On September 17, Robert Walton of Utility
Dive published a well-researched article that asked the question why vendors weren’t invited for
the upcoming GridEx exercises. There
were quotations for and against the idea of vendors participating. One of the
“for” votes was from Nick Cappi of Hexagon PPM, who said "If we want
transformational events in improving the security of our critical
infrastructure, then we need to break down the silos of information and
obstacles to collaborate."
I was one of the “against” votes,
and was quoted as saying
"GridEx is an operational
exercise for responding to a hypothetical attack, so only the operators of the
[bulk electric system] can participate. When an attack happens, it's too late
[for] most vendors to be able to help — the software has already been
written, the control systems have already been developed, etc."
Of course, my point was that, when
it comes to a situation where the grid is being defended against a serious
attack, there’s very little that vendors can do – given the very short (in some
cases, literally infinitesimal) timeline for possible action.[i] If there’s a vulnerability in some software,
the software supplier can’t patch it in real time. If a router, server or any
hardware device is compromised, the best thing is usually to shut it down and
remove it from the network, not leave it operating and try to block or remove
the avenue of compromise.
But later I found myself thinking,
“You know, there really isn’t a lot of collaboration between electric utilities
and industry suppliers, to solve security problems they jointly face. It’s
certainly not as exciting as a 2 or 3-day exercise like GridEx, in which the
entire American way of life is assumed to be on the line. But it’s still very
important, and it can be quite satisfying to collaborate to find a solution to
a specific cybersecurity problem. Maybe the solution won’t make everybody happy,
but if it leaves everybody better off and no significant group worse off, that’s
something worth doing.”
I thought about the collaboration
that goes on between vendors and asset owners today. It seems the biggest
collaboration nowadays revolves around CIP-013 compliance. Of course, it’s the
utilities who have to comply, not the vendors. But CIP-013 won’t work if the
vendors refuse to cooperate in filling out questionnaires, improving their
practices when needed, etc. (fortunately, they do seem to be cooperating). This
is all good, of course, but collaboration on compliance, where the ultimate
goal is to help utilities pass audits, isn’t the same as collaboration on
security, where the goal is to find ways to make the power grid more secure.
I wondered, “What would be an
example of real security collaboration between vendors and asset owners?” Then
I realized that I’m involved in one right now: the Energy SBOM Proof of Concept. Here’s why we
started this initiative:
1.
There isn’t a huge
amount of disagreement in the cybersecurity community that one of the biggest
sources of cyber risk is software
supply chain risk.
2.
There also isn’t a
huge amount of disagreement – although there is some, I’ll admit – that software
bills of materials (SBOMs) are a crucial tool for mitigating software supply
chain risk. This is because, numerically speaking, there are many more
component vulnerabilities in the average software product, than there are
vulnerabilities in the relatively small amount of code that was actually
written by the company whose name is on the software.
3.
While the supplier bears
responsibility for preventing those vulnerabilities from appearing in the first
place, and fixing them when they do appear, the customer plays a crucial role,
too. They need to let the supplier know (in contract language where possible
and feasible, but that’s certainly not the only way to do it) that they want
component vulnerabilities fixed as fast as the supplier (usually) now fixes
vulnerabilities in their own code. Only an SBOM allows the customer to do that,
since that’s the only way they can track the supplier’s progress (or perhaps
lack thereof) in fixing component vulnerabilities.
4.
But if SBOMs are so
obviously a good thing, and if software suppliers are using them now for their
own risk management purposes (which they are, in large part), why aren’t they giving
them to their customers?
5.
The reason is there’s
still uncertainty about:
a.
The “rules of the road”
for production, distribution and use of SBOMs (as well as VEXes.
Just as SBOMs are crucial for enabling software supply chain cybersecurity,
VEXes are crucial for enabling SBOMs – and it turns out they’re good
for a lot more than that). These rules don’t need to be etched in stone and
handed down at the summit of Mt. Sinai, but they do need to be agreed upon
between suppliers and their customers. And not necessarily on a country-wide or
world-wide basis; on the basis of a particular industry or say one part of one
industry would be fine.
b.
Tools available to “ingest”
SBOMs, so that organizations can use them to learn about vulnerabilities found
in the components in the software they use.
c.
Services available to help
software-using organizations “consume” SBOMs and use them for vulnerability
management, the number one use case for SBOMs.
d.
Support for SBOMs from
the vendors of tools for vulnerability and configuration management.
