I was able to attend the NPCC Fall meeting in Hartford on November 6-7, and here I’m sharing my personal experiences from that event.
The first day was chock-full of presentations on numerous topics and projects, all of which are available for public review on NERC’s website. Many of the discussions focused on energy transition matters, which you can read all about on the NERC website. It was great to finally meet the people I’ve been working with in the NPCC TFIST group for the past 3 years. Now I have a face to go with the voice during TFIST meetings.
I was most interested in discussing the FERC SCRM NOPR issued September 19 to understand what people were thinking about the proposed changes. Comments are due by December 2. The FERC SCRM NOPR signals a significant shift in thinking about how to protect critical infrastructure operations from cyber risk in software and the software supply chain, such as the activity attributed to Volt Typhoon. In a timely show of harmonization, the TSA also issued a NOPR on November 6 titled “Enhancing Surface Cyber Risk Management,” seeking comments on the use of CISA’s Secure by Design and Secure by Default principles and practices to address software and software supply chain risks. The natural gas industry has already announced support for the CISA Secure by Design principles. The 3 most common attack paths used by hackers are:
- People
- Software
- Supply Chain
These two NOPRs focus more on the Software and Software Supply Chain attack paths. It’s no surprise that many successful cyber incidents entered through one of these two doors, but People remains the most successful attack path, through social engineering such as phishing and credential stealing. Attacks relying on the People attack path typically impact a single organization, but Software and Supply Chain attacks can affect hundreds of organizations in a coordinated, simultaneous attack: by exploiting a vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog in commonly used software products, or by abusing a known, trusted software provider to distribute malware or to log in through the vendor’s VPN access into sensitive systems. The FERC NOPR makes clear that entities are expected to apply good faith efforts to detect cyber risk AND to take action when a cyber risk is identified.
I also explained the work underway in NAESB to explore areas for potential cybersecurity standards to aid with implementation of the NARUC/DOE/CISA Cybersecurity Performance Goals. This effort is currently a “research initiative” under NAESB’s cybersecurity subcommittee. All decisions to pursue, or not to pursue, standards development are the result of a consensus opinion at the subcommittee level, which is sent to the Executive Committee for approval.
I spoke to some individuals about a possible pilot for CISA’s Secure by Design practices based on CISA’s Software Acquisition Guide, as a prelude to the FERC NOPR work. The discussion continues. I also invited colleagues to join in a CISA Webinar on November 14 describing “how to implement” CISA’s Secure by Design practices based on the CISA Secure by Design Software Acquisition Guide.
I’ve also extended a hand to assist the local CISA regional office with any outreach regarding SCRM practices based on the CISA Secure by Design Software Acquisition Guide practices.
A big thank you to NPCC for such a well organized meeting and all the great food.