The truth about SBOM’s; A consumer perspective
- Mar 19, 2021 5:04 pm GMT
Software Bill of Materials (SBOM) is becoming a hot topic of discussion following the Solarwinds attack that affected 18,000 entities in December 2020. People are asking, could an SBOM have prevented the installation of corrupted software distributed by Solarwinds. Sadly, the answer is no. However, this same attack is preventable today thanks to the availability of pattern matching algorithms that can detect the Solarwinds malware, called SUNBURST. Now that we know what the “SUNBURST virus” looks like, we can stop it from being installed, with the proper supply chain risk assessment controls in place. The ability to stop zero-day exploits, such as the original Solarwinds attack, remain a challenge to detect and prevent.
This article aims to educate consumers of software products on what can REALISTICALLY be expected today when deciding to use SBOM’s in your cyber security protection processes.
Before beginning, a full disclosure is in order. Reliable Energy Analytics LLC has developed patent pending software that implements a 7-step software supply chain risk assessment solution, called SAG-PM™ for use by smaller electric companies that may not have the cyber security skills and expertise on-site, and are living on a very limited cyber security budget. This is reflected in the cost of SAG-PM™, $1,800 for an annual subscription. Smaller electric utilities need to prevent bad software from causing harm, and SAG-PM™ aims to achieve this at a price point that fits within a smaller electric utility company’s budget. Energy Central hosted an online PowerSession on 8/12/2020 describing this 7-step process, which is available on demand.
Understanding what SBOM is, is the first step to understanding how an SBOM can provide benefits to software consumers. An SBOM file, provided by a software vendor, contains an inventory of software components that have been incorporated into a software product. Complex software products, such as Energy Management Systems (EMS) and Customer Information Systems (CIS) are quite complex resulting in SBOM files of very significant size, e.g. 1,000 pages of documentation or more, that are not intended to be manually processed by humans, and are better handled using specialized software, such as SAG-PM™, as part of a risk assessment.
To start your SBOM journey you will need to work with your software vendors to provide you with an SBOM file for every delivery of their software product, including patches and upgrades. There are two SBOM formats that are gaining in popularity SPDX and CycloneDX. SAG-PM™ can process both formats equally, in the next V1.1 release, scheduled for 5/1/2021 . Both SPDX and CycloneDX SBOM formats are supported by a dedicated and knowledgeable community of experts that have proven to be very responsive to users request. I wholeheartedly endorse both SPDX and CycloneDX and you should request your software vendors to provide you with SBOM’s in either of these formats. Additionally, each of these SBOM formats support different type of data representations, i.e. XML, Text, JSON, etc. You will need to inform your software vendor of both the format (SPDX or CycloneDX) and data representation you prefer, I recommend that you request SPDX in Tag Value format, and CyclonedDX in XML format; these seem to be widely supported and implemented.
An SBOM file needs to accompany a software distribution package, e.g. patch, upgrade or initial release, that you are preparing to install. Before installation of any software package, you need to check for red flags that could indicate risk; this is where an SBOM becomes invaluable. SBOM’s can be used for both proactive and reactive cybersecurity controls. Proactively, an SBOM can drive the initial risk assessment process, before any attempt to install a software package, using the SAG-PM™ 7-step process described in the 8/12/2020 PowerSession. Reactively, an SBOM can provide insights into what software components are installed in your digital ecosystem. This information becomes extremely valuable when new software vulnerabilities are reported. By maintaining an inventory of all installed software components, using a tool such as Dependency Track, a party is able to answer the question, “Does new vulnerability X affect any of my installed software components?”. This enables parties to quickly assess their level of risk exposure when a new vulnerability is reported.
The Federal Government is actively seeking to harmonize the use of SBOM’s in a format neutral manner, through the Department of Commerce NTIA SBOM initiative. The participants of this initiative are actively working to produce guiding documents for software vendors and consumers looking to implement SBOM. It’s important to note that a party wishing to use SBOM today can do so without waiting on the NTIA work to complete, as both SPDX and CycloneDX are supported by NTIA. You are safe to start your implementation and be in full alignment with the NTIA SBOM guidance, when the documents are published, by sticking with these supported SBOM formats.
In summary, you can start implementing SBOM today, using either the SPDX or CycloneDX SBOM formats. Both formats are being supported by the NTIA SBOM initiative, so you will be in complete alignment with NTIA guidelines by using either of these SBOM formats, when the NTIA documents are published. The next production release of SAG-PM™, version 1.1, is scheduled for release on May 1, 2021, with full support for SPDX Tag/Value and CycloneDX XML forms of SBOM. Small electric companies can improve their software supply chain cybersecurity protections at a cost of $1,800 annually, using the SAG-PM™ solution. You may be able to protect yourselves from becoming a victim of bad software today; production grade SBOM formats are available now, so why wait. REA is ready to work with your software vendors, now to test and implement SBOM's using SAG-PM™.
Get Published - Build a Following
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.