North American Electric Reliability Corporation’s supply chain regulations could cost millions for those out of compliance. Dick Brooks explains how this impacts third party software providers of NERC-related systems.
The stakes are high for energy companies acquiring third-party software. They face fines of up to $1 million per day if they’re found to be out of compliance with NERC’s newest supply chain risk management regulations.
In this interview, we ask Dick Brooks, co-founder and lead software engineer at Reliable Energy Analytics, about how developers are adhering to these guidelines, particularly those working on energy and ICS third party apps.
Q: Can you refresh us on requirements for software supply chain development?
The North American Electric Reliability Corporation defines the cyber security infrastructure protection standards for the energy industry. Last year, NERC’s software supply chain CIP standards went into effect, which require electric entities to verify the integrity and authenticity of a software package before making any baseline configuration changes. That means that NERC auditors will come on sight and look for evidence that companies are following these regulations and checking the authenticity of software suppliers before making any changes.
Q: What are the costs associated with noncompliance?
NERC defines the fines. Depending on how egregious the violation is, it can run into the millions of dollars in the worst cases. For example, if a party doesn’t provide evidence demonstrating their compliance, and if the software is being used on energy systems that are critical, these infractions would add to the fines. There haven’t been a lot of fines issued yet, largely because of COVID-19 keeping auditors from going out to check. That’s going to come to an end as the pandemic lifts.
Of note: NERC issued a 2019 fine of $10 million to an energy co with 127 CIP violations, including failure to identify and classify critical assets.
Q: How does this impact developers of third-party energy applications (and for other ICS systems)?
Edison Electric Institute produced the Model Procurement Contract Language for energy consumers that spells out expectations for their software vendors. One critical element that the EEI identified is the software bill of materials (SBOM), to provide software vendors some insight into what sort of questions and answers are expected of them. The North American Transmission Forum has also created a model questionnaire for electric companies to use when submitting to their software vendors to help them perform a software risk assessment.
Any software vendor who’s providing a solution used within the energy critical infrastructure is subject to providing responses to those questions and the SBOM materials called out in the Edison document. There are a lot more details there that software vendors need to be aware of, including what standards and format to use and how the SBOM will be delivered. Today, vendors are using their customer portals to distribute software bill of materials, along with the questionnaire, too.
Pro Tip: Learn how Reliable Energy’s SAG–PM tool breaks down the NATF questionnaire into an electronic form to make answers available in an xml format and SBOM structure.
Q: What best practices can you offer to NERC-related developers and developers of other ICS systems.
Get used to SBOMs in the DevOps environment. Also, look within repositories like GitHub to help implement these SBOMs. There are lots of tools and free help available, and the learning curve is relatively short.
Next, grab a copy of the vendor questionnaire available online and produce that document so customers can retrieve it and automate their supply chain risk management tools. If you are using SPDX and CycloneDX standard formats that have been adopted by the NTIA, you’ll be well on your way to having a viable solution.
Pro Tip: Learn how CodeSentry generates SBOMs from binary code and more about where SBOMs are going in the future.
