Friday, November 1, 2019

How does SEL address supply chain vulnerabilities?


As I’ve already mentioned, I was quite pleased with how the panel discussion that I moderated at GridSecCon last week turned out. I received lots of good feedback and compliments. The topic of the panel was – of course – supply chain security threats, and we had quite a distinguished group of presenters. One of them was Dave Whitehead, Chief Operating Officer of Schweitzer Engineering Laboratories.

The biggest problem I had with the panel was that, except for whatever notes people took while we were talking and answering questions, there was no record of what was said. I’ve appeared on a panel – the same three people – at RSA Security Conference this year and last, and both times the session was recorded and posted on the RSAC website (although both recordings seem to have been taken down now, as part of some sort of reorganization of the website. Maybe they ought to just outsource the whole site to YouTube).

I would like to see the E-ISAC post recordings for the panels at GridSecCon next year; it’s a little discouraging to know that whatever you say is floating out into the ether, never to be heard again. Slides from individual presentations are posted on the website, but the problem is that the panels are only allowed one slide per person, which doesn’t tell you much.

To preserve at least some of what the panelists said – both in their initial four-minute presentations and in their answers to questions from the audience – I asked them all afterwards to provide me with some written record of both their presentation and their answers. But I also suggested they could go beyond what they actually said, if they’d like. They addressed a lot of interesting topics, and they might want to expand on what they actually said. I said I’d post all of these in my blog.

So far, three of the five panelists have taken me up on this (and if the other two don’t do it, that’s fine. I know that people are busy, and they didn’t sign up for doing this when they accepted the invitation to speak). I’ll publish two of them next week, but now I’m posting what Dave Whitehead sent me (this is verbatim what he sent, although I’ve made a few formatting edits). 

I found Dave’s summary to be a great guide to how a quality company secures their own supply chain – and some of these could be considered best practices for electric utilities as well. And by the way, we were extremely pleased that Dave decided to make the long flight from Pullman, WA to Atlanta to speak at GridSecCon. It’s not like he doesn’t have anything else to do with his time…


How does SEL address supply chain vulnerabilities?
Introductory Remarks by Dave Whitehead
At SEL, our supply chain is global and complex. We take a comprehensive approach to securing every facet of our supply chain – from the moment we bring on a new supplier through the lifecycle of the products we deliver to our customers.
There are eight (8) pillars that we constantly assess to ensure a dependable supply chain:

1: Build Trusted Supply Networks
  • We hold an annual supplier conference at our HQ in Pullman, WA, bringing in more than 200 companies that we source components and products from to share our technical needs and strategic objectives for the coming year.
  • Conduct regular ON-SITE audits of our suppliers.
  • And since we invent, design, and manufacture all our products here in the U.S. (Pullman, Lewiston, and Lake Zurich), we NEVER share our bills of materials or design schematics in order to avoid disclosing vendor product and part information. 
2: Rate Suppliers Risks
  • We have a custom supplier rating system that we call PQFIDS – price, quality, features, innovation, delivery, and service.
  • We also evaluate our suppliers’ suppliers, and to the greatest extent possible, we source within the U.S. – even if it costs more. 
3: Ensure Component Integrity
  • SEL verifies the performance of ALL purchased components against our supplier product specs.
  • We continuously test our products throughout the manufacturing process.
  • We take additional steps to ensure the integrity of the components in our products. For example, we use x-rays, inspect packaging, and consult the manufacturer’s design drawings. (I invite anyone who wants to come to our HQ in Pullman to visit and check out our x-ray machines, manufacturing operations, and R&D facilities). 
4: Keep Track of Components and Products
  • This is simple enough. We keep a detailed record of every product we manufacture so that we know exactly where our products are installed, making it easy to notify our customers about potential quality or security issues.
  • We have an outstanding warranty that is essentially good for the lifetime of the product at no cost. Outstanding warranties encourage customers to return products if there is an issue, which in turn allows our engineers to learn how to make our products even better. 
5: Ensure Component Availability
  • With our detailed record keeping of products we manufacture, we are able to quickly identify which parts are at risk of becoming depleted – for example, in the wake of the 2011 Japanese earthquake, we identified the products that were at risk, purchased additional inventory, and continued to provide products to our customers around the world. 
6: Collaborate with Customers and Industry
  • We encourage customer inspection and feedback. And we invite our customers to tour and observe our manufacturing facilities and processes.
  • We participate in various government-led initiatives and standards development activities so we can be aware of the current best practices of others and contribute our best practices.
7: Build Security into Company Practices
  • We own every line of source code, and do not share outside of SEL.
  • We have robust testing practices onsite at SEL, by SEL employees.
  • Our projects are compartmentalized, on a need-to-know basis.
  • We embrace simplicity of design to create resilient control systems and product architectures.
  • Cybersecurity is embedded from the earliest stages of product development, not on the back end. We START with cybersecurity. We enforce strict security practices for our employees and visitors.
  • We get to the root cause on every failure, because every single one is significant. 
8: Ongoing Risk Management
  • At SEL, our executives are constantly monitoring for emerging risks and threats to our supply chain. It is part of our daily lives.
  • We develop the majority of the software our products use, and if we use third-party software, we always acquire the source code.
  • SEL makes many of our product components in-house. This type of vertical integration allows for high quality products and sustained growth in product expertise.

Questions from GridSecCon Supply Chain Panel
1. Q: I was told that SEL is concerned about counterfeit equipment. Is this true? How would a customer avoid purchasing counterfeit equipment?

A: We have very little concern that our customers will receive counterfeit equipment, because all our products are invented, designed, and manufactured at SEL, and shipped directly from SEL. So this is very little concern for us.

If by chance you receive a counterfeit SEL product, it is probably because you ordered it off of eBay or some other internet website and did not purchase directly from SEL. And if that is the case, I have to wonder what on earth you are doing ordering critical infrastructure equipment off of eBay?!

2. Q: How can we assure that equipment isn’t tampered with while being delivered?

A: SEL provides serial numbers for products and firmware version numbers for code that goes into our electronic devices. Along with the firmware version we provide a cryptographic hash, e.g. a unique digital fingerprint, of the firmware image. The hash allows customers who receive firmware from SEL to independently verify the firmware sent by SEL hasn’t been modified.
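
The customer-side check described in the answer above, as an added example (it is not SEL's tooling and not part of what Dave sent): it streams a firmware file through a hash and compares the result with the published value. SHA-256, the hex format of the published hash, and every function and file name here are assumptions; the post does not name the algorithm.

```python
import hashlib
import os
import tempfile

ALGORITHM = "sha256"  # assumption: the post does not say which hash is published


def file_digest(path, algorithm=ALGORITHM, chunk_size=1 << 20):
    """Hash the file in chunks so a large image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_published(value, algorithm=ALGORITHM):
    """Clean up a hash copied from a release note; reject truncated or non-hex input."""
    cleaned = "".join(value.split()).replace(":", "").lower()
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(cleaned) != expected_len or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"published value is not a full {algorithm} hex digest")
    return cleaned


def verify_firmware(path, published_hash, algorithm=ALGORITHM):
    """True only if the file's digest equals the complete published digest."""
    return file_digest(path, algorithm) == normalize_published(published_hash, algorithm)


def demo():
    # Constructed sample data: a fake image and the hash a vendor would publish for it.
    image = b"CONSTRUCTED-FIRMWARE-IMAGE v1.0\n" * 4096
    published = hashlib.sha256(image).hexdigest().upper()
    tampered = bytearray(image)
    tampered[100] ^= 0x01  # a single flipped bit somewhere in transit
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "fw_received.bin")
        bad = os.path.join(d, "fw_modified.bin")
        with open(good, "wb") as f:
            f.write(image)
        with open(bad, "wb") as f:
            f.write(bytes(tampered))
        return verify_firmware(good, published), verify_firmware(bad, published)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the source of the published hash, so take it from a channel separate from the one that delivered the firmware file.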
  

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.

