Yesterday, Tobias Whitney of Fortress Information Security introduced to the NERC Supply Chain Working Group a white paper entitled “Enhancing Cybersecurity Best Practices with Software Bill of Materials (SBOM)”. This is a well-written paper that discusses how utilizing supplier-provided SBOMs for cyber risk management purposes can help an electric utility (or other power market participant, such as an IPP) in its many cybersecurity compliance obligations, both those imposed by NERC/FERC (i.e. the NERC CIP standards) and those that may be “imposed” by the utility itself, such as NIST 800-53, NIST 800-171 (CMMC), and the National Defense Authorization Act (NDAA).
Fortress doesn’t pretend that SBOMs are a requirement for compliance with any of these standards; in fact, none of these standards even mentions SBOMs. However, the paper identifies particular requirements in each standard whose purpose could be better fulfilled with SBOMs than otherwise. In other words, Fortress asks, for each of these requirements, “Can SBOMs help utilities address the best practice that is the goal of this requirement? If so, how?”
For example, for NERC CIP-007-6 R2 (which had never occurred to me to be one in which SBOMs might help), Fortress points out that having a recent SBOM from the supplier would help the utility “evaluate security patches for applicability”, as required by R2.2, as well as evaluate the security impact of applying the patch.
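To make the patch-applicability point concrete, here is an added example (mine, not Fortress’s or the white paper’s) of the check a utility could automate once it holds a supplier SBOM: for each security advisory, find the named component in the SBOM, test whether the shipped version falls in the affected range, and then consult any supplier VEX statement for the product before deciding whether the patch is applicable under CIP-007 R2.2. The SBOM, the advisory records (placeholder ids, not real CVEs), the component names and the VEX statements are all constructed for illustration; the SBOM shape is a CycloneDX-like subset, and the VEX status and justification vocabulary follow the values in common use, with the rest of the schema simplified.

```python
"""Added example: deciding patch applicability from an SBOM plus advisories
and supplier VEX statements. All data below is constructed; the advisory
ids are placeholders, not real CVEs."""

from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version ("1.2.3") into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


# Constructed SBOM (CycloneDX-like subset; not a real product).
SBOM = {
    "metadata": {"component": {"name": "relay-manager", "version": "5.2.0"}},
    "components": [
        {"name": "example-tls", "version": "1.2.3"},
        {"name": "acme-logger", "version": "3.0.0"},
        # A second copy of the same library bundled by another module;
        # SBOMs routinely show the same component more than once.
        {"name": "example-tls", "version": "1.2.7"},
    ],
}

# Constructed advisories with placeholder ids. "introduced" is inclusive,
# "fixed" is exclusive, matching the usual affected-range convention.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "example-tls",
     "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "ADV-PLACEHOLDER-2", "component": "acme-logger",
     "introduced": "2.0.0", "fixed": "2.9.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "example-tls",
     "introduced": "1.2.0", "fixed": "1.3.0"},
]

# Constructed supplier VEX statements (simplified schema). The status and
# justification strings follow the common VEX vocabulary.
VEX = [
    {"advisory": "ADV-PLACEHOLDER-3", "product": "relay-manager@5.2.0",
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def vex_statement_for(advisory_id: str, product: str, vex: list) -> Optional[dict]:
    for stmt in vex:
        if stmt["advisory"] == advisory_id and stmt["product"] == product:
            return stmt
    return None


def evaluate_patch_applicability(sbom: dict, advisory: dict, vex: list) -> dict:
    """Return a record explaining whether the advisory's patch applies to the
    product described by the SBOM, and why."""
    top = sbom["metadata"]["component"]
    product = f'{top["name"]}@{top["version"]}'
    matches = [c for c in sbom["components"] if c["name"] == advisory["component"]]
    vulnerable = [c["version"] for c in matches
                  if version_in_range(c["version"], advisory["introduced"], advisory["fixed"])]
    result = {
        "advisory": advisory["id"],
        "component_present": bool(matches),
        "vulnerable_versions": vulnerable,
        "vex_status": None,
        "patch_applicable": False,
        "reason": "",
    }
    if not matches:
        result["reason"] = "component not in SBOM"
        return result
    if not vulnerable:
        result["reason"] = "shipped versions are outside the affected range"
        return result
    stmt = vex_statement_for(advisory["id"], product, vex)
    if stmt is None:
        # Vulnerable version present and the supplier has said nothing:
        # the conservative reading is that the patch applies.
        result["patch_applicable"] = True
        result["reason"] = "vulnerable version present and no VEX statement"
        return result
    result["vex_status"] = stmt["status"]
    if stmt["status"] in ("not_affected", "fixed"):
        result["reason"] = (f'supplier VEX says {stmt["status"]} '
                            f'({stmt.get("justification", "no justification given")})')
    else:  # "affected" or "under_investigation"
        result["patch_applicable"] = True
        result["reason"] = f'supplier VEX status is {stmt["status"]}'
    return result


def evaluate_all(sbom: dict = SBOM, advisories: list = ADVISORIES, vex: list = VEX) -> dict:
    return {a["id"]: evaluate_patch_applicability(sbom, a, vex) for a in advisories}


if __name__ == "__main__":
    for adv_id, r in evaluate_all().items():
        verdict = "applicable" if r["patch_applicable"] else "not applicable"
        print(f"{adv_id}: {verdict} - {r['reason']}")
```

The record returned for each advisory, rather than a bare yes/no, is what matters for compliance: it is the evidence that the applicability evaluation was actually performed and on what basis (component absent, version outside the range, or a supplier VEX justification), which is the kind of artifact an auditor would expect to see for R2.2.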
I recommend that you download and read this excellent paper.
Also, I recommend that you attend the bi-weekly SBOM Energy PoC meeting tomorrow (Wednesday, October 20) at noon ET. No sign-up is required, although if you’re not already on the PoC mailing list, I recommend you join it by sending a request to sbomenergyPOC@inl.gov. The URL for the meeting is here.
The topic of tomorrow’s meeting will be VEX, the “companion” document to SBOMs which now seems as important as SBOMs themselves. Dr. Allan Friedman of CISA, leader of the Software Component Transparency Initiative, will describe why VEX was developed in the first place, as well as how it works. There should be ample time for Q&A.
See you tomorrow!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.