I recently received the good news that I’ll be participating in the RSA Conference again next year. As I was this year, I’ll be one of three panelists on a panel – our topic will be “Supply Chain Security for Critical Energy Infrastructure”. This year the conference is from March 4-8; as always, it’s at the Moscone Center in San Francisco. Our panel is on Wednesday March 6 from 8:00-8:45 in Moscone South 204 (it doesn’t appear on the conference website yet, but will soon).
This year’s session was well received, with a lot of good audience interaction – and that’s good, because the three panelists are all returning next year, although the moderator is different. The topic this year was “How can we regulate critical energy infrastructure”. However, based on audience questions, the session turned into a very good discussion about grid security in general – and there’s nothing wrong with that!
This year, the panelists, besides me, will be Marc Sachs, former NERC CSO and head of the E-ISAC, and Dr. Art Conklin of the University of Houston, noted author and speaker on ICS security for the energy industry. The moderator will be Sharla Artz, VP of Government Affairs, Policy and Cybersecurity for the Utilities Technology Council. Here is our description of the session:
The purpose of this panel is to have an interactive dialogue between panelists and audience members on some important questions regarding supply chain cyber security for critical energy infrastructure (CEI). We will pose a series of questions, and as each question is asked, both panelists and audience members will be able to respond. While it is unlikely that a definitive answer will be reached on any of these questions, it is important to hear as many different answers as possible!
The panelists will bring a diverse set of perspectives to this discussion, based on their backgrounds in electric power, natural gas, water, petroleum refining and transport, and chemicals. It is hoped that audience members will bring many other perspectives to the discussion, especially if they are from other industries – finance, insurance, retailing, etc. – in which supply chain security is as important as it is in critical energy infrastructure.
The session will open with examples from the panelists of supply chain risks to energy systems. After that, possible questions to discuss include:
- What are currently the primary vectors for supply chain cyber attacks?
- How can we put in place a program to manage supply chain cyber risk?
- How can CEI organizations gain assurance that vendors have good cyber security practices in place? Do most other organizations require assessment or certification by an outside party, or are there alternative means to gain this assurance?
- What usable controls frameworks are available to help my organization understand supply chain cyber security risks?
- What is the role of contract language? Is it a) always, b) sometimes or c) never advisable to insist that the vendor agree to certain contract terms?
- We will have to comply with NERC CIP-013, which requires that we develop a supply chain cyber security risk management plan. How does the plan we need to develop for CIP-013 compliance differ from the plan that we would develop if we were addressing supply chain cyber risk in the absence of regulation?
I hope to see you there!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.