Supply Chain Attestation for the Grid
The electric grid of the United States, most of Canada, and part of Mexico is regulated by the North American Electric Reliability Corporation (NERC). The NERC Critical Infrastructure Protection (NERC CIP) standards impose fines on utilities that do not follow mandated cybersecurity and other reliability practices. On October 1st NERC CIP-013 comes into effect, requiring regulated utilities to implement supply chain risk management plans and review them on a fifteen-month cycle.
Fines for failing to meet NERC CIP requirements have run as high as $10M for a single enforcement action (PG&E, 2019). That exposure motivates small utilities to spend roughly $1M a year on NERC CIP compliance, and large utilities to spend more than $10M a year, in many cases much more. A dozen years of compliance work, as the CIP standards have grown to cover more areas of diligence, have put most utilities in reasonably good shape to meet both the letter and the intent of this new requirement.
One set of supply chain information on which utilities can build compliant processes during this first five-quarter cycle is the provenance, content, and disposition of the software running in critical systems. This area has developed significantly over the past decade and has accelerated in the past several years. Diligent utilities will work with suppliers and regulators to apply that work to the new requirement.
Software Bill of Materials (SBOM) programs such as the Linux Foundation's Software Package Data Exchange (SPDX) project and the US Department of Commerce National Telecommunications and Information Administration's SBOM program (NTIA SBOM) have produced mature taxonomies for describing the contents of software components. Utilities will be able to obtain SBOM data from suppliers, review it with risk assessment products or services, and demonstrate that diligence to auditors.
As with bills of materials (BOMs) throughout history, the attestation of who produced an SBOM record, of its accuracy, and of how it was handled is what establishes trust in supply chain information. Knowing that the BOM for a pallet was created by the supplier and not altered before the goods arrived, or that a BOM in a file drawer has been there since the date on the paper, has always been how you know whether your supply chain was compromised by malice or error.
The Digital Bill of Materials (DBoM) Consortium was formed to build the infrastructure needed to share digital attestations such as SBOMs in shared repositories, with the surety and access policies agreed by supply chain partners. In Q4 of this year the DBoM Consortium will launch as a Linux Foundation project at dbom.io, with open source DBoM Node software made publicly available. Supply chain partners use DBoM Nodes to create repository Channels, governed by agreed access policies, in which attestations about the contents and handling of any item can be made and shared.
An electric utility can create DBoM Channels as shared repositories for SBOMs and other attestations about the source, contents, and handling of critical assets. Such a utility could require in its contract language that suppliers attest to SBOMs for identified products on that DBoM Channel; compliance auditors would later access the Channel to verify that the attestation was made, and the SBOM provided, by the identified supplier at the stated date and time.
Any repository technology can back a DBoM Channel, but where Distributed Ledger Technology (DLT, also called "blockchain") is used the surety of attestation is very high: no member of the ledger can alter its copy without the other members detecting the change. One caveat a practitioner should keep in mind: the ledger proves who recorded which SBOM digest and when, and that the record has not been changed since; it does not make the SBOM's contents correct, so the attestation is only as good as the supplier's own build and inventory process behind it. With that understood, utilities that use DLT for DBoM Channels give compliance auditors and operational staff information they can rely on for very high consequence decisions.
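As an added illustration (not DBoM Consortium or dbom.io code), the Python below models what the last four paragraphs describe: a supplier attests to the digest of an SBOM, each channel entry commits to the previous one, an auditor checks that the channel holds an intact attestation for exactly the SBOM in hand, and a second member's replica exposes a member that rewrote its own ledger. The supplier name, package contents, key and timestamps are constructed for the example, and an HMAC keyed per supplier stands in for a real supplier signature so the script runs on the standard library alone.

```python
"""Toy hash-chained SBOM attestation channel (illustration only, not DBoM code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace

# Constructed sample: a minimal SPDX-like SBOM for a hypothetical relay firmware.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "relay-firmware-4.2.1",
    "packages": [
        {"name": "relay-firmware", "versionInfo": "4.2.1"},
        {"name": "openssl", "versionInfo": "3.0.13"},
        {"name": "zlib", "versionInfo": "1.3.1"},
    ],
}

# Hypothetical per-supplier attestation key. A real channel would verify a
# public-key signature; HMAC stands in here so the example runs on stdlib.
SUPPLIER_KEYS = {"acme-relays": b"acme-demo-key"}
GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON so the same SBOM always produces the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sbom_digest(sbom) -> str:
    return hashlib.sha256(canonical(sbom)).hexdigest()


@dataclass(frozen=True)
class Entry:
    supplier: str
    product: str
    sbom_sha256: str
    attested_at: str  # ISO 8601 UTC, as stated by the supplier
    prev_hash: str    # hash of the previous entry; GENESIS for the first
    mac: str          # supplier's attestation over the fields above

    def signed_body(self) -> bytes:
        fields = asdict(self)
        fields.pop("mac")
        return canonical(fields)

    def entry_hash(self) -> str:
        return hashlib.sha256(canonical(asdict(self))).hexdigest()


def attest(chain, supplier, product, sbom, attested_at) -> Entry:
    """Supplier appends an attestation for `sbom`, linked to the channel head."""
    prev = chain[-1].entry_hash() if chain else GENESIS
    unsigned = Entry(supplier, product, sbom_digest(sbom), attested_at, prev, mac="")
    mac = hmac.new(SUPPLIER_KEYS[supplier], unsigned.signed_body(), "sha256").hexdigest()
    entry = replace(unsigned, mac=mac)
    chain.append(entry)
    return entry


def verify_chain(chain) -> list:
    """Return the problems found; an empty list means every link and MAC checks out."""
    problems, prev = [], GENESIS
    for i, e in enumerate(chain):
        if e.prev_hash != prev:
            problems.append(f"entry {i}: broken link (prev_hash mismatch)")
        key = SUPPLIER_KEYS.get(e.supplier)
        expected = hmac.new(key, e.signed_body(), "sha256").hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, e.mac):
            problems.append(f"entry {i}: attestation MAC does not verify for {e.supplier}")
        prev = e.entry_hash()
    return problems


def verify_sbom_against_channel(sbom, chain, supplier, product) -> bool:
    """Auditor's check: intact channel holds this supplier's attestation for this exact SBOM."""
    if verify_chain(chain):
        return False
    want = sbom_digest(sbom)
    return any(e.supplier == supplier and e.product == product and e.sbom_sha256 == want
               for e in chain)


def replicas_agree(a, b) -> bool:
    """DLT-style consistency: members compare chain heads, so a rewritten ledger stands out."""
    head = lambda c: c[-1].entry_hash() if c else GENESIS
    return len(a) == len(b) and head(a) == head(b)


def demo():
    utility_copy, auditor_copy = [], []
    for chain in (utility_copy, auditor_copy):  # both members record the same attestation
        attest(chain, "acme-relays", "relay-firmware", SAMPLE_SBOM, "2020-09-15T14:00:00Z")
    ok = verify_sbom_against_channel(SAMPLE_SBOM, utility_copy, "acme-relays", "relay-firmware")
    # An SBOM altered after attestation (a component quietly swapped) no longer matches.
    altered = json.loads(json.dumps(SAMPLE_SBOM))
    altered["packages"][1]["versionInfo"] = "1.0.2u"
    altered_ok = verify_sbom_against_channel(altered, utility_copy, "acme-relays", "relay-firmware")
    # A member that rewrites its own entry breaks the MAC and diverges from the replica.
    utility_copy[0] = replace(utility_copy[0], sbom_sha256=sbom_digest(altered))
    return ok, altered_ok, verify_chain(utility_copy), replicas_agree(utility_copy, auditor_copy)


if __name__ == "__main__":
    print(demo())
```

The auditor's question in the eighth paragraph maps to `verify_sbom_against_channel`: it only answers yes when the whole chain verifies and an entry from the named supplier carries the digest of the SBOM actually received. The replica comparison is the weakest possible stand-in for DLT consensus, but it shows the property the paragraph relies on: a member that edits its own copy cannot keep it consistent with everyone else's.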
As with the adoption of the barcode in the 1970s, which also improved supply chain security, the efficiency gains throughout business will be what is remembered about this change in supply chain management. Without barcodes, today's supply chains and the enterprises they serve could not reach a fraction of the productivity needed to stay in business. Our not-too-distant future selves will find the idea of managing vast fleets of IoT devices without continuous visibility into the provenance of all of them no less ridiculous than closing every retail store weekly for a manual inventory.
SBOM documents deposited in DBoM Channels can support NERC-regulated utilities' compliance with the CIP-010 software source and integrity verification requirement today. The same SBOM information will let those utilities shorten software maintenance cycles, reduce service disruptions and truck rolls, and realize the other benefits of this change in supply chain efficiency. These efficiencies will define competitiveness across many sectors in the 2020s. Enterprises that learn the lessons of NERC CIP-013 early and bring them into their operations will have the opportunity to lead their markets.
Leader of OWASP SBOM Forum and Vulnerability Database Working Group projects; consultant on NERC CIP compliance in the cloud and vulnerability management
4 years
Chris, I thought this was very good, but I wish you'd just described this as what it is: an important component of being able to ensure software and hardware security in the future, for all industries everywhere. This really has little to do with CIP-013 compliance and especially with CIP-010 R1.6 compliance. I'd hate to see people think this post is only of interest to the 300 or so entities who are subject to CIP-013-1 and CIP-010-3 R1.6.
ISA Certified Automation Professional at Industrial Control System Security
4 years
I'm intrigued. Third party suppliers must follow security practices in developing their products, and any security program worth its paper has verification of those suppliers with chain of custody verification for the highest Security Levels. Selection of secure products and SUPPLIERS, secure delivery and test of the installed components first through FAT, then SAT, is part of the IACS security design applying a standards based approach such as ANSI/ISA/IEC 62443. Security technology such as applying supply chain technology to guarantee delivery integrity is only one part of a 62443 security management program. Depending on the IACS design, blockchain for chain of custody might be only one check of hundreds to mitigate a counterfeit or compromised component, but there is no substitute for inspection, testing and validation of every component used in high security IACS. It is a noble concept, but what is the cost of the automation to get into every BOM that may not be electronic vs. inspection, testing and validation? Many grid suppliers are scrambling just to set up PSIRTs in an attempt to identify components whose part numbers exist only on a paper drawing. Apply blockchain to a paper drawing with 20k components in the system.
Security | Privacy | Risk | Technology
4 years
Interesting application of blockchain to supply chain Software BoM concepts for audit purposes. This is an enlightening read!