Senior decision-makers come together to connect around strategies and business trends affecting utilities.

Richard Brooks's picture
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,540 items added with 672,037 views
  • Nov 10, 2021
  • 352 views

I must say, this new Supply Chain Guidance is significantly better than the previous guidance that was offered. Well Done NERC; it does seem that the voices from the cybersecurity trenches are being heard in Atlanta. The newly released, 11/10/2021, guidance documents are available here:

CIP-010-4 Implementation Guidance for Configuration Change Management and Vulnerability Assessments and

CIP-013-2 Implementation Guidance for Supply Chain Risk Management Plans

The most significant improvement, IMO is:

  • Under General Considerations for Requirement R1 Part 1.6 Software Verification; elimination of guidance suggesting digital signatures alone can validate software supplier identity; this is a known flaw

In spite of these improvements, I'm concerned that some old guidance contained in the NERC RSAW for CIP-010 that allows entities to bypass software verification may enable entities to install software that has not been verified, providing an entry for hackers to exploit:

Note to Auditor:

If the identity of the software source cannot be verified, then it will not be possible to verify the integrity of the software obtained from the software source. In this case, the documentation of the inability to verify the identity of the software source may also serve to document the inability to verify the integrity of the software.

 

Discussions

No discussions yet. Start a discussion below.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »