In 2019, the NERC Supply Chain Working Group published six guidelines on supply chain cybersecurity for systems used for the reliable operation of the North American Bulk Electric System (BES). The papers were developed by separate working groups. I led two of those groups, which produced two of the guidelines.
Last year, we updated (or started to update) all six guidelines, and I led the groups that updated both of those documents. I'm pleased to announce that one of the two documents, Supply Chain Cyber Security Risk Management Lifecycle, was just published. The other one, Vendor Risk Management Lifecycle, is finished, but has to wait another three months before it's officially approved. In the meantime, I will be glad to send anyone who wants to see it the final draft of the document; just email me.
Two other guidelines were just published: Supply Chain Secure Equipment Delivery, led by Wally Magda of WallyDotBiz LLC, and Risk Considerations for Open Source Software, led by George Masters of Schweitzer Engineering Labs. I want to point out that George is a real master of the subject of securing open source software. I know the guidelines I led are applicable to many industries, not just electric power; I'm sure this applies to the other two documents as well. So you don't have to work for, say, Duke Energy to find these helpful. I can assure you a lot of work went into them!
I also want to point out that Steve Springett, Chair of the CycloneDX Core Working Group and one of the most creative (and impactful) people in the world of software supply chain security (including SBOMs, but in no way limited to them!), will be presenting a webinar on February 1 titled Understanding and Using the CycloneDX SBOM Standard. There's a lot going on with CycloneDX nowadays, including support for both VEX and VDR (Vulnerability Disclosure Report), with a new version of the format coming out very soon. I'm looking forward to the webinar!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.