Note from Tom: I haven’t mentioned it for a few months, but I’m still working on a book, tentatively titled “Supply chain cybersecurity for critical infrastructure”, with Steven Briggs. The book is going well and we hope to publish it by late January. This is the text of an appendix to the chapter on contract language. Note that I didn’t bother to remove references to other chapters, etc.
In early 2019, the Edison Electric Institute (EEI) issued a
document entitled “Model Procurement Contract Language Addressing Cybersecurity
Supply Chain Risk”. In May 2020, EEI released version 2.0 of this document,
which remains the current version as of the writing of this Chapter. Many NERC
entities have paid close attention to this document, although the authors do
not know how many have actually decided to include it in contracts for
Procurements of BES Cyber Systems and related Products and Services.
There are six sections in the document, addressing the six
requirement parts of CIP-013-1 R1.2.1 – R1.2.6; each of those sections is
called a “term”, although as we will discuss below, each section in fact
contains many additional terms that should be each negotiated separately (if
they are in fact really needed at all), not together with many others. While
the authors admire the work that was put into preparing this document, we believe
that no NERC Entity should incorporate even one of the six terms into their
contracts in its entirety, without first considering two points we made earlier
in this Chapter:
1.
Every term that you propose for a contract with
a Vendor or Supplier should be based on a Risk that you have identified as part
of the process described in Chapter xx “Identifying Risks”. Moreover,
each term should address only one Risk.
2.
If in your reading you identify a particular
term that you would like to include in your contracts, yet there currently is
no Risk that corresponds to it, you should first reword the term into a Risk,
then add this to your existing list of Risks. Only after that has been done
should you add the term to your contract. You need to do this so that you can
keep track of the number of Risks that you are actually addressing in your
CIP-013-1 compliance program. If you adopt the EEI document in its entirety,
you will be adding 40-60 new Risks (by the authors’ estimate) to your CIP-013-1
program.
Remember, for every Risk on your list, you need to a) take
steps to assess the Likelihood of the Risk being present in the Supplier’s or
Vendor’s environment, usually through a question on a questionnaire; and b)
take steps to ensure the Vendor mitigates that Risk, first by obtaining their
commitment to do so (in contract terms or via other means like a letter or phone
call – which you document afterwards) and second by following up to make sure
they keep their commitment.
The main problem with the contract language in the EEI
document is that it goes well beyond what is required to address the specific
Risks addressed in CIP-013-1 R1.2.1 through R1.2.6. Remember that each “extra”
term you require a Vendor to include a) leads to additional legal time and effort,
since the vendor is almost always guaranteed to want to negotiate any contract
term that you require of them; b) requires you to take steps to verify the
vendor is in fact complying with the term; and c) puts you at compliance risk
if you do not monitor the Supplier’s compliance with every cybersecurity term
in their contract, and follow up to make sure the Supplier complies with each
one.
Here is just the first section of the term for R1.2.5, which
is titled “Hardware, Firmware, Software, and Patch Integrity and Authenticity”:
(a) Contractor shall establish, document, and implement risk
management practices for supply chain delivery of hardware, software (including
patches), and firmware provided under this Agreement. Contractor shall provide
documentation on its: chain-of-custody practices, inventory management program
(including the location and protection of spare parts), information protection
practices, integrity management program for components provided by
sub-suppliers, instructions on how to request replacement parts, and
commitments to ensure that for [negotiated time period] spare parts shall be
made available by Contractor.
(b) Contractor shall specify how digital delivery for
procured products (e.g., software and data) including patches will be validated
and monitored to ensure the digital delivery remains as specified. If Company
deems that it is warranted, Contractor shall apply encryption technology to
protect procured products throughout the delivery process.
(c) If Contractor provides software or patches to Company,
Contractor shall publish or provide a hash conforming to the Federal
Information Processing Standard (FIPS) Security Requirements for Cryptographic
Modules (FIPS 140-2) or similar standard information on the software and
patches to enable Company to use the hash value as a checksum to independently
verify the integrity of the software and patches.
(d) Contractor shall identify or provide Company with a
method to identify the country (or countries) of origin of the procured
Contractor product and its components (including hardware, software, and
firmware). Contractor will identify the countries where the development,
manufacturing, maintenance, and service for the Contractor product are
provided. Contractor will notify Company of changes in the list of countries
where 11 product maintenance or other services are provided in support of the
procured Contractor product. This notification in writing shall occur at least
180 days prior to initiating a change in the list of countries.
(e) Contractor shall provide a software bill of materials for
procured (including licensed) products consisting of a list of components and
associated metadata that make up a component.
