Protecting the Electric Grid with DBOM; A Proof of Concept Demonstration
- Dec 21, 2020 5:56 pm GMT
This article is co-authored by Shuli Goodman PhD, Executive Director, LF Energy, Chris Blask, Global Director Industrial and IoT Security, Unisys and Dick Brooks, Co-Founder, Reliable Energy Analytics LLC
The energy industry is well aware of the risks from cyber threats. However, the visibility and the sheer scale and scope of the SolarWinds software breach that ripped through the US Federal government and 425 of the Fortune 500 reveal that our software supply chains need attention, immediately. While it may take months or years to unwind the damage, solutions for securing software supply chains need to be identified now. The SolarWinds breach raises the central question: “how do you know whether you can trust a software object before you install it in a critical system?”
One way to answer this is through transparency. All operators must know what is inside a software object before installing anything onto their networks. That is where a “Software Bill of Materials” (SBOM) provides some assistance: the provider of the software attests to what the software object contains, so the object’s claims about itself can be checked against that attestation. An SBOM allows you to “check what’s inside” a software object prior to installation and then provides a traceable record. SBOMs give bulk electric system entities, utilities and even regulators the ability to conduct a software risk assessment, but there are hurdles to address: how do you know that an SBOM is trustworthy, and how can software vendors supply customers with an SBOM confidentially and securely? That is where DBOM helps.
The Digital Bill of Materials (DBOM) infrastructure allows parties to create ecosystems of channels where secure, reliable and auditable Attestations such as SBOMs can be written and/or accessed based on policy. For example, a software vendor supplying products to the energy industry could use a DBOM Node to establish an appropriately controlled and reliable shared repository, referred to as a DBOM Channel, between themselves and their customers. The vendor would make SBOM attestations available to their customers by writing them to the DBOM Channel. Only those parties with authorized access based on the policy set by the vendor will be able to access the information. All attestations from the vendor to its customers on this Channel will remain available and retain their established explicit validity over time, which is often not the case with attestations made through traditional methods such as email.
The type of data repository and the policy that controls access for an individual DBOM Channel are chosen by the Channel creator to best reflect its privacy and security requirements. Data repository types such as distributed ledger technology or traditional databases provide characteristics that apply to differing applications depending on requirements for scale, transparency, and other factors. Policies providing access to DBOM Channels are established to meet the purposes of each channel. A Public Channel can be made available without restrictions, for example to attest to information an organization might make available on its website. A Broadcast Channel as described in the software vendor example above can be used to attest to information to a specific group. A Private Channel can be as restricted as the channel creator chooses to share attestations among one or more parties. The DBOM Node and Channel architecture provides parties with secure, reliable, protected means of sharing critical sensitive information.
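To make the channel model above concrete, here is a small Python model, added for this article and not the DBoM Node’s own code or API, of Public, Broadcast and Private channels with an append-only log of SBOM attestations keyed by content hash, so that a customer can re-verify an attestation long after it was written. The party names, SBOM fields and the exact enforcement rules are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

# The three channel kinds named in the article. How a real DBoM Node enforces
# them is not described there; the checks below are this example's own model.
PUBLIC, BROADCAST, PRIVATE = "public", "broadcast", "private"


def canonical_digest(sbom: dict) -> str:
    """SHA-256 over canonical JSON, so the same SBOM always yields the same id."""
    payload = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Channel:
    name: str
    policy: str
    owner: str                                  # creator; sets the policy
    readers: set = field(default_factory=set)   # authorized readers (broadcast/private)
    writers: set = field(default_factory=set)   # additional writers (private only)
    log: list = field(default_factory=list)     # append-only attestation record

    def can_write(self, party: str) -> bool:
        return party == self.owner or (self.policy == PRIVATE and party in self.writers)

    def can_read(self, party: str) -> bool:
        if self.policy == PUBLIC:               # public: no restriction at all
            return True
        return party == self.owner or party in self.readers

    def attest(self, party: str, sbom: dict) -> str:
        """Append an SBOM attestation and return its content digest."""
        if not self.can_write(party):
            raise PermissionError(f"{party} may not write to {self.name}")
        digest = canonical_digest(sbom)
        self.log.append({"by": party, "sha256": digest, "sbom": sbom})
        return digest

    def read(self, party: str, digest: str):
        """Return the record attested under digest (or None), enforcing the read policy."""
        if not self.can_read(party):
            raise PermissionError(f"{party} may not read {self.name}")
        return next((r for r in self.log if r["sha256"] == digest), None)

    def verify(self, digest: str) -> bool:
        """Re-check later that the stored SBOM still hashes to the digest it was attested under."""
        rec = next((r for r in self.log if r["sha256"] == digest), None)
        return rec is not None and canonical_digest(rec["sbom"]) == digest
```

A vendor creates a Broadcast channel listing its customers as readers, attests an SBOM to it, and each customer can later fetch the record by digest and confirm it is unchanged; any party not on the policy is refused.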
The DBOM platform is uniquely qualified, due to its strict controls and secure channels, to be used by Critical Infrastructure Operators, such as the Bulk Electric System Operators of the U.S. Electric Grid, to exchange sensitive information with other trusted parties, such as software vendors. This brings us to one of the main points of this article: to make you aware of a DBOM Proof of Concept (POC) for the Energy Industry that is being planned by Linux Foundation Energy, a Linux Foundation initiative. The POC is currently in the planning phase, but steady progress is being made. The primary developer of DBOM software, Unisys Corp., has released an open source DBOM Node package which any party can use to access existing DBOM Channels, if authorized, or to create DBOM Channels of their own. The Energy POC for DBOM plans to demonstrate how DBOM can help Utilities and others share trusted communications from their software vendors, which can be used to assist entities with software supply chain security, i.e. software integrity and authenticity verification such as that required by the NERC CIP-010-3 R1, Part 1.6 standard.
Submissions are now open for the DBOM POC to any Energy Industry software vendor and to Grid operators, such as Utilities, Generators, Distribution Providers (formerly LSE), Marketers, ISO/RTOs, Reliability Coordinators, and Regional entities such as Public Utility Commissions, with an interest in seeing how DBOM can provide a trustworthy method to exchange sensitive attestation data, i.e. SBOMs, to aid in business operations such as software supply chain risk management functions. Reliable Energy Analytics LLC will participate in the LF Energy DBOM POC using the SAG-PM™ software.
All projects are funded by members, but not limited to members - all are welcome. The projects at the Linux Foundation are open and transparent. Please join us.
Send an e-mail to info@lfenergy.org with the Subject Line “LF Energy DBOM POC” for more information.
About LF Energy
LF Energy is an open source foundation focused on the power systems sector, hosted within The Linux Foundation. LF Energy provides a neutral, collaborative community to build the shared digital investments that will transform the world’s relationship to energy.
LF Energy brings together stakeholders to solve the complex, interconnected problems associated with the decarbonization of energy by using resilient, secure and flexible open source software, open frameworks, reference architectures and a support ecosystem of complementary projects. Members include RTE, Alliander, Energinet, TenneT, Elering, Statnett, Sony CSL, GE Renewable Energy, NREL, Recurve, Stanford University, OSIsoft, Wind River, Savoir-Faire Linux, CloudBees, Monash University, and many others. Find further information here: https://www.lfenergy.org.
About the DBoM Consortium
The DBoM Consortium is a Linux Foundation project in pre-launch status. The project maintains the DBoM Node open source software and manages the community of interest. The project is being established by the Linux Foundation in partnership with Unisys, LF Energy, Reliable Energy Analytics LLC, and other private and public sector partners.
About Unisys
Unisys is a global IT company known for building highly secure, modern digital platforms. We accelerate industry-leading digital workplace services, deliver next-generation cloud and infrastructure services, and provide the world’s most secure operating environment for high-intensity enterprise computing. And, we integrate security into all of our solutions. Unisys is built on nearly a century-and-a-half of game-changing innovation. Throughout our company history, we have enhanced people’s lives by bringing technological innovation to businesses and governments around the world with the singular goal of securing your tomorrow.
About Reliable Energy Analytics LLC
Reliable Energy Analytics LLC provides the energy industry with the patent pending Software Assurance Guardian Point Man™ (SAG-PM™), a software supply chain risk assessment control application. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of trustworthiness for the software object itself and for the parties serving roles within the software supply chain. SAG-PM applies best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, drawing on the framework’s ID.RA, ID.RM and ID.SC functions. SAG-PM was released in July 2020.