July 1, 2020 The “Safe Grid” era begins
image credit: Author
- Mar 8, 2020 5:00 pm GMT
Way back in October of 2018 the Federal Energy Regulatory Commission (FERC) issued Order 850, requiring bulk electric system responsible entities to protect their Bulk Electric System (BES) CIP assets against harm emanating from supply chain incursions by hackers, nation states and any party wishing to disrupt the electric grid, effective July 1, 2020. The expectations for compliance with the supply chain regulations are set out in the North American Electric Reliability Corporation (NERC) CIP-013-1 and CIP-010-3 standards, along with several insightful guideline documents. The industry has been charging ahead, preparing for the July 1st deadline by creating vendor questionnaires intended to determine a vendor's trustworthiness based on its business practices and its application of secure coding and other activities designed to prevent "taint" from entering the process that ultimately leads to the use of a product within a BES system hardware/software component.
The vendor community has been overwhelmed by the number of questionnaires and the variation in their content, leading to excessive work in preparing responses and a realization that a coordinated and collaborative effort would be more effective in meeting the intent of the FERC Order. The North American Transmission Forum (NATF) has taken the lead on an industry wide initiative to coordinate these supply chain activities in the quest for a more efficient and effective approach. This very important initiative is in high gear as we approach the July 1 deadline.
Much has been written about NERC CIP Supply Chain compliance, and you can gain some very useful insights from the blog writings of Tom Alrich, the high priest of NERC CIP Supply Chain compliance. Tom provides in-depth analysis and methodical, practical advice to parties that need to meet the July 1 deadline. I've found Tom's advice and insights nourishing; they have grounded me with an understanding of what it takes to achieve a viable CIP-013-1 solution, along with specific areas that deserve careful attention. But there is one area that, IMO, needs specific "howto" implementation guidance: NERC CIP-010-3 R1 Part 1.6, 1.6.1 Verify the identity of the software source, and 1.6.2 Verify the integrity of the software obtained from the software source.
Of all the NERC Supply Chain Standards, these two specific requirements are the ones designed to identify and prevent operational harm from being introduced into a BES CIP ecosystem by software installation and maintenance activities. Some guidance is available from NERC with regard to software verification: the NATF Guidance, the NERC Open Source Software Guideline, and the Provenance Guidelines. Each of these documents provides sound, high-level advice and a smattering of "howto" guidance; however, they leave some room for improvement, and this is the area where I have spent considerable time researching and documenting the specific "howto" best practices for a comprehensive software object verification process that meets the intent of requirements CIP-010-3, R1, Part 1.6, 1.6.1 and 1.6.2, described below.
The Software Assurance Guardian™ (SAG™) methodology and patent-pending technologies define the specific activities needed to identify and detect tainted software object supply chains, prior to any attempt to install software packages in a BES Cyber Asset. The following guidance is provided based on my own research into best practices for software integrity and authentication verification, to ensure that a modicum of due diligence is performed and can be demonstrated to an auditor as compliance with the two NERC requirements identified above.
SAG™ Best Practices for Software Supply Chain Integrity and Authentication verification:
- Contains no known malware, viruses or other issues discovered during introspection, e.g. use of suspicious web services; carefully inspect the metadata in the install package and perform a Software Composition Analysis (SCA) to identify bundled open source components, their known defects and any suspect behavior
- Was obtained from a trustworthy location: verify the TLS certificate presented by the download site (the chain validates to a trusted root, the hostname matches a subject alternative name, and the certificate is within its validity period) and consider the issuing CA's identity-vetting practices. A domain-validated certificate proves only control of the domain name, whereas an organization-validated certificate binds the site to a vetted legal entity
- Was obtained from trustworthy supply chain entities (distributor, developer, internet repository, etc.); are any compromises of those entities known?
- Is unaltered from its original intended contents, as provided by a trustworthy software source originator or software source, using cryptographic methods where possible. A vendor digital signature (code-signing certificate or PGP key obtained out of band) is the strongest evidence; a hash value published on the same page as the download proves only that the transfer was not corrupted, since an attacker who can alter the file can usually alter the published hash as well
- Contains no recorded/known vulnerabilities or reports of suspicious activity (e.g. Bitcoin mining)
- Determine if other parties have assigned a passing grade for integrity verification of the specific software object
- Ensure that companies are informed of any integrity-related risks pertaining to the route used to obtain a software object; verify the path using Internet diagnostic tools such as tracert/traceroute and look for man-in-the-middle exposure to state actors (did the route transit a hostile jurisdiction such as Iran?). Note that traceroute shows the forward path at the time of probing, not necessarily the path the download actually took, so route evidence supplements rather than replaces TLS and signature verification
- Verify the party hosting the source location: are they trustworthy? Look up identity information for the party (e.g. a Dun & Bradstreet (D&B) search) and confirm that the certificate's issuer is one the domain's DNS CAA records permit (CAA records restrict which CAs may issue for a domain; they do not identify the hosting party)
- Verify the party that developed and licensed the SW; for example, if using open source software, identify the developers and determine whether any known malicious actors are involved
- Verify the party that distributed the SW: are they trustworthy, or have they been known to distribute malicious software?
- Search for known vulnerabilities in the SW using recognized CVE sources (e.g. the NVD)
- Search for known compromises of parties within the supply chain, e.g. stolen certificates/keys
- Capture all findings in a document that can be presented to NERC/FERC auditors in a tamper-evident format, e.g. hashed and digitally signed, recording the hashes of the verified software objects alongside the findings.
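As an added example, not part of the original post or of the SAG™ product, here is how three of the items above (TLS certificate policy checks on the source for 1.6.1, the cryptographic integrity check of the object for 1.6.2, and a tamper-evident record of the findings) can be carried out with the Python standard library. The certificate dictionary, the package bytes, the "published" hash and the trusted-CA list are all constructed for the example; `check_source_certificate` takes the dictionary that `ssl.SSLSocket.getpeercert()` returns, so a live check would call it only after `ssl.create_default_context().wrap_socket(...)` has already validated the chain and hostname, and the policy checks here are layered on top of that.

```python
"""Added example (not code from the original post or from SAG(TM)): the concrete checks
behind CIP-010-3 R1 Part 1.6.1 (identity of the software source) and 1.6.2 (integrity of
the software obtained), plus a tamper-evident record of the findings for auditors.
Standard library only; all inputs are constructed and the trusted-CA list is a hypothetical policy."""
import hashlib
import hmac
import io
import json
import ssl

TRUSTED_ISSUER_ORGS = {"DigiCert Inc", "Example Root CA"}          # hypothetical policy
AUDIT_TIME = ssl.cert_time_to_seconds("Jul 01 00:00:00 2020 GMT")   # when the check is run


# ---- 1.6.1: identity of the software source ----------------------------------
def label_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: exact, or one wildcard in the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_source_certificate(cert: dict, expected_host: str, now: float) -> list:
    """Policy findings for a certificate in the dict layout that ssl.SSLSocket.getpeercert()
    returns after chain validation. An empty list means the source identity checks passed."""
    findings = []
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]   # SAN, not subject CN
    if not any(label_matches(n, expected_host) for n in names):
        findings.append(f"host {expected_host} not covered by SAN {names}")
    if not ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate outside its validity period")
    issuer = {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}
    if issuer.get("organizationName") not in TRUSTED_ISSUER_ORGS:
        findings.append(f"issuer {issuer.get('organizationName')!r} not on the trusted-CA list")
    return findings


# ---- 1.6.2: integrity of the software obtained -------------------------------
def sha256_of_stream(stream, chunk: int = 1 << 20) -> str:
    """Hash an installer in chunks, so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def verify_integrity(stream, published_sha256: str) -> bool:
    """Constant-time compare against the vendor-published digest. Caveat: a hash taken from the
    same page as the download proves only that the transfer was clean; authenticity needs a
    vendor signature checked against a key obtained out of band."""
    return hmac.compare_digest(sha256_of_stream(stream), published_sha256.strip().lower())


# ---- Evidence: tamper-evident record of the findings -------------------------
class EvidenceLog:
    """Append-only log where each entry commits to the previous entry's hash, so a later edit,
    insertion or deletion breaks verify(). Record the head hash out of band (sign it or file it
    with the auditor), otherwise an attacker can simply rebuild the whole chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def digest(prev: str, finding: dict) -> str:
        body = json.dumps({"prev": prev, "finding": finding}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, finding: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "finding": finding, "entry_hash": self.digest(prev, finding)})
        return self.entries[-1]["entry_hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self.digest(e["prev"], e["finding"]) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# ---- Constructed sample inputs (not real vendor data) -------------------------
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),)),
    "subjectAltName": (("DNS", "downloads.example-vendor.com"), ("DNS", "*.cdn.example-vendor.com")),
    "notBefore": "Jun 10 00:00:00 2020 GMT",
    "notAfter": "Sep 08 00:00:00 2020 GMT",
}
SAMPLE_PACKAGE = b"relay-firmware-1.2.3.bin (constructed bytes standing in for an installer)"
SAMPLE_PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()  # what the vendor page would list


def run_verification(now: float = AUDIT_TIME) -> dict:
    """Run both checks on the constructed inputs and log each result in the evidence chain."""
    log = EvidenceLog()
    cert_findings = check_source_certificate(SAMPLE_CERT, "downloads.example-vendor.com", now)
    log.append({"check": "CIP-010-3 R1 1.6.1 source identity", "findings": cert_findings})
    intact = verify_integrity(io.BytesIO(SAMPLE_PACKAGE), SAMPLE_PUBLISHED_SHA256)
    log.append({"check": "CIP-010-3 R1 1.6.2 integrity", "sha256_match": intact})
    altered = verify_integrity(io.BytesIO(SAMPLE_PACKAGE + b"\x00"), SAMPLE_PUBLISHED_SHA256)
    log.append({"check": "CIP-010-3 R1 1.6.2 integrity, copy with one byte appended", "sha256_match": altered})
    return {"cert_findings": cert_findings, "intact": intact, "altered": altered, "log": log}
```

Calling `run_verification()` returns no certificate findings, `intact` True and `altered` False for the constructed inputs, and `log.verify()` stays True until any entry is edited. Two design points matter for an audit: the evidence chain is only as good as the custody of its head hash, so sign it or lodge it with the auditor at the end of each verification; and `verify_integrity` on its own satisfies the "unaltered" item only when the published hash came from a channel independent of the download, otherwise a vendor signature check has to be added before the object is cleared for installation. The route, CAA and vulnerability-search items in the list are not covered by this example.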
This list is designed to give the reader some understanding of the steps needed to perform a software object integrity and authentication verification, which is what SAG™ technologies address. Software security is a cat-and-mouse game that changes frequently, requiring constant monitoring and updating of these practices over time. More information on SAG™ is available here. [UPDATE 4/4/2020: The SAG Point Man™ software is now available for beta testing: https://reliableenergyanalytics.com/products ]