(f) Contractor shall use or arrange for the use of trusted
channels to ship procured products, such as U.S. registered mail and/or
tamper-evident packaging for physical deliveries.
(g) Contractor shall demonstrate a capability for detecting
unauthorized access throughout the delivery process.
(h) Contractor shall demonstrate chain-of-custody
documentation for procured products as determined by Company in its sole
discretion and require tamper-evident packaging for the delivery of this
hardware.
This is followed by four other sections, three of which are of
almost equal length to the first one. They are titled “Patching Governance”,
“Viruses, Firmware and Malware”, “End of Life Operating Systems” and
“Cryptographic Requirements”. Remember,
all of this is in theory included to address just Requirement Part 1.2.5, which
contains about 25 words in total.
One interesting thing the authors have noticed is that in
EEI’s entire term for R1.2.5, there seems to be no requirement for the Supplier
to provide a means of verifying software authenticity – usually a digital
signature – although there is a requirement to verify integrity using a hash
value. This omission is very puzzling, since this is the single best Mitigation
for the Risk addressed in R1.2.5. So the EEI term for R1.2.5 seems to address at
least 40 cybersecurity Mitigations, but not the one that is most essential for
compliance with R1.2.5!
On the other hand, we also want to point out that there
are many provisions within the EEI document which, even though they do not
directly address the two Risks behind R1.2.5 (lack of software authenticity and
integrity), nevertheless do address important Risks. Perhaps our favorite is
this provision, found in the “Patch Governance” section of the R1.2.5 term:
(e) When third-party hardware, software (including
open-source software), and firmware is provided by Contractor to Company,
Contractor shall provide or arrange for the provision of appropriate hardware,
software, and/or firmware updates to remediate newly discovered vulnerabilities
or weaknesses, if applicable to the Company’s use of the third-party product in
its system environment, within 30 days of availability from the original
supplier and/or patching source. Updates to remediate critical vulnerabilities
applicable to the Contractor’s use of the third-party product in its system
environment shall be provided within a shorter period than other updates,
within [a negotiated time period (e.g., 30, 60, or 90 days)] of availability
from the original supplier and/or patching source. If applicable third-party
updates cannot be integrated, tested, and made available by Contractor within
these time periods, Contractor shall provide or arrange for the provision of
recommended mitigations and/or workarounds within 30 days.
Note that this specifically applies to software components.
The authors believe it is the first explicit acknowledgement from a power
industry organization of the Risks posed by software components. What is the
most important prerequisite for monitoring the Supplier’s compliance with this
provision? Software
bills of materials![i]
It is tempting to say “Well, all of the provisions required
in this term are certainly best practices.” That is correct. However, this
overlooks the fact that each of the 40-60 provisions in this term should be
treated as a separate Risk; and if your organization does not in fact consider
each one of these to be a Risk, why are you asking the Supplier to agree to all
of these provisions in their contract? As we discussed earlier in this Chapter,
you should never ask a Supplier to comply with a contract term – or even ask
them a question in a questionnaire – if it does not address a Risk that your
organization has identified as important. If the term does not address an
important Risk, why are you requiring the term in the first place, especially
given how expensive it is to negotiate any contract term?
EEI’s R1.2.5 term requires far more than what CIP-013-1 R1.2.5
itself requires, which is for the Supplier or Vendor to provide a means to
verify authenticity and integrity of downloaded software and patches. For
example, just paragraph (a) above requires the Supplier to agree to the
following provisions, none of which have any direct bearing on software
integrity or authenticity:
1.
Chain-of-custody practices;
2.
Inventory management program (including the
location and protection of spare parts);
3.
Information protection practices;
4.
Integrity management program for components
provided by sub-suppliers; and
5. Commitments to ensure that, for a negotiated time period, spare parts will be made available by the Contractor.
These provisions are all just in the first paragraph of the
first section of the R1.2.5 contract term. There seem to be over ten additional
provisions in the first section. Plus there are four more sections in just the
R1.2.5 term, with probably 40-60 total provisions in this one term.[ii] None
of these have any direct connection to software integrity and authenticity.
Remember, each one of these provisions must be negotiated
back and forth between you, your lawyers, the Supplier’s lawyers, and the
Supplier’s product and technical teams. Supplier or Vendor lawyers will almost
never accept a new contract term – that’s not already part of their “standard”
contract – without putting up a fight. If you assume there will be at least five
hours of legal back-and-forth required for each provision in the term, the
contract negotiation for this single term (R1.2.5) will require at least
200 hours of time, or $20,000 at $100 per hour, since the authors believe there
are at least 40 implicit provisions in EEI’s R1.2.5 term.
