Behold the electric sector software supply chain. It includes:
- The code that comes with the systems you procure: IT, OT, mobile, Smart Meters, etc.
- The code that your developers buy or borrow and use as part of their software development lifecycle (SDLC)
- The code developed, bought or borrowed by integrators you've hired
- The code your personnel download in the form of patches
- Other code that's crept in through the cracks, including code you didn't intend to procure, like the malware you've detected and removed
- ... and the malware resident on your systems that you don't know about yet
The US Department of Defense has been thinking about this for a long time, and Congress recently codified a fairly robust response in the National Defense Authorization Act (NDAA) for Fiscal Year 2013, whose software assurance provisions apply to the software DoD procures and builds.
Would this help remove vulnerabilities and substantially bolster security in our sector? You bet. Could it ever come to pass? That I don't know. But let's watch how it works in DoD, learn some lessons, and see what we can use.
Here's the article in NextGov on this. Hat tip to my Federal colleague, Tim F, for shooting this my way.
Photo credit: breakingmuscle.com