As electric utilities look towards furthering their compliance programs, consideration needs to be made around software integrity and authenticity. Of the new NERC CIP requirements coming into effect in October 2020, two of them deal with this concept – CIP-010-3 R1 (1.6.1 and 1.6.2) and CIP-013-1 R1 (1.2.5). Asset management, in general, is a daunting task and this requirement furthers this burden. It is not uncommon for a utility to deal with hundreds or thousands of assets where these requirements come into effect. This means that the utility needs to have the time and aptitude in order to ensure the applications and their software sources are not going to put the bulk electric system (BES) in added cyber security risk. There are several resources to read to learn more about what and how you need to approach this topic.
CIP-010-3 R1
https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-010-3.pdf
- 1.6.1. Verify the identity of the software source; and
- 1.6.2. Verify the integrity of the software obtained from the software source.
- “The concept of software verification (verifying the identity of the software source and the integrity of the software obtained from the software source) is a key control in preventing the introduction of malware or counterfeit software. This objective is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.”
NATF Article on CIP-010-3 R1
https://www.natf.net/docs/natf/documents/resources/supply-chain/natf-guidance-for-cip-010-3-software-integrity.pdf
- “To the extent that the Responsible Entity uses automated systems such as a subscription service to download and distribute software including updates, software verification may likely be an automated byproduct.”
CIP-013 – 1 R1
https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
- 1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;
- “Part 1.2.5 is not an operational requirement for entities to perform such verification; instead, it requires entities to address the software integrity and authenticity issue in its contracting process to provide the entity the means by which to perform such verification under CIP-010-3.”
How can FoxGuard help?
Our Patch Availability Report is the first key to putting these assurances in place. This report is designed to monitor a utility’s complete asset list, including IT and OT items, for monthly patch due diligence. (CIP-007-6, R2.1, 2.2). As part of this process, we will ensure you have a properly documented asset list. We will work closely with the product vendors to ensure that the appropriate sources are being monitored and evidence is being documented. From there, our Patch Binary Acquisition service provides the opportunity for you to outsource your patching download burden to a centralized source with security controls in place for this burdensome task. As part of this service, we will acquire the patch download, hash the software, and deliver it encrypted via a secure storage device. This device will be shipped and protected via tamper-evident packaging. By using FoxGuard for this service, you have one source to look to for supply chain ownership of the process. This increases your security while greatly reducing your time, resources and financial investment.