
Utility Management Group
New NERC Supply Chain Compliance Guidance issued
I must say, this new Supply Chain Guidance is significantly better than the previous guidance that was offered. Well done, NERC; it does seem that the voices from the cybersecurity trenches are being heard in Atlanta. The newly released (11/10/2021) guidance documents are available here:
CIP-010-4 Implementation Guidance for Configuration Change Management and Vulnerability Assessments and
CIP-013-2 Implementation Guidance for Supply Chain Risk Management Plans
The most significant improvement, IMO, is:
- Under General Considerations for Requirement R1 Part 1.6 Software Verification; elimination of guidance suggesting digital signatures alone can validate software supplier identity; this is a known flaw
In spite of these improvements, I'm concerned that some old guidance contained in the NERC RSAW for CIP-010 that allows entities to bypass software verification may enable entities to install software that has not been verified, providing an entry for hackers to exploit:
Note to Auditor:
If the identity of the software source cannot be verified, then it will not be possible to verify the integrity of the software obtained from the software source. In this case, the documentation of the inability to verify the identity of the software source may also serve to document the inability to verify the integrity of the software.
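To make the post's point about software verification concrete, the following Go example (added here; it is not code from the post, from NERC, or from the RSAW) contrasts two verifiers. The first accepts any package whose signature checks out against the public key bundled with the download, which proves integrity relative to some key but says nothing about whose key it is. The second first establishes the supplier's identity by comparing the bundled key against a fingerprint recorded through an independent channel, and only then treats the signature as evidence of integrity. The Package type, the trusted-fingerprint map, and the "relay-firmware" artifact are constructed for the illustration; the signatures use Ed25519 from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Package models a downloaded artifact together with the signature and the
// public key that ship alongside it (hypothetical structure for this example).
type Package struct {
	Name      string
	Contents  []byte
	Signature []byte
	PubKey    ed25519.PublicKey // key bundled with the download
}

// fingerprint returns the SHA-256 hex digest of a public key; this is the
// value an entity records out-of-band (supplier portal, contract, phone call)
// so that identity is established independently of the download itself.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// verifyNaive checks only that the signature is valid for the key shipped
// with the package. Any holder of any key can satisfy this check.
func verifyNaive(p Package) bool {
	return ed25519.Verify(p.PubKey, p.Contents, p.Signature)
}

// verifyPinned first verifies the identity of the software source: the
// bundled key must match the fingerprint obtained from the supplier through
// an independent channel. If identity cannot be verified, integrity cannot
// be verified either, so the function returns false without checking the
// signature.
func verifyPinned(p Package, trusted map[string]string) bool {
	want, ok := trusted[p.Name]
	if !ok || fingerprint(p.PubKey) != want {
		return false
	}
	return ed25519.Verify(p.PubKey, p.Contents, p.Signature)
}

// sign produces a package signed by the given private key.
func sign(name string, contents []byte, priv ed25519.PrivateKey) Package {
	return Package{
		Name:      name,
		Contents:  contents,
		Signature: ed25519.Sign(priv, contents),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// Scenario builds two constructed cases: a genuine vendor release and a
// modified artifact re-signed by an unrelated key. It returns the naive and
// pinned verdicts for (genuine, impostor).
func Scenario() (naiveGenuine, naiveImpostor, pinnedGenuine, pinnedImpostor bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	firmware := []byte("relay-firmware v2.3 (constructed sample contents)")
	genuine := sign("relay-firmware", firmware, vendorPriv)
	impostor := sign("relay-firmware", append(firmware, []byte(" (tampered)")...), otherPriv)

	// The only key the entity trusts for this product, recorded out-of-band.
	trusted := map[string]string{"relay-firmware": fingerprint(vendorPub)}

	return verifyNaive(genuine), verifyNaive(impostor),
		verifyPinned(genuine, trusted), verifyPinned(impostor, trusted)
}

func main() {
	ng, ni, pg, pi := Scenario()
	fmt.Printf("signature-only check:  genuine=%v impostor=%v\n", ng, ni)
	fmt.Printf("pinned-identity check: genuine=%v impostor=%v\n", pg, pi)
}
```

Running it shows the signature-only check accepting both artifacts, while the pinned check accepts only the genuine release. The design choice is that the fingerprint lookup happens before, not instead of, the signature check: identity verification is the precondition that gives the integrity check its meaning, which is exactly the dependency the RSAW note above describes.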
Implementation Guidance is developed by industry and vetted through pre-qualified organizations. In order for an organization to become pre-qualified, a member of that organization must submit an application to the Compliance and Certification Committee. Vetted examples can then be submitted to the ERO Enterprise for endorsement, and, if endorsed, the ERO Enterprise would give the example deference during CMEP activities with consideration of facts and circumstances. Implementation Guidance would not prescribe the only approach to implementing a standard and entities may choose alternative approaches that better fit their situation. Draft Implementation Guidance will be posted below while it is being considered for ERO Enterprise endorsement. Once the Implementation Guidance is endorsed, it will be moved to the ERO Enterprise-Endorsed Implementation Guidance section. Draft Implementation Guidance that does not receive ERO Enterprise endorsement will be removed.