Supply chain risk management is an increasing challenge for software, so much so that NERC has a federal mandate to create a CIP standard that addresses cyber risk from industrial control systems associated with the bulk electric system.

  • The highly publicized Stuxnet attack from 2010 is a bellwether case with important lessons learned for suppliers and integrators of industrial software. Stuxnet certainly sparked significant SDL investments as well as software supply chain assurance improvements at OSIsoft.
  • Other software supply chain incidents include Windows Update being compromised by Flame in 2012 and updates from 3 industrial suppliers infected by Havex in 2014.
  • More recently, the “Kingslayer” case study from RSA Security highlights some of the major concerns and just how much work there is to do across the breadth and depth of software supply chains in general. (See also the KrebsOnSecurity blog for more on Kingslayer.)

So with all these examples it seems like regulation is justified, but can the electric sector effectively tackle a problem that hasn’t been solved anywhere else in the software industry? Of course, I suspect not. Fortunately, the federal order is focused on internal minimum standards for the utilities themselves.

While this sounds like a reasonable approach, the proposed standard and technical guidance seem to go beyond a minimum scope. My concerns are highlighted in the attached open letter. Similar to CIP-004, I anticipate hundreds of disjointed interpretations of these new requirements falling on suppliers. While the initial impact may just be failure-prone audit programs, the long-term effect could stymie real progress in advancing the development of more reliable and secure solutions for bulk electric system operations.

I hope you'll take a moment to browse the open letter and respond to NERC's draft ballot on Cyber Security Supply Chain Risk Management.

Sincerely,

Bryan S. Owen PE