
Protecting the Electric Grid with DBOM; A Proof of Concept Demonstration

image credit: LF Energy
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

Dec 21, 2020

This article is co-authored by Shuli Goodman PhD, Executive Director, LF Energy, Chris Blask, Global Director Industrial and IoT Security, Unisys and Dick Brooks, Co-Founder, Reliable Energy Analytics LLC

The energy industry is well aware of the risks from cyber threats. However, the visibility and sheer scale and scope of the SolarWinds software breach that ripped through the US Federal government and 425 of the Fortune 500 reveals that our software supply chains need attention, immediately. While it may take months or years to unwind the damage, solutions for securing software supply chains need to be identified now. The SolarWinds breach raises the central question: "how do you know if you can trust a software object, before you install it in a critical system?"

One way to answer this is through transparency. All operators must know what's inside a software object before installing anything onto their networks. That's where a "Software Bill of Materials" (SBOM) provides some assistance: the provider of the software attests to what the software object claims to contain. An SBOM allows you to "check what's inside" a software object prior to installation, and then provides a traceable record. SBOMs give bulk electric system entities, Utilities and even regulators the ability to conduct a software risk assessment, but there are hurdles to address: How do you know that an SBOM is trustworthy, and how can software vendors supply customers with an SBOM confidentially and securely? That's where DBOM helps.

The Digital Bill of Materials (DBOM) infrastructure allows parties to create ecosystems of channels where secure, reliable and auditable Attestations such as SBOMs can be written and/or accessed based on policy. For example, a software vendor supplying products to the energy industry could use a DBOM Node to establish an appropriately controlled and reliable shared repository, referred to as a DBOM Channel, between themselves and their customers. The vendor would make SBOM attestations available to their customers by writing them to the DBOM Channel. Only those parties with authorized access based on the policy set by the vendor will be able to access the information. All attestations from the vendor to its customers on this Channel will remain available and retain their established explicit validity over time, which is often not the case with attestations made through traditional methods such as email.

The type of data repository and the policy that controls access for an individual DBOM Channel are chosen by the Channel creator to best reflect its privacy and security requirements. Data repository types such as distributed ledger technology or traditional databases provide characteristics that suit differing applications, depending on requirements for scale, transparency, and other factors. Policies providing access to DBOM Channels are established to meet the purposes of each channel. A Public Channel can be made available without restrictions, for example to attest to information an organization might make available on its website. A Broadcast Channel, as described in the software vendor example above, can be used to attest to information for a specific group. A Private Channel can be as restricted as the channel creator chooses, to share attestations among one or more parties. The DBOM Node and Channel architecture provides parties with a secure, reliable, protected means of sharing critical sensitive information.

The DBOM platform is uniquely qualified, due to its strict controls and secure channels, to be used by Critical Infrastructure Operators, such as the Bulk Electric System Operators of the U.S. Electric Grid, to exchange sensitive information with other trusted parties, such as software vendors. This brings us to one of the main points of this article: to make you aware of a DBOM Proof of Concept (POC) for the Energy Industry that is being planned by Linux Foundation Energy, a Linux Foundation initiative. The POC is currently in the planning phase, but steady progress is being achieved. The primary developer of DBOM software, Unisys Corp., has released an open source DBOM Node package which any party can use to access existing DBOM Channels, if authorized, or to create DBOM channels of their own. The Energy POC for DBOM plans to demonstrate how DBOM can help Utilities and others receive trusted communications from their software vendors, which can be used to assist entities with software supply chain security, i.e. software integrity and authenticity verification, such as the NERC CIP-010-3 R1, Part 1.6 standards.
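To make the channel model from the preceding paragraphs concrete, here is a small Python model, added for this article and not code from the DBOM Node project, of the three policy kinds (Public, Broadcast, Private), append-only attestations written by the channel owner, and the consumer-side integrity and authenticity check that the NERC CIP-010-3 R1 Part 1.6 reference above calls for. The vendor name, product, channel name, installer bytes and keys are all constructed; an HMAC stands in for the vendor's real digital signature so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Policy kinds named in the article; the enforcement below is a constructed model,
# not the DBOM Node implementation.
PUBLIC, BROADCAST, PRIVATE = "public", "broadcast", "private"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so a signature covers a stable byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_attestation(vendor_key: bytes, sbom: dict) -> dict:
    """Vendor signs an SBOM. HMAC is a stand-in for an asymmetric signature (assumption)."""
    sig = hmac.new(vendor_key, canonical(sbom), hashlib.sha256).hexdigest()
    return {"sbom": sbom, "sig": sig}


def verify_attestation(vendor_key: bytes, att: dict) -> bool:
    expected = hmac.new(vendor_key, canonical(att["sbom"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


@dataclass
class Channel:
    name: str
    policy: str
    owner: str
    members: set = field(default_factory=set)       # parties the owner has authorised
    attestations: list = field(default_factory=list)  # append-only history

    def can_read(self, party: str) -> bool:
        if self.policy == PUBLIC:
            return True
        return party == self.owner or party in self.members

    def write(self, party: str, att: dict) -> None:
        if party != self.owner:
            raise PermissionError(f"{party} may not write to {self.name}")
        self.attestations.append(att)  # earlier attestations stay available over time

    def read(self, party: str) -> list:
        if not self.can_read(party):
            raise PermissionError(f"{party} is not authorised to read {self.name}")
        return list(self.attestations)


def verify_before_install(channel: Channel, party: str, vendor_key: bytes,
                          product: str, version: str, installer: bytes) -> tuple:
    """Consumer-side check: authorised access, authentic attestation, matching hash."""
    try:
        atts = channel.read(party)
    except PermissionError as exc:
        return False, str(exc)
    for att in reversed(atts):  # newest attestation first
        s = att["sbom"]
        if s["product"] == product and s["version"] == version:
            if not verify_attestation(vendor_key, att):
                return False, "attestation signature invalid"
            if not hmac.compare_digest(s["installer_sha256"], sha256_hex(installer)):
                return False, "installer hash does not match attested SBOM"
            return True, "ok"
    return False, "no attestation found for this product/version"


def demo() -> dict:
    """Constructed scenario: a vendor broadcast channel with one authorised customer."""
    vendor_key = b"constructed-vendor-signing-key"
    installer = b"constructed installer bytes for GridMonitor 1.2.0"
    sbom = {
        "product": "GridMonitor", "version": "1.2.0",
        "installer_sha256": sha256_hex(installer),
        "components": [{"name": "openssl", "version": "1.1.1k"},
                       {"name": "zlib", "version": "1.2.11"}],
    }
    ch = Channel("acme-customers", BROADCAST, owner="AcmeVendor", members={"UtilityA"})
    ch.write("AcmeVendor", sign_attestation(vendor_key, sbom))

    results = {
        "authorised_customer": verify_before_install(
            ch, "UtilityA", vendor_key, "GridMonitor", "1.2.0", installer),
        "unauthorised_party": verify_before_install(
            ch, "UtilityB", vendor_key, "GridMonitor", "1.2.0", installer),
        "tampered_installer": verify_before_install(
            ch, "UtilityA", vendor_key, "GridMonitor", "1.2.0", installer + b"\x00"),
        # An SBOM edited after signing no longer verifies.
        "edited_after_signing": verify_attestation(
            vendor_key, {"sbom": dict(sbom, version="9.9.9"),
                         "sig": ch.attestations[0]["sig"]}),
    }
    try:  # Only the channel owner may write attestations.
        ch.write("UtilityB", sign_attestation(b"other-key", sbom))
        results["non_owner_write_rejected"] = False
    except PermissionError:
        results["non_owner_write_rejected"] = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The consumer never trusts the installer's own claims: it fetches the attestation through a channel whose policy it was granted access to, checks that the attestation was produced by the vendor, and only then compares the installer's SHA-256 against the attested value. A real deployment would replace the HMAC with the vendor's signing key pair and the in-memory list with the channel's chosen repository.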

Submissions are now open for the DBOM POC to any Energy Industry software vendor and Grid operators, such as Utilities, Generators, Distribution Providers (formerly LSE), Marketers, ISO/RTOs, Reliability Coordinators, and Regional entities such as Public Utility Commissions, with an interest in seeing how DBOM can provide a trustworthy method to exchange sensitive attestation data, i.e. SBOMs, to aid in business operations such as software supply chain risk management functions. Reliable Energy Analytics LLC will participate in the LF Energy DBOM POC using the SAG-PM™ software.

All projects are funded by members, but not limited to members - all are welcome. The projects at the Linux Foundation are open and transparent. Please join us.

Send an e-mail to info@LFEnergy.org with the Subject Line: LF Energy DBOM POC for more information.

About LF Energy

LF Energy is an open source foundation focused on the power systems sector, hosted within The Linux Foundation. LF Energy provides a neutral, collaborative community to build the shared digital investments that will transform the world’s relationship to energy.

LF Energy brings together stakeholders to solve the complex, interconnected problems associated with the decarbonization of energy by using resilient, secure and flexible open source software, open frameworks, reference architectures and a support ecosystem of complementary projects. Members include RTE, Alliander, Energinet, TenneT, Elering, Statnett, Sony CSL, GE Renewable Energy, NREL, Recurve, Stanford University, OSISoft, Wind River, Savoir-Faire Linux, Cloud Bees, Monash University, and many others. Find further information here: https://www.LFEnergy.org.

About the DBoM Consortium

The DBoM Consortium is a Linux Foundation project in pre-launch status. The project maintains the DBoM Node open source software and manages the community of interest. The project is being established by the Linux Foundation in partnership with Unisys, LF Energy, Reliable Energy Analytics LLC, and other private and public sector partners.

About Unisys

Unisys is a global IT company known for building highly secure, modern digital platforms. We accelerate industry-leading digital workplace services, deliver next-generation cloud and infrastructure services, and provide the world’s most secure operating environment for high-intensity enterprise computing. And, we integrate security into all of our solutions. Unisys is built on nearly a century-and-a-half of game-changing innovation. Throughout our company history, we have enhanced people’s lives by bringing technological innovation to businesses and governments around the world with the singular goal of securing your tomorrow.

About Reliable Energy Analytics LLC

Reliable Energy Analytics LLC provides the energy industry with the patent pending Software Assurance Guardian Point Man™ (SAG-PM™), a software supply chain risk assessment control application. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and for the parties serving roles within the software supply chain. SAG-PM applies best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, drawing on the ID.RA, ID.RM and ID.SC NIST functions. SAG-PM was released in July 2020.

Discussions

Matt Chester on Dec 21, 2020

The type of data repository and the policy that controls access for an individual DBOM Channel are chosen by the Channel creator to best reflect its privacy and security requirements. Data repository types such as distributed ledger technology or traditional databases provide characteristics that apply to differing applications depending on requirements for scale, transparency, and other factors. 

Will be so interesting to see how these different types and channels develop organically over time

Richard Brooks on Dec 22, 2020

I agree Matt. DBOM is the key to a secure and reliable data exchange of sensitive, confidential data between software vendors and their customers. Sensitive data, such as a Software Bill of Materials (SBOM) can be broadcast to all customers of a particular product via a secure DBOM channel which the vendor has designated as accessible to customers ONLY. The SBOM that a customer receives via the secure DBOM channel will then be used to perform a software supply chain risk assessment, resulting in an evidence file, which can be stored in a secure evidence locker, again using DBOM security to exchange the confidential results.

Rick Engebretson on Dec 22, 2020

While we are considering software/linux/energy/security may I add two different areas of great hope and opportunity I would enjoy seeing explored.

First, the Intel NUC PC. It boots to a boot, with little of the old OS "drivers" for parts unknown. My general impression is it is designed with security and stability as priority. But I know next to nothing about it.

Second, the workplace revolution now happening due to pandemic response. Silicon Valley isn't laying people off, they are keeping people working from home and inventing/testing new technology. Much like the early web encyclopedia, later web shopping, we are now seeing greatly reduced traffic along with road construction demands. I like how people are saving time while eating good dinners with family again. Fewer one ton cars in daily stop and go traffic on enormous concrete areas has to have some environmental benefits.

The world went nuts with consumption. A lot needs to be thought out before we spend money we don't have on things we don't want.
