This group is the default community for every Energy Central registered member. We discuss and share a variety of topics related to the global power industry. 

Post

FERC Order 850: Verifying the Software Supply Chain to protect Bulk Electric System Cyber Assets

image credit: Department of Defense free images
Richard Brooks's picture
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent pending (16/933161) technology: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™)...

  • Member since 2018
  • 1,250 items added with 502,051 views
  • Jul 25, 2019
  • 1741 views

FERC Order 850 was issued on October 18, 2018 with a mandate to Bulk Electric System (BES) Entities (Responsible Entities) to verify software object integrity and authenticity prior to making any baseline changes to a BES Cyber Asset. NERC CIP 013-1 and CIP 010-3, collectively referred to as the NERC Supply Chain Reliability Standards, provide BES Entities with specific requirements pertaining to software integrity and authenticity, as shown in CIP 013-1 Requirement R1 1.2.5: “Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System”.  All BES Responsible Entities are required to comply with this FERC Order by July 1, 2020.

Your access to Member Features is limited.

But, what does it take to verify software integrity and authenticity? Software verification can be a daunting challenge for smaller entities with limited cyber security expertise and incomplete knowledge about how to verify a software objects integrity and authenticity. Digital Signatures can provide some level of verification, but digital signatures alone are insufficient to ensure a high degree of confidence, as there have been several well-known compromises that were able to subvert digitally signed software objects, see ASUS and MICROSOFT for two examples where digitally signed software objects should not be trusted in a BES Cyber System. Some commercial software products used in a BES Cyber Asset are provided to BES Entities without a digital signature or any form of cryptographic integrity and authenticity being applied. These “unsigned” software objects pose a risk to the BES if a BES Entity makes no attempt to perform a reasonable level of due diligence to confirm software integrity and authenticity before being installed in a BES Cyber Asset.

The challenges of keeping the BES safe from malicious software is becoming even more difficult with the rapid rise of distributed energy resources. The electric supply chain is transitioning to a more decentralized model with a large, and growing, population of distributed energy resources (DER). This expansion introduces significantly more cyber assets that can impact BES reliability, many of which contain software components running in inverters and other devices embedded throughout the BES.

Recently filed, patent pending technology, called the Software Assurance Guardian™ (SAG ™) software product has been designed specifically to address the concerns raised above by defining specific methods to verify software object integrity and authenticity using a process-based approach, akin to a background check for the entire supply chain of a software object, resulting in a SAGScore™, analogous to a FICO Score, but for software. SAG™ Software applies several cryptographic and non-cryptographic methods to determine the level of trustworthiness of a software object, and its entire supply chain. Simply identifying a suspect software object may be sufficient to protect a BES Entity from installing malicious software into their BES Cyber Assets, but what about all the other BES Entities – wouldn’t it be nice if a bad actor, once identified, could be made known to other BES Entities so that they don’t become victims. SAG™ software works diligently to stop the spread of a suspect software object by facilitating the reporting of an “attempt to compromise” cyber incident with NERC E-ISAC and DHS-NCCIC in accordance with FERC’s June 20, 2019 announcement pertaining to FERC Docket No. RD19-3-000 and NERC CIP 008-6.

Additional information about Software Assurance Guardian™ patent pending technology is available online.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
Discussions
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Matt Chester's picture
Matt Chester on Jul 25, 2019

This issue seems like one that's a slam dunk everyone agrees is important but then your question "But, what does it take to verify software integrity and authenticity?" brings to light that it takes more than just agreement on action, it's figuring out what that action should be. We're lucky there are smart people creating the solutions you detail here (and lucky that you're sharing that knowledge with us, Dick!)

Richard Brooks's picture
Richard Brooks on Jul 27, 2019

Thanks, Matt. You've probably noticed I've been quiet on EC for the past couple of months - that's because I was heads down researching and writing the patent application for this. It's a big relief now that it's filed. It's just like Edison said, 1% inspiration and 99% perspiration - mostly just hard work! Thanks.

Matt Chester's picture
Matt Chester on Jul 25, 2019

Congrats on the accomplishment-- and welcome back :)

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »