I provide consulting services in supply chain cybersecurity risk management, including CIP-013, software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I also lead the OWASP SBOM Forum.
I am also now providing advice to vendors of cloud-based services on working within the existing CIP standards, as well as preparing for the likely advent of a path to full NERC CIP compliance in the cloud.
I write a widely followed blog which focuses on all of the above topics: https://tomalrichblog.blogspot.com/. My new book is "Introduction to SBOM and VEX".