Standardized Software Bill of Materials Needed to Power Energy Cybersecurity

COMMENTARY

Supply chain security is top of mind these days for policymakers and regulators focused on protecting the utility industry and other critical infrastructure. A cyber vulnerability with a single supplier can take down an entire supply chain network and the entities that use its products.

The organizations that support and supply products and services to our critical infrastructure are wholly reliant on advanced operational software and hardware assets to ensure effective and reliable operations. Therefore, they are particularly vulnerable to cyber risk within their complex supply chains.

However, the supply chain cybersecurity discussions in the halls of Washington, D.C., have frequently focused on the manufacturing of physical products and neglected to mention the higher-risk software products. The most vital part of our infrastructure, the nation’s power grid, is at its core composed of software platforms that control every aspect of power generation and distribution.

The electric power organizations that purchase, deploy, and manage the software associated with critical infrastructure need visibility into the software they are using to ensure effective and reliable operations. The power grid has been called the most complicated interconnected machine on earth. Those who plan, design, and construct it must have confidence that the software they deploy is cyber secure.

Software solutions have complex supply chains, with multiple companies contributing to their development. Modern software code can contain hundreds of software components sourced from third-party software solutions (either proprietary or open-source) and incorporated into the product by the supplier.  

In less than six months, we have seen cybersecurity incidents at Solar Winds, Colonial Pipeline, and Kaseya that directly resulted from ineffective software security controls. With the increased complexity of software attacks, it is now necessary for cybersecurity practices to focus on eliminating malicious code in control systems software.

In May of 2021, the National Institute of Standards and Technology (NIST) issued guidance to enhance the security of software supply chains by Feb. 6, 2022. The recommendations include that the federal government requires a Software Bill of Materials (SBOM) for every purchased product.

The guidance stated: “An SBOM provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks.”

Thankfully, there is little debate about whether SBOMs are needed.  The focus now needs to shift to how to operationalize SBOM requirements, a job that is likely to fall to regulators.

Companies today face a labyrinth of regulators and regulations, each of which holds a piece of the SBOM puzzle, but none put them all together.  From North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards to NIST Cybersecurity Framework (CSF), an alphabet soup of standards exists. Policies like Executive Order 14028 require implementing software supply chain risk strategies such as acquiring software bill of materials (SBOM) from supply chain vendors. 

Ultimately, the benefit of SBOMs is to provide actionable information to purchasers to make informed decisions about software and help to improve the security of applications and establish a baseline for continuously monitoring software applications for potential vulnerabilities. 

While many standards and guidelines require varying levels of software security, an effective standard for preparing and analyzing SBOMs will be invaluable to enable utility companies to reach the ultimate goal—effective and reliable operation enabled by software supply chain transparency, accountability, and cybersecurity.

—Tobias Whitney is the vice president of energy solutions for Fortress Information Security, a former technical executive at the Electric Power Research Institute, and a former senior manager of infrastructure protection at the North American Electric Reliability Corporation.