Discussion of potential changes centered on a need for software transparency and independent supply-chain assessments.
Regulators are exploring how to update critical infrastructure protection—or CIP—standards in order to secure electric utilities and other energy-sector entities from attacks against their software supply chains.
“I think, absolutely, we need to consider updating the liability standards,” said Federal Energy Regulatory Commission Chairman Richard Glick. “Clearly things have changed. It's important that we start considering that now.”
Glick spoke at a technical conference FERC co-hosted with the Department of Energy Wednesday to receive input on potential changes coming to the sector’s CIP standards in the wake of supply-chain attacks like the SolarWinds breach, which also inspired changes underway at the Federal Acquisition Regulatory Council, under a May 2021 executive order.
“We have seen an absolute increase in the supply chain threat vectors and how those things are being exploited by nation-state actors, as well as common cyber criminals being able to hide in the noise of the supply chain,” said Jeanette McMillian, assistant director of supply chain and the cyber directorate at the National Counterintelligence and Security Center.
Asked how energy-sector entities might gain more transparency into their vendors’ supply chains, McMillian shared an update on the implementation of that May executive order, which will culminate in new clauses acquisition officials at federal agencies must consider when procuring software.
“With regards to that software, as well as any updates, as well as any cybersecurity breaches … to say these are the type of cybersecurity things that need to happen,” McMillian said. “That is still ongoing. I believe the FAR regulation is still chugging along that particular line.”
In September, the Office of Management and Budget said the FAR would require agencies to collect a form from vendors attesting their adherence to appropriate software security practices. After leaving it up to agencies to determine whether they should also require evidence—including a software bill of materials, or SBOM—to support vendors’ security claims, OMB is now under pressure from industry to discourage agencies from collecting such evidence.
Glick specifically questioned the high, medium and low impact categories regulators currently use in assessing compliance with CIP standards, noting that adversaries could reach a facility whose breach would be high-impact by first compromising one where a breach would be considered low-impact.
Under the current CIP standards, the regulated entities are allowed to take a risk-based approach in designing their own cybersecurity plans according to the categorization system. Wednesday’s discussion prompted calls for a common set of standards all entities would be required to meet.
“I think what we need to take a look at is having a certain baseline standard of care that applies across the board,” said Marty Edwards, deputy chief technical officer for information and operational technology at the cybersecurity firm Tenable.
Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and Emergency Response, asked those participating in the conference whether the DOE should specifically require the use of SBOMs in the CIP standards.
“Yes, require an SBOM,” Emily Frye, director for cyber integration at the Homeland Security Center of the MITRE Corporation, responded, adding, “And, require the ability to independently validate the SBOM.”
Referring to OMB’s instruction to agencies under the executive order, Frye said, “A self-attestation letter does not provide us the kind of illumination or transparency that we who are accepting the risks as users should be forced to accept. I would encourage that we continue to march strongly toward the need for transparency.”
Frye’s remarks also conflicted with the industry’s assertion that SBOMs are not yet scalable or consumable.
“An SBOM, right now, is technically feasible, either by you, the supplier, giving it to me and by me double checking and creating my own,” she said. “That's up and running, the technology works.”
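The independent validation Frye describes, in which the consumer generates its own component inventory and checks it against the supplier's SBOM, can be illustrated in code. The following is an added example written for this page, not code from the conference, FERC, DOE or any vendor; it assumes a CycloneDX-style JSON SBOM with only the `components` fields shown, and both the supplier SBOM and the consumer's scan results are constructed samples. It goes slightly beyond the quote by classifying each discrepancy (version mismatch, component delivered but undeclared, component declared but not found) rather than reporting a single pass/fail.

```python
"""Independent SBOM validation: compare a supplier-provided SBOM against an
inventory the consumer generated itself, and report every discrepancy."""
import json

# Constructed sample: a supplier-provided CycloneDX-style SBOM (minimal subset of fields).
SUPPLIER_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
    {"type": "library", "name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "libxml2", "version": "2.10.3", "purl": "pkg:generic/libxml2@2.10.3"}
  ]
}
"""

# Constructed sample: what the consumer's own scan of the delivered artifact found.
OBSERVED_COMPONENTS = [
    {"name": "openssl", "version": "3.0.8"},
    {"name": "zlib", "version": "1.2.11"},      # older than the supplier declared
    {"name": "libxml2", "version": "2.10.3"},
    {"name": "libcurl", "version": "7.88.1"},   # shipped but not declared at all
]


def parse_sbom(text):
    """Return {component_name: version} from a CycloneDX-style JSON document.
    Names are lower-cased so that casing differences do not hide a match."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    declared = {}
    for comp in doc.get("components", []):
        name = comp["name"].lower()
        if name in declared:
            # A duplicate entry is itself a defect worth surfacing.
            raise ValueError("component listed twice in SBOM: %s" % name)
        declared[name] = comp.get("version", "")
    return declared


def compare_inventories(declared, observed):
    """Classify every component seen on either side.

    declared: {name: version} from the supplier SBOM
    observed: list of {"name", "version"} dicts from the consumer's own scan
    Returns a dict of sorted lists; version_mismatch holds
    (name, declared_version, observed_version) tuples."""
    seen = {c["name"].lower(): c["version"] for c in observed}
    result = {"matched": [], "version_mismatch": [], "undeclared": [], "not_found": []}
    for name in sorted(set(declared) | set(seen)):
        if name not in declared:
            result["undeclared"].append(name)          # delivered, never declared
        elif name not in seen:
            result["not_found"].append(name)           # declared, never delivered
        elif declared[name] != seen[name]:
            result["version_mismatch"].append((name, declared[name], seen[name]))
        else:
            result["matched"].append(name)
    return result


def validate_sbom(sbom_text, observed):
    """Parse the supplier SBOM and compare it with the consumer's inventory."""
    return compare_inventories(parse_sbom(sbom_text), observed)


def sbom_is_consistent(report):
    """True only when every component matched by name and version."""
    return not (report["version_mismatch"] or report["undeclared"] or report["not_found"])


if __name__ == "__main__":
    report = validate_sbom(SUPPLIER_SBOM_JSON, OBSERVED_COMPONENTS)
    for category, entries in report.items():
        print("%-17s %s" % (category + ":", entries))
    print("consistent:", sbom_is_consistent(report))
```

The consumer-side inventory would in practice come from a scanner run over the delivered artifact; here it is hard-coded so the comparison logic can be exercised offline. The point of returning categories rather than a boolean is that each class of discrepancy calls for a different follow-up: a version mismatch or an undeclared component is a question for the supplier, while a declared-but-absent component may simply mean the scan missed a statically linked dependency.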