM Eastern. This informal chat will let you share any other questions you may have or topics you want to discuss. Join at any point during the hour when you're free and hop off when you need. More information and calendar reminder sign-up can be found here.
Tap Into The Experience of the Network
One of the great things about our industry is our willingness to share knowledge and experience.
The Energy Central Q&A platform allows you to easily tap into the experience of thousands of your colleagues in utilities.
When you need advice, have a tough problem or just need other viewpoints, post a question. Your question will go out to our network of industry professionals and experts. If it is sensitive, you can post anonymously.