METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY has been assigned patent number 11,374,961 with an issue date of June 28, 2022.
The Software Assurance Guardian™ (SAG™) software has been designed specifically to identify suspect software objects that may cause harm to the Bulk Electric System. The SAG patent application describes the most comprehensive Software Supply Chain Risk Assessment methodology to verify software object integrity and authenticity following the NIST Cybersecurity Framework, Version 1.1 and NERC CIP-010-3 standards. SAG Software applies several cryptographic and non-cryptographic methods to determine the level of trustworthiness of a software object and its entire supply chain. The SAG process contains thorough risk assessment techniques that are intended to determine the trust level assigned to a software object, called a SAGScore™, across 7 risk categories, considering 22 independent risk factors. Smaller BES Entities that lack the cybersecurity skills needed to perform a thorough verification of software integrity and authenticity can use SAG Software to gain the benefits of “best practices” for verifying software objects before installation in a BES Cyber System, and to demonstrate compliance with FERC Order 850 and the NERC CIP Supply Chain Reliability Standards, following the FERC 6/18/2020 white paper suggesting cybersecurity control enhancements and best practices, which REA enthusiastically supports.
Simply identifying a suspect software object may be sufficient to protect a BES Entity from installing malicious software into their BES Cyber Assets, but what about all the other BES Entities? Wouldn’t it be nice if a bad actor, once identified, could be made known to other BES Entities so that they don’t become victims? SAG software works diligently to stop the spread of a suspect software object by facilitating the reporting of an “attempt to compromise” cyber incident with NERC E-ISAC and DHS-NCCIC in accordance with FERC’s June 20, 2019 announcement pertaining to FERC Docket No. RD19-3-000 and NERC CIP-008-6.
In summary, the Software Assurance Guardian™ patent pending technology is designed to help Bulk Electric System Responsible Entities, both large and small, keep the BES safe from malicious attempts to compromise a BES cyber asset. Once a suspect software object has been identified, the SAG™ Software gets the word out as quickly as possible with E-ISAC and DHS-NCCIC to help prevent the malicious software object from infecting other BES Entities’ systems, stopping the spread as soon as possible.
Never trust software, always verify and report!™
A brief presentation is available to interested parties upon request.