

The truth about SBOMs: a consumer perspective


The Software Bill of Materials (SBOM) has become a hot topic of discussion following the SolarWinds attack, disclosed in December 2020, whose trojanized Orion update reached as many as 18,000 customers. People are asking whether an SBOM could have prevented the installation of the corrupted software distributed by SolarWinds. Sadly, the answer is no: the malicious code was inserted into SolarWinds' own build of a first-party component, so the component inventory of the trojanized release would have matched that of a clean one. However, this same attack is preventable today thanks to pattern-matching detections for the SolarWinds malware, called SUNBURST. Now that we know what the SUNBURST backdoor looks like, we can stop it from being installed, with the proper supply chain risk assessment controls in place. Previously unseen malicious code, which is what the original SolarWinds attack was, remains a challenge to detect and prevent.


This article aims to educate consumers of software products on what can REALISTICALLY be expected today when deciding to use SBOMs in your cybersecurity protection processes.

Before beginning, a full disclosure is in order. Reliable Energy Analytics LLC has developed patent-pending software that implements a 7-step software supply chain risk assessment solution, called SAG-PM™, for use by smaller electric companies that may not have cybersecurity skills and expertise on-site and are living on a very limited cybersecurity budget. This is reflected in the cost of SAG-PM™: $1,800 for an annual subscription. Smaller electric utilities need to prevent bad software from causing harm, and SAG-PM™ aims to achieve this at a price point that fits within a smaller electric utility company's budget. Energy Central hosted an online PowerSession on 8/12/2020 describing this 7-step process, which is available on demand.

Understanding what an SBOM is is the first step toward understanding how one can benefit software consumers. An SBOM file, provided by a software vendor, is an inventory of the software components that have been incorporated into a software product. For complex products such as Energy Management Systems (EMS) and Customer Information Systems (CIS), the resulting SBOM can be very large, e.g. 1,000 pages of documentation or more; files of that size are not intended to be processed manually by humans and are better handled by specialized software, such as SAG-PM™, as part of a risk assessment.

To start your SBOM journey, you will need to work with your software vendors to obtain an SBOM file for every delivery of their software product, including patches and upgrades. Two SBOM formats are gaining in popularity: SPDX and CycloneDX. SAG-PM™ will process both formats equally in the next release, V1.1, scheduled for 5/1/2021. Both SPDX and CycloneDX are supported by dedicated and knowledgeable communities of experts that have proven very responsive to user requests. I wholeheartedly endorse both SPDX and CycloneDX, and you should ask your software vendors to provide SBOMs in either of these formats. Additionally, each format supports several serializations (XML, tag/value text, JSON, and so on), so you will need to tell your software vendor both the format (SPDX or CycloneDX) and the serialization you prefer. I recommend requesting SPDX in tag/value format and CycloneDX in XML format; these appear to be the most widely supported and implemented.

An SBOM file needs to accompany every software distribution package (patch, upgrade or initial release) that you are preparing to install. Before installing any software package, check for red flags that could indicate risk; this is where an SBOM becomes invaluable. Confirm first that the SBOM actually describes the package in hand (matching product name and version and, where the vendor supplies them, file hashes), since an SBOM for a different build tells you nothing about this one. SBOMs can be used for both proactive and reactive cybersecurity controls. Proactively, an SBOM can drive the initial risk assessment, before any attempt to install a software package, using the SAG-PM™ 7-step process described in the 8/12/2020 PowerSession. Reactively, an SBOM provides insight into which software components are installed in your digital ecosystem. This information becomes extremely valuable when new software vulnerabilities are reported. By maintaining an inventory of all installed software components, using a tool such as OWASP Dependency-Track, a party can answer the question "Does new vulnerability X affect any of my installed software components?" and quickly assess its level of risk exposure. The answer is only as good as the identifiers in the SBOM: a component listed by name alone, without a package URL (purl) or other precise coordinates and an exact version, cannot be matched reliably against an advisory.
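As an added example (not code from this article, from SAG-PM™ or from Dependency-Track), the following Python script parses a minimal CycloneDX XML document and a minimal SPDX tag/value document, the two serializations recommended above, into one component inventory, and then answers the reactive question "does vulnerability X affect any installed component?" against an advisory. Both SBOM documents, the package names (acme-widget, jsonparse, example-ems) and the advisory EXAMPLE-2021-0001 are constructed for this example and describe no real product or vulnerability; the version comparison handles plain numeric dotted versions only, which is enough here but not for every package ecosystem.

```python
"""Added example: two SBOM serializations -> one inventory -> advisory match.
All documents, packages and the advisory below are constructed, not real."""
import xml.etree.ElementTree as ET

# Constructed CycloneDX 1.3 XML BOM with two fictional components.
CYCLONEDX_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library">
      <name>acme-widget</name>
      <version>1.4.2</version>
      <purl>pkg:npm/acme-widget@1.4.2</purl>
    </component>
    <component type="library">
      <name>jsonparse</name>
      <version>2.3.1</version>
      <purl>pkg:maven/com.example/jsonparse@2.3.1</purl>
    </component>
  </components>
</bom>"""

# Constructed (abridged) SPDX 2.2 tag/value document: one product, one component.
SPDX_TAG_VALUE = """SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-ems

PackageName: example-ems
SPDXID: SPDXRef-Package-example-ems
PackageVersion: 4.1.0
PackageDownloadLocation: NOASSERTION

PackageName: jsonparse
SPDXID: SPDXRef-Package-jsonparse
PackageVersion: 2.3.0
PackageDownloadLocation: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:maven/com.example/jsonparse@2.3.0"""

# Hypothetical advisory in an OSV-like shape: affected when introduced <= v < fixed.
ADVISORY = {
    "id": "EXAMPLE-2021-0001",
    "affected": [
        {"purl": "pkg:maven/com.example/jsonparse", "introduced": "2.0.0", "fixed": "2.3.1"},
        {"purl": "pkg:npm/acme-widget", "introduced": "1.0.0", "fixed": "1.4.0"},
    ],
}

CDX_NS = {"bom": "http://cyclonedx.org/schema/bom/1.3"}


def parse_cyclonedx_xml(text):
    """Return [{'name', 'version', 'purl'}] for every <component> in a CycloneDX XML BOM."""
    root = ET.fromstring(text)
    return [
        {
            "name": c.findtext("bom:name", default="", namespaces=CDX_NS),
            "version": c.findtext("bom:version", default="", namespaces=CDX_NS),
            "purl": c.findtext("bom:purl", default="", namespaces=CDX_NS),
        }
        for c in root.findall(".//bom:component", CDX_NS)
    ]


def parse_spdx_tag_value(text):
    """Return the same inventory shape for every package in an SPDX tag/value document."""
    inventory, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":          # each PackageName starts a new package block
            current = {"name": value, "version": "", "purl": ""}
            inventory.append(current)
        elif current is None:             # still in the document-level header
            continue
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "ExternalRef":        # "<category> <type> <locator>"
            parts = value.split()
            if len(parts) == 3 and parts[1] == "purl":
                current["purl"] = parts[2]
    return inventory


def parse_version(s):
    """Plain numeric dotted versions only; semver/Maven ordering rules are out of scope."""
    parts = s.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {s!r}")
    return tuple(int(p) for p in parts)


def affected_components(inventory, advisory):
    """Return components hit by the advisory, and components that cannot be
    matched at all because the SBOM gave them no purl (a red flag in itself)."""
    hits, unmatchable = [], []
    for comp in inventory:
        if not comp["purl"]:
            unmatchable.append(comp["name"])
            continue
        base = comp["purl"].split("@", 1)[0]   # purl without its version part
        for rng in advisory["affected"]:
            if base == rng["purl"] and (
                parse_version(rng["introduced"]) <= parse_version(comp["version"])
                < parse_version(rng["fixed"])
            ):
                hits.append(comp["purl"])
    return {"affected": hits, "unmatchable": unmatchable}


if __name__ == "__main__":
    inventory = parse_cyclonedx_xml(CYCLONEDX_XML) + parse_spdx_tag_value(SPDX_TAG_VALUE)
    print(affected_components(inventory, ADVISORY))
```

Run as a script it reports jsonparse 2.3.0 (from the SPDX document) as affected, jsonparse 2.3.1 and acme-widget 1.4.2 as not affected because they sit at or above the fixed version, and example-ems as unmatchable because its SBOM entry carries no purl. In practice you would load the inventory into Dependency-Track or a similar tool rather than hand-roll the matching, and use ecosystem-aware version comparison.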

The Federal Government is actively seeking to harmonize the use of SBOMs in a format-neutral manner through the Department of Commerce NTIA SBOM initiative. Participants in this initiative are actively working to produce guiding documents for software vendors and consumers looking to implement SBOM. It's important to note that a party wishing to use SBOM today can do so without waiting for the NTIA work to complete, as both SPDX and CycloneDX are supported by NTIA. By sticking with these supported SBOM formats, you can safely start your implementation now and be in full alignment with the NTIA SBOM guidance when the documents are published.

In summary, you can start implementing SBOM today using either the SPDX or CycloneDX SBOM format. Both formats are supported by the NTIA SBOM initiative, so by using either of them you will be in complete alignment with the NTIA guidelines when the NTIA documents are published. The next production release of SAG-PM™, version 1.1, is scheduled for May 1, 2021, with full support for SPDX tag/value and CycloneDX XML forms of SBOM. Small electric companies can improve their software supply chain cybersecurity protections at a cost of $1,800 annually using the SAG-PM™ solution. You may be able to protect yourselves from becoming a victim of bad software today; production-grade SBOM formats are available now, so why wait? REA is ready to work with your software vendors now to test and implement SBOMs using SAG-PM™.

Never trust software, always verify and report!

 

Thank Richard for the Post!

Discussions

Tom Alrich on Mar 23, 2021

Dick, there are no NTIA "guidelines" coming. NTIA isn't in the business of producing regulations, guidelines or anything like that. They are in the business of helping individual industries work out among themselves (suppliers and software users) how to produce and share SBOMs. They are doing this with industry Proofs of Concept. There's an ongoing Healthcare PoC, and there will soon be an Autos PoC and an Energy (specifically Electric Power) PoC. Anyone interested in those can email afriedman@ntia.doc.gov 

You know this quite well. Please don't mislead your readers about this. 

Richard Brooks on Mar 24, 2021

Tom, I assure you my readers are intelligent people that are not misled by me or anyone else. They can read your words, like the following, and realize that these "how to" documents you refer to are some form of guideline being offered: "They are in the business of helping individual industries work out among themselves (suppliers and software users) how to produce and share SBOMs."

If these NTIA documents are not guidelines on how to produce and share SBOMs then what are they? I'm happy to use whatever term you assign to the corpus of materials being developed by NTIA when communicating with you, but I'll tell my readers my opinion, which is the NTIA documents are guidelines, and they will decide for themselves if I'm accurate, in spite of your biased opinion of my writings.

I shared my experiences using SBOMs for the past year in this article. Maybe you should consider sharing your real experiences using SBOM, instead of criticizing my experiences. That might actually help readers see both sides of this discussion, and would be more useful than biased criticism.

Please cease further biased and contentious criticisms that serve no useful purpose toward SBOM adoption and much needed cybersecurity protections for the Energy industry, especially smaller electric utilities with limited cybersecurity expertise and very limited cybersecurity budgets.
