RSA 2019

I recently received the good news that I’ll be participating in the RSA Conference again next year. As I was this year, I’ll be one of three panelists on a panel – our topic will be “Supply Chain Security for Critical Energy Infrastructure”. This year the conference is from March 4-8; as always, it’s at the Moscone Center in San Francisco. Our panel is on Wednesday March 6 from 8:00-8:45 in Moscone South 204 (it doesn’t appear on the conference website yet, but will soon).

This year’s session was well received, with a lot of good audience interaction – and that’s good, because the three panelists are all returning next year, although the moderator is different. The topic this year was “How can we regulate critical energy infrastructure”. However, based on audience questions, the session turned into a very good discussion about grid security in general - and there’s nothing wrong with that!

This year, the panelists, besides me, will be Marc Sachs, former NERC CSO and head of the E-ISAC, and Dr. Art Conklin of the University of Houston, noted author and speaker on ICS security for the energy industry. The moderator will be Sharla Artz, VP of Government Affairs, Policy and Cybersecurity for the Utilities Technology Council. Here is our description of the session:

The purpose of this panel is to have an interactive dialogue between panelists and audience members on some important questions regarding supply chain cyber security for critical energy infrastructure (CEI). We will pose a series of questions, and as each question is asked, both panelists and audience members will be able to respond. While it is unlikely that a definitive answer will be reached on any of these questions, it is important to hear as many different answers as possible!

The panelists will bring a diverse set of perspectives to this discussion, based on their backgrounds in electric power, natural gas, water, petroleum refining and transport, and chemicals. It is hoped that audience members will bring many other perspectives to the discussion, especially if they are from other industries – finance, insurance, retailing, etc. – in which supply chain security is as important as it is in critical energy infrastructure.

The session will open with examples from the panelists of supply chain risks to energy systems. After that, possible questions to discuss include:

• What are currently the primary vectors for supply chain cyber attacks?
• How can we put in place a program to manage supply chain cyber risk?
• How can CEI organizations gain assurance that vendors have good cyber security practices in place? Do most other organizations require assessment or certification by an outside party, or are there alternative means to gain this assurance?
• What usable controls frameworks are available to help my organization understand supply chain cyber security risks?
• What is the role of contract language? Is it a) always, b) sometimes or c) never advisable to insist that the vendor agree to certain contract terms?
• We will have to comply with NERC CIP-013, which requires that we develop a supply chain cyber security risk management plan. How does the plan we need to develop for CIP-013 compliance differ from the plan that we would develop if we were addressing supply chain cyber risk in the absence of regulation?

I hope to see you there!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.