This article from Michelle Jump describing work within the medical device arena regarding the use of Software Bill of Materials (SBOM) offers some valuable insights for the Energy Industry.
Replace "medical devices" with "smart grid devices" and "hospital networks" with "Grid command and control networks" in the following excerpt and you'll see why I believe an SBOM becomes a critical artifact to aid in managing cybersecurity risks in the Electric system and to address regulator concerns over foreign influence and software vulnerabilities:
Imagine a new malware attack has emerged, targeting hospital networks and the medical devices that operate on them. Think fast—are your medical devices vulnerable? If you don’t have complete transparency into all of the software components that make up your device, it’s a surprisingly difficult question to answer quickly.
This scenario is not theoretical. In 2017, the WannaCry ransomware attack shut down hospitals across the UK and resulted in billions of dollars of damages globally. Hospital buyers and regulators are increasingly concerned about the potential for medical devices to become a vector for spreading malware attacks onto hospital networks.
I can hear my friends across the electric industry now saying "great, another item to monitor for compliance". I know there is already a heavy burden on risk managers and compliance departments to meet energy industry regulations. I feel your pain, but at the same time some items are just far too important to ignore, like vegetation management, which has been known to cause widespread outages. Knowing what software is in your ecosystem, with the help of an SBOM, can help identify risks and prevent disasters like the one Michelle describes with WannaCry in her article.
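To make the "are our devices vulnerable?" question concrete, here is an added example (not from the article or from NTIA) that checks a fleet of device SBOMs against an advisory. The SBOMs, device names, component names and fixed versions are all constructed sample data in a simplified CycloneDX-like shape; the point is that a component with a missing or unparseable version is reported as a gap rather than silently counted as safe.

```python
"""Match a fleet of device SBOMs against a vulnerability advisory.

Constructed example data: simplified CycloneDX-style component lists,
hypothetical device names and a hypothetical advisory.
"""
from typing import Dict, List, Tuple

# Constructed fleet: one SBOM per grid device.
FLEET_SBOMS = {
    "substation-rtu-01": {"components": [
        {"name": "smbd", "version": "4.5.16"},
        {"name": "openssl", "version": "1.1.1"},
    ]},
    "feeder-controller-07": {"components": [
        {"name": "smbd", "version": "4.13.2"},
        {"name": "busybox", "version": "1.31.1"},
    ]},
    "hmi-workstation-03": {"components": [
        {"name": "openssl", "version": "1.0.2"},
    ]},
    "protection-relay-12": {"components": [
        {"name": "smbd"},            # version missing from the SBOM
    ]},
}

# Constructed advisory: component name -> first fixed version.
# Any lower version of that component is considered affected.
ADVISORY = {"smbd": "4.6.0", "openssl": "1.1.1"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple; reject anything else."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """True when `version` is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def find_exposed_devices(fleet: Dict[str, dict], advisory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device id -> components hit by the advisory ('name@version').
    A listed component with no usable version is reported as '(unknown)' so an
    incomplete SBOM surfaces as a gap instead of a clean bill of health."""
    exposed: Dict[str, List[str]] = {}
    for device, sbom in fleet.items():
        hits = []
        for comp in sbom.get("components", []):
            name, version = comp.get("name"), comp.get("version")
            if name not in advisory:
                continue
            try:
                if version is None or is_affected(version, advisory[name]):
                    hits.append(f"{name}@{version or '?'}" + (" (unknown)" if version is None else ""))
            except ValueError:
                hits.append(f"{name}@{version} (unknown)")
        if hits:
            exposed[device] = hits
    return exposed
```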
The National Telecommunications and Information Administration (NTIA) is planning an SBOM proof of concept (POC) demonstration for the energy industry; I'll provide details of the NTIA SBOM POC as they emerge. I encourage interested parties from within utility companies, ISO/RTOs, Generators and Transmission Owners to consider engaging in this POC to ensure that it serves a useful purpose for the industry.