Monday, January 23, 2023

The news from NERC and CycloneDX
In 2019, the NERC Supply Chain Working Group published six guidelines on supply chain cybersecurity for systems used for the reliable operation of the North American Bulk Electric System (BES). The papers were developed by separate working groups. I led two of those groups, which produced two of the guidelines.

Last year, we updated (or started to update) all six guidelines, and I led the groups that updated both of those documents. I’m pleased to announce that one of the two documents, Supply Chain Cyber Security Risk Management Lifecycle, was just published. The other one, Vendor Risk Management Lifecycle, is finished, but has to wait another three months before it’s officially approved. In the meantime, I will be glad to send anyone who wants to see it the final draft of the document; just email me.

Two other guidelines were just published: Supply Chain Secure Equipment Delivery, led by Wally Magda of WallyDotBiz LLC, and Risk Considerations for Open Source Software, led by George Masters of Schweitzer Engineering Labs. I want to point out that George is a real master of the subject of securing open source software. I know the guidelines I led are applicable to many industries, not just electric power; I’m sure this applies to the other two documents as well. So you don’t have to work for, say, Duke Energy to find these helpful. I can assure you a lot of work went into them!

I also want to point out that Steve Springett, Chair of the CycloneDX Core Working Group and one of the most creative (and impactful) people in the world of software supply chain security (including SBOMs, but in no way limited to them!), will be presenting a webinar on February 1 titled Understanding and Using the CycloneDX SBOM Standard. There’s a lot going on with CycloneDX nowadays, including support for both VEX and VDR (Vulnerability Disclosure Report), with a new version of the format coming out very soon. I’m looking forward to the webinar!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.