For example, let’s look at the first of the provisions
listed above: chain-of-custody practices. This refers to the Risk that a
hardware Product will be hijacked at some point in the process of shipment to
the customer and a counterfeit Product with malware inserted will be
substituted (or maybe the original Product will be opened and a counterfeit hardware
component with malware will be inserted). This is certainly a valid Risk, but
is it a likely one? It might be, but that is for your organization to decide.
If you decide that the Likelihood of this Risk occurring for this Supplier is
high, then by all means you might want to include this provision in your
contract.[iii]
However, in the authors’ opinion, each provision should be introduced
as a separate term, not included in a single term with 59 other provisions. In
this case, the term might read “You will provide our organization with
chain-of-custody records for any shipment of a hardware Product to us.” That
way, the term can be addressed on its own merits in your negotiations. Perhaps
the Supplier’s lawyers will say “We can absolutely provide chain-of-custody
information for every shipment. But this will make the shipment more expensive
by a factor of X (e.g. 50%).” At that point, you and your legal team will be
able to make the decision whether or not this term is worth including in the
contract, given the tradeoff between cost and risk reduction. If this provision
is included in a single term with 40-60 others (as in the case of the EEI
term), it is very hard, if not impossible, to make decisions like this.
However, negotiating the contract is just the beginning of
what your organization will need to do to address each term that you have been
able to include in the contract. Using the above example, you also need to
follow up with the Vendor to make sure they have done what they promised to do.
You will need to make sure that the Vendor provides chain-of-custody data for
every shipment to your organization. And if you find that in any shipment, they
have not done this, you will need to contact them to either get the
documentation or reprimand them for not collecting chain-of-custody information
for this particular shipment.
Moreover, if your organization has to comply with NERC
CIP-013-1, you will need to make sure you have documentation that the Vendor
provided chain-of-custody data for every shipment to you – and that if they did
not do this for a shipment, you followed up with them to request it. Of course,
you will not be in violation of CIP-013-1 if the Vendor did not provide the
data even after you contacted them, or if they told you that in this case they
had neglected to obtain that information. However, if you did not even follow
up with them about this matter, then you might well be found in violation,
because your supply chain cybersecurity risk management Plan said – or should
have said – that you will follow up in any case where the Vendor or Supplier
does not fulfill a provision they agreed to.
To summarize this Appendix, you need to be very careful about requiring that Suppliers or Vendors comply with the EEI contract terms, because they go far beyond what Requirement Parts R1.2.1 – R1.2.6 require. You need to look at each of the provisions in each of the terms and decide whether or not the Risk that it addresses has a high Likelihood of being present with a Supplier or Vendor. If the Likelihood is high, this might justify your going through the expense of time and money required to negotiate that particular provision, and then following up later on with the Supplier or Vendor to make sure they actually do what they agreed to. And if you do not believe the Risk addressed by a provision is important enough to warrant the required time and expense of including it in the contract, then by all means you should not ask the Supplier to agree to it in the first place.
[i] Note that there is an explicit requirement for SBoMs in paragraph (e) of the excerpt earlier in this Appendix. Tom has been told that NERC entities are getting a lot of pushback from Suppliers on this particular requirement. This is understandable, given that there are many questions about how SBoMs will be produced, managed and implemented. The answers to most of these questions will hopefully be clarified in the upcoming proof of concept for use of SBoMs in the electric power industry.
[ii] There are some very technical requirements embedded in this term, like:
(i) The system implementation
includes the capability for configurable cryptoperiods (the life span of
cryptographic key usage) in accordance with the Suggested Cryptoperiods for Key
Types found in Table 1 of NIST 800-57 Part 1, as may be amended.
(ii) The key update method supports
remote re-keying of all devices within [a negotiated time period(s)] as part of
normal system operations.
(iii) Emergency re-keying of all devices can be remotely performed within 30 days.
Just complying with these three requirements will place a big burden on the Supplier. As with all requirements you place on a Supplier, you need to assume there will be some cost to their complying with every term. You also have to assume that your organization will end up paying that cost in one way or another. As Tom’s former economics professor Dr. Milton Friedman always said, “There is no such thing as a free lunch.”
[iii] Note that the Likelihood of this Risk occurring for a software Supplier is zero, since chain-of-custody only applies to physical shipments. It has been a long time since a Supplier needed to ship you a box, in order for you to be able to install software that you have paid for!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.