By Lila Kee, GlobalSign and Richard Brooks, Reliable Energy Analytics
On December 17, 2020, the Federal Energy Regulatory Commission (FERC) announced proposed enhancements to the cybersecurity posture of the bulk power system. The proposal would enable public utilities to secure incentive-based rate treatment for voluntary cybersecurity investments going “above and beyond” mandatory Critical Infrastructure Protection (CIP) Reliability Standards.
The announcement couldn’t have come at a better time. It was just days after the startling revelation of a massive cyberattack involving government cybersecurity software provider, SolarWinds.
As many know, Texas-based SolarWinds was hacked by Russian cybercriminals who inserted malicious code into an update of the company’s Orion software platform. Approximately 18,000 SolarWinds customers installed the infected update onto their own systems. To date, at least nine federal agencies and 100 private sector groups were breached. Both FireEye and Microsoft were compromised, and the latter continues to investigate and monitor the activity.
Amid Senate Intelligence Committee hearings that took place the week of February 23, a spokesperson for committee ranking member John Katko (R-N.Y.) told The Hill: “As SolarWinds has reinforced, third-party and supply chain risk is now a core component of all cybersecurity conversations, adding a new layer that amplifies the impact of a cyber-attack. We expect witness testimony to provide key insight into significant questions that must be addressed to prevent and respond to future cyber espionage campaigns.”
Impact on Public Utilities
While the electric industry had already been implementing cybersecurity measures, the SolarWinds incident made it clear as day that everyone MUST significantly up their game to avoid a similar fate. As the New York Times reported on January 3, “SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.” As Steve Naumann of Protect our Power recently pointed out, “Implementing a supply chain program based on U.S. national security needs must consider the breadth of the international supply chain and the myriad challenges that presents.”
Introducing the SBOM for Public Utilities
All these incidents are exactly why GlobalSign, Reliable Energy Analytics and several other entities involved in the public utilities space recently filed comments with FERC (Accession No.: 202102095087; Docket(s) No.: RM21-3-000). The intention of the recommendations in these filed comments is to enable financial incentives for the voluntary inclusion of software supply chain risk management products, processes, and procedural improvements, in accordance with the NIST Cybersecurity Framework, V1.1, referred to as the “NIST Framework Approach.” If FERC adopts these recommendations in its final order, such investments will be eligible for incentive-based rate treatment.
This is where the Software Bill of Materials (SBOM) comes into play.
While an SBOM is a relatively new concept within the software development and security operations domains, the Bill of Materials concept has been broadly implemented in other industries for decades; food labeling standards are one example. An SBOM is analogous to a food label, listing the ingredients contained in a product. By itself, this “ingredients list” provides very little value. The real benefits and value of SBOM information are only realized when the information is applied in practice to detect risks, or for asset management, license management and other use cases.
SBOM information can help electric utilities perform both proactive and reactive cybersecurity protections. Proactively, risk assessment control functions can identify risks and threats in a software object before any attempt at installation, preventing bad software from being installed where it could carry out its malicious intent. Reactively, SBOMs enable companies to respond quickly to new threats by examining the inventory of software objects installed within their digital ecosystem, using the SBOM data collected for those installed objects, to determine their exposure to newly discovered vulnerabilities and risks.
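The reactive use case just described, as an added example written for this article (not code from either author's company): a newly published advisory names one component, and the SBOMs collected for installed software objects are searched to find which objects are affected. The SBOM entries, asset names and advisory identifier are all constructed; a component whose SBOM omits the version cannot be cleared and is reported as unknown.

```python
"""Reactive SBOM use: find installed software objects that carry a
component named in a new advisory. SBOMs and advisory are constructed."""
import json

# Constructed, CycloneDX-style SBOMs for three installed software objects.
# Only the fields needed here are included; a real SBOM carries many more.
INVENTORY = {
    "grid-hmi-1.4": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml-parse", "version": "2.9.4"},
        {"name": "netlog", "version": "1.2.0"}]}),
    "meter-gateway-3.0": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml-parse"},               # version omitted by vendor
        {"name": "netlog", "version": "1.2.0"}]}),
    "substation-rtu-2.2": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml-parse", "version": "2.10.1"}]}),
}

# Constructed advisory (placeholder id): libxml-parse below 2.10.0 is affected.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "component": "libxml-parse",
            "fixed_in": "2.10.0"}


def parse_version(text):
    """Turn '2.9.4' into (2, 9, 4) so versions compare numerically.
    Assumes purely numeric dotted versions, which the constructed data uses."""
    return tuple(int(part) for part in text.split("."))


def exposure(inventory, advisory):
    """Return [(asset, component, version, status)] for each installed object
    that contains the advisory's component and is not known to be fixed.
    status is 'affected' (version below fixed_in) or 'unknown' (no version)."""
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for asset, raw_sbom in inventory.items():
        sbom = json.loads(raw_sbom)
        for comp in sbom.get("components", []):
            if comp.get("name") != advisory["component"]:
                continue
            version = comp.get("version")
            if version is None:
                hits.append((asset, comp["name"], None, "unknown"))
            elif parse_version(version) < fixed:
                hits.append((asset, comp["name"], version, "affected"))
    return hits


if __name__ == "__main__":
    for hit in exposure(INVENTORY, ADVISORY):
        print(ADVISORY["id"], *hit)
```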
In addition, electric companies can improve their cybersecurity protections by implementing software supply chain risk management best practice solutions, such as those provided by the SCRM Filing Parties. An SBOM is an essential and critical component of these SCRM solutions. SBOM adoption by software vendors has lagged behind other priorities in their software development life cycle (SDLC), such as adding new features, functions and “bug fixes”.
It’s All About Trust
Establishing trust in a software supply chain requires a foundation of trust that is based on proven cryptographic methods and credentialed parties that are properly vetted and approved by a trustworthy authority. With that in mind, another step electric utilities can take is to work with trustworthy Certificate Authorities that issue code signing digital certificates compliant with the CA/Browser Forum Baseline and Extended Validation standards. These certificates are the cornerstone of the chain of trust needed to ensure the authenticity and integrity of SBOMs, by applying digital signatures using the certificates issued by these trustworthy CAs. There are many trustworthy Certificate Authorities (CAs) in operation. Some of these CAs have achieved accreditation status within the electric industry by meeting specific requirements.
The recommendations we’ve put forth are intended to help government, commercial and other entities, proactively identify software supply chain risks before a software object is installed in a critical system.
This is quite achievable. The production, delivery and use of an SBOM for ongoing software supply chain risk management functions among software vendors and their customers will make a positive difference: fewer cybersecurity incidents, and even when they do occur, there will be greater insight, leading to faster recovery times.
About The Authors
Dick Brooks is a Co-Founder of Reliable Energy Analytics LLC and Lead Software Engineer responsible for the patent-pending Software Assurance Guardian Point Man™ (SAG-PM™) software supply chain risk assessment application that processes both SPDX and CycloneDX SBOM formats, supported by the Department of Commerce NTIA SBOM initiative.
Lila Kee is the General Manager for GlobalSign’s North and South American operations, as well as the company’s Chief Product Officer. She has more than two decades of encryption and identity experience from working at GlobalSign, GeoTrust and RSA.