As I said, large numbers of software
suppliers – including probably all of the bigger ones – are producing SBOMS for
their products now, and using them to manage their own product risk. For
example, tools that produce SBOMs will often search the NVD for vulnerabilities
that apply to components in the product, giving the supplier a chance either to
patch the vulnerabilities or replace a risky component with a less-risky one –
before they ship the product. On the consumption side, there’s very little in
the way of tools or services now. Fortunately, they’re on the way.
There are two goals of the energy
SBOM proof of concept. The first is education. While it’s certainly not necessary
for everyone who uses SBOMs to become an expert in them, it does help to have a
general understanding of what they are and how they’re put together. That’s why
the PoC is currently running “cooking
classes”, in which very knowledgeable – but accessible – SBOM practitioners
demonstrate how their tools work.
On September 22, Steve Springett, co-leader
of the OWASP project that developed and supports the CycloneDX format, demonstrated
production of an SBOM in that format, based on an open source project. It was a
great presentation, and the video should be up soon on the web site (along with the videos of most of
our meetings so far). On October 6, I believe Kate Stewart of the Linux
Foundation, who has been the leader of the SPDX project for a number of years
(SPDX and CycloneDX are the two “full-featured” SBOM formats. SPDX was just
designated an ISO standard), will provide a similar presentation using her
favorite format.
We’ll have other cooking classes –
including on VEXes – after that. We currently have over 200 people on our
mailing list for this track. You don’t have to be in the energy industry to attend
the education meetings – you just have to be a user of electricity.
The other track of our project has
been slower to start up, but we expect it will start in October. In this track
(the meetings for the two tracks are held every other week on alternating weeks),
individual asset owners will sign NDAs with individual suppliers. We currently
have about six asset owners and six suppliers interested in doing this. The
suppliers are all very large ones, whose products are widely used in the
electric power industry. The suppliers produce both intelligent devices and separately-installed
software.
Each supplier/asset owner pair
will decide on one or more products for their exchange. The supplier will
provide SBOMs and VEXes for those product(s), and the asset owner will consume
them. As I mentioned, the tools and services available on the consumption side are
much fewer than on the production side. However, both tools and services are
available, and an asset owner won’t be required to create their own software
tools to ingest and parse the SBOMs and VEXes.
So here’s where the cooperation
comes in: These exchanges won’t work unless the suppliers and asset owners can
agree on the rules for the road on SBOMs and VEXes: the fields included in the
documents, how the information will be extracted from the SBOMs and VEXes, how
that information will be integrated with current vulnerability management processes,
etc. As issues come up, the group will discuss them together. And as we learn
what works and what doesn’t, we’ll make that information available to the NTIA
initiative and to the general public (since every document the NTIA produces is
public).
And to be honest, this strikes me
as not a bad model for supplier/vendor cooperation in cybersecurity in general.
For example, it would be great if NERC put together a team of suppliers and
asset owners to work on a document on good security practices for suppliers.
However, that idea has been floated
a few times in the past few years, and it always runs into the same hurdle:
Everyone at NERC is sure it will never be allowed by the lawyers (although I
kind of doubt that they run to the lawyers every time questions like this come
up). The reason why they’re sure it won’t be allowed is that it could be seen
as providing compliance guidance on CIP-013. Providing guidance is a firm no-no
for employees of NERC and the Regional Entities.
Of course RE employees, including
auditors, provide compliance guidance all the time. But – except for one
employee of one of the RE’s, whom I have quoted many times in these posts – the
guidance is never written down and always delivered with the disclaimer that “These
are my personal opinions, not those of NERC or my Region.” And ironically, nobody
has ever been able to point out to me where in the NERC Rules of Procedure (or
even GAGAS) the ban on compliance guidance can be found. Nevertheless, it’s
firmly written in the mind of every NERC or Regional employee, even if they provide
guidance anyway. And in cases where NERC has provided real guidance on NERC CIP
– as in some of the Lessons Learned provided during the CIP v5 implementation
period – those were slapped down by the lawyers, and the documents were
withdrawn. The most egregious example of this had to do with the controversy
over the meaning of the word “programmable”.
So don’t look for much help from NERC
on the idea of a forum on supplier best practices. Who else might do this?
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. Nor
are they shared by the National Technology and Information Administration’s
Software Component Transparency Initiative, for which I volunteer as co-leader
of the Energy SBOM Proof of Concept. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.
[i] I
was referring to hardware and software vendors, though. As Ben Miller of Dragos
pointed out in the article, service vendors do participate behind the scenes
sometimes, since they can easily provide consultation to their utility clients
who are directly participating in GridEx.
No comments:
Post a Comment