
Mon, Jul 4

Edison Electric Institute Foresight on Software Supply Chain Cybersecurity is Profound

In May 2020, the Edison Electric Institute (EEI) published a model procurement contract for cybersecurity supply chain risk, which is available for download. The foresight shown in this 2020 document is astute on several fronts: the concepts it captured are now, in 2022, considered mainstream best practices for software supply chains. The May 2020 release makes the intent of the publication clear: “The modifications in Version 2.0 were primarily intended to reflect evolving industry standard practices, including changes which broaden references to specific industry standards …” Here are a few of the EEI recommendations that are now considered industry best practice in 2022:

Requirement R1.2.4

Disclosure and remediation by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.

(a) Prior to the delivery of the procured product or service, Contractor shall provide or direct Company to an available source of summary documentation of publicly disclosed vulnerabilities and material defects in the procured product or services, the potential impact of such vulnerabilities and material defects, the status of Contractor’s efforts to mitigate those publicly disclosed vulnerabilities and material defects, and Contractor’s recommended corrective actions, compensating security controls, mitigations, and/or procedural workarounds

Requirement R1.2.5 (Integrity and Authenticity)

Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System.

(a) Contractor shall establish, document, and implement risk management practices for supply chain delivery of hardware, software (including patches), and firmware provided under this Agreement. Contractor shall provide documentation on its: chain-of-custody practices, inventory management program (including the location and protection of spare parts), information protection practices, integrity management program for components provided by sub-suppliers, instructions on how to request replacement parts, and commitments to ensure that for [negotiated time period] spare parts shall be made available by Contractor.

Requirement R1.2.5 (SBOM)

Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System.

(e) Contractor shall provide a software bill of materials for procured (including licensed) products consisting of a list of components and associated metadata that make up a component.

Fast forward to 2022, and the same EEI concepts and recommendations appear in NIST guidance as industry best practices for meeting Executive Order 14028 requirements, as shown below:

Regarding EEI requirement R1.2.4 on vulnerability disclosure reporting, NIST SP 800-161r1 control RA-5 recommends the following, in language similar to R1.2.4:

NIST SP 800-161r1, RA-5 (published May 2022):

RA-5 VULNERABILITY MONITORING AND SCANNING

Enterprises, where applicable and appropriate, may consider providing customers with a Vulnerability Disclosure Report (VDR) to demonstrate proper and complete vulnerability assessments for components listed in SBOMs. The VDR should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component or product. The VDR should also contain information on plans to address the CVE. Enterprises should consider publishing the VDR within a secure portal available to customers and signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature and associated VDR. Enterprises should also consider establishing a separate notification channel for customers in cases where vulnerabilities arise that are not disclosed in the VDR. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

AND

Software Security in Supply Chains: Vulnerability Management

  • Integrate SBOMs, vulnerability databases, and reporting mechanisms to ensure that federal departments and agencies rapidly receive notification of recently released vulnerabilities.
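The RA-5 guidance above asks the supplier to sign the VDR with a private key and to include a timestamp in what is signed. The following Go program is an added example (not code from NIST, EEI, or any supplier) of what that looks like end to end: the supplier serializes a minimal, component-level VDR, signs the timestamp and the report body together with an Ed25519 key, and the customer verifies the signature with the supplier's published public key before acting on anything in the report. The verify step is the same check EEI R1.2.5 (quoted above) requires for any signed artifact a vendor delivers. The VDR field set, the product name, the key generation inline in `main`, and the sample finding are assumptions for this example; the CVE referenced is the public Log4Shell advisory and the finding states only that log4j-core 2.17.1 is outside its affected range.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// VDR is a minimal vulnerability disclosure report keyed to SBOM components
// (field set assumed for this example, not a NIST-defined schema).
type VDR struct {
	Product    string    `json:"product"`
	Version    string    `json:"version"`
	Components []Finding `json:"components"`
}

// Finding: per component, whether a reported CVE affects the product and the plan.
type Finding struct {
	PURL     string `json:"purl"`
	CVE      string `json:"cve"`
	Affected bool   `json:"affected"`
	Analysis string `json:"analysis"`
	Plan     string `json:"plan"`
}

// SignedVDR is what the supplier publishes: report bytes, signing time, and a signature over both.
type SignedVDR struct {
	VDR       json.RawMessage `json:"vdr"`
	SignedAt  string          `json:"signed_at"` // RFC 3339, UTC
	Signature []byte          `json:"signature"`
}

// signedMessage is the exact byte string the signature covers. RFC 3339 stamps contain
// no newline, so "stamp\nbody" is unambiguous and neither part can be swapped alone.
func signedMessage(signedAt string, body []byte) []byte {
	return append([]byte(signedAt+"\n"), body...)
}

// SignVDR serializes the report and signs it together with the signing time.
func SignVDR(priv ed25519.PrivateKey, report VDR, signedAt time.Time) (SignedVDR, error) {
	body, err := json.Marshal(report)
	if err != nil {
		return SignedVDR{}, err
	}
	ts := signedAt.UTC().Format(time.RFC3339)
	return SignedVDR{VDR: body, SignedAt: ts, Signature: ed25519.Sign(priv, signedMessage(ts, body))}, nil
}

// VerifyVDR checks the signature against the supplier's pinned public key before
// anything in the report is trusted. Any change to body or stamp fails here.
func VerifyVDR(pub ed25519.PublicKey, s SignedVDR) (VDR, time.Time, error) {
	ts, err := time.Parse(time.RFC3339, s.SignedAt)
	if err != nil {
		return VDR{}, time.Time{}, fmt.Errorf("invalid signed_at: %w", err)
	}
	if !ed25519.Verify(pub, signedMessage(s.SignedAt, s.VDR), s.Signature) {
		return VDR{}, time.Time{}, errors.New("VDR signature does not verify (altered report or stamp, or wrong key)")
	}
	var report VDR
	if err := json.Unmarshal(s.VDR, &report); err != nil {
		return VDR{}, time.Time{}, fmt.Errorf("signed body is not a VDR: %w", err)
	}
	return report, ts, nil
}

// sampleReport is a constructed report for a hypothetical product: one SBOM
// component assessed against a real, public CVE and found not affected.
var sampleReport = VDR{
	Product: "example-controller-firmware",
	Version: "3.2.1",
	Components: []Finding{{
		PURL:     "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
		CVE:      "CVE-2021-44228",
		Affected: false,
		Analysis: "shipped log4j-core 2.17.1 is outside the affected range (fixed in 2.15.0)",
		Plan:     "no action required",
	}},
}

func main() {
	// Key generation is inline only to keep the example self-contained; in practice
	// the private key stays with the supplier and customers pin the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, err := SignVDR(priv, sampleReport, time.Now())
	if err != nil {
		panic(err)
	}
	got, ts, err := VerifyVDR(pub, signed) // customer side
	if err != nil {
		panic(err)
	}
	fmt.Printf("verified VDR for %s %s, signed %s\n", got.Product, got.Version, ts.Format(time.RFC3339))
}
```

Two caveats a practitioner should keep in mind. The timestamp here is asserted by the signer: the signature proves the supplier signed that stamp with that body, not that the clock was honest, so where the signing time itself matters (for example, to show a VDR predates a notification deadline) a third-party timestamp from an RFC 3161 authority is the usual addition. And key distribution is the hard part RA-5 leaves to the "secure portal": the customer must obtain and pin the supplier's public key out of band, because a public key fetched from the same place as the report verifies nothing.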

Regarding EEI requirement R1.2.5 (a) on verification of software integrity and authenticity, the corresponding NIST Executive Order 14028 recommendation is:

Software Security in Supply Chains: Software Verification (see Table F-5)

Regarding EEI requirement R1.2.5 (e) on the software bill of materials (SBOM), the corresponding NIST Executive Order 14028 recommendations are:

Software Security in Supply Chains: Attesting to Conformity with Secure Software Development Practices

  • Higher fidelity SBOMs, including vendor vulnerability disclosure reports at the component level

AND

Software Security in Supply Chains: Software Bill of Materials (SBOM)

See the entire NIST web page for all SBOM recommendations; the following are especially noteworthy:

  • Integrate vulnerability detection with SBOM repositories to enable automated alerting for applicable cybersecurity risks throughout the supply chain.
  • Ensure that current SBOMs detail the supplier’s integration of commercial software components.
  • Maintain vendor vulnerability disclosure reports at the SBOM component level.
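The first and third bullets above describe a mechanism: hold SBOMs in a repository, match their components against a vulnerability feed, and raise alerts that carry the supplier's component-level VDR statement. The Go program below is an added example of that correlation step; it is not NIST, EEI or any vendor's code. It parses a constructed CycloneDX-style SBOM, identifies each component by package URL (purl) rather than by name, matches it against a constructed one-entry feed whose range follows the public advisory for CVE-2021-44228, and attaches a constructed supplier VDR statement to the resulting alert. The field names, the sample device, and the version comparator are assumptions; the comparator handles only dot-separated numeric versions, so pre-release tags such as log4j's 2.0-beta9 are deliberately out of scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component holds the two CycloneDX fields consulted here; encoding/json matches
// the lowercase "version" and "purl" keys to these names case-insensitively.
type Component struct{ Version, PURL string }

// Vuln is one feed entry: package (purl without version) and the affected
// range [Introduced, Fixed); an empty Fixed means no fixed version is known.
type Vuln struct{ ID, Package, Introduced, Fixed string }

// Alert pairs a match with the supplier's component-level VDR statement, if any.
type Alert struct{ ID, PURL, VendorVDR string }

// Constructed sample SBOM for a hypothetical device. log4j-api is included on
// purpose: same namespace and version as log4j-core, but a different package.
const sampleSBOM = `{
  "specVersion": "1.4",
  "components": [
    {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "log4j-api",  "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"name": "zlib",       "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13?type=source"}
  ]
}`

// Constructed one-entry feed. The range follows the public advisory for CVE-2021-44228
// (log4j-core 2.x before 2.15.0); pre-release tags are not modelled by the comparator.
var sampleFeed = []Vuln{
	{ID: "CVE-2021-44228", Package: "pkg:maven/org.apache.logging.log4j/log4j-core", Introduced: "2.0.0", Fixed: "2.15.0"},
}

// Constructed supplier VDR statements, keyed "purl|id".
var sampleVendorVDR = map[string]string{"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1|CVE-2021-44228": "affected; fix scheduled for next firmware release"}

// packageOf strips qualifiers, subpath and version from a purl.
func packageOf(purl string) string {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	if i := strings.LastIndex(purl, "@"); i >= 0 {
		purl = purl[:i]
	}
	return purl
}

func segment(parts []string, i int) int { // i-th numeric segment, 0 if absent or non-numeric
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// compareVersions returns <0, 0 or >0 as a is before, equal to or after b,
// so "2.15" equals "2.15.0" and "2.14.1" is before "2.15.0".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if d := segment(as, i) - segment(bs, i); d != 0 {
			return d
		}
	}
	return 0
}

// Correlate matches every SBOM component against the feed by exact package and
// version range and attaches the supplier's VDR statement where one exists.
func Correlate(sbomJSON string, feed []Vuln, vendorVDR map[string]string) ([]Alert, error) {
	var sbom struct {
		Components []Component `json:"components"`
	}
	if err := json.Unmarshal([]byte(sbomJSON), &sbom); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var alerts []Alert
	for _, c := range sbom.Components {
		pkg := packageOf(c.PURL)
		for _, v := range feed {
			if v.Package != pkg || compareVersions(c.Version, v.Introduced) < 0 ||
				(v.Fixed != "" && compareVersions(c.Version, v.Fixed) >= 0) {
				continue
			}
			alerts = append(alerts, Alert{ID: v.ID, PURL: c.PURL, VendorVDR: vendorVDR[c.PURL+"|"+v.ID]})
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Correlate(sampleSBOM, sampleFeed, sampleVendorVDR)
	fmt.Printf("alerts=%+v err=%v\n", alerts, err)
}
```

On the sample input this raises exactly one alert, for log4j-core 2.14.1, and stays silent for log4j-api at the same version and for zlib, which the feed does not cover. In production the feed would come from NVD or OSV, the SBOMs from the repository the NIST bullet describes, and version comparison from a library that understands each ecosystem's rules (Maven, npm, PEP 440 and distro versions all order differently); the matching-by-purl and range-check structure stays the same. Note also that a supplier VDR entry saying "not affected" should lower the priority of an alert, not suppress it, until the customer has verified the analysis.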

I hope you find this information useful. Happy 4th of July.