Several major power companies have launched a software assurance database that will serve as a software bill of materials (SBOM) repository for the power industry. Part of a long-sought solution to address a critical supply chain cybersecurity risk, the collaborative effort announced on Feb. 8 seeks to help vendors identify and remediate vulnerabilities in software that is used to manage mission-critical applications for the energy industry.
The North America Energy Software Assurance Database (NAESAD) will be led by several investor-owned utilities—among them, American Electric Power (AEP) and Avangrid Networks—and managed by Orlando-based Fortress Information Security, a firm that specializes in power and defense cybersecurity. Fortress told POWER the industry-wide database would create the “largest inventory of software assurance data” for common bulk power system vendors and suppliers while also providing “comprehensive” SBOM component analyses and automated risk analyses. Fortress and partner organizations will also validate the database, ensuring “supplier-provided information is corroborated with security research (including binary analysis),” the firm said.
What Is a Software Bill of Materials?
Under a federal definition, SBOM is a formal record containing details and supply chain relationships of various components used in building software, much like food ingredient labels appear on packaging. “SBOMs provide the recipe of proprietary and open-source ingredients in software that run critical infrastructure technologies,” Fortress explained. “SBOMs provide actionable information to purchasers so they can make informed decisions about software and help improve the security of applications. While many standards and guidelines require varying levels of software security, an effectively prepared and analyzed SBOM can be invaluable in meeting tomorrow’s critical infrastructure application cybersecurity challenges.”
The new database is being rolled out as efforts to address bulk power system (BPS) supply chain security ramp up, given an increase in malicious cyber activity through more frequent and ever-more sophisticated breaches. For the power sector, a critical industry that relies on a complex set of critical equipment and constituent components, the threat landscape has been dynamic. According to the North American Reliability Corp. (NERC), “increasingly bold adversaries regularly employ new tactics, techniques, and procedures to exploit new and legacy vulnerabilities.” As the sector absorbs new interdependencies, a grid evolution, and an expanding supply chain, “the potential magnitude of impacts has increased,” the North American designated electric reliability organization notes.
NERC has issued numerous threat reports documenting active targeting of software embedded in widely used products, including those that secure communications and operate firewalls. Recent threats include the 2020 SolarWinds hack, led by Russian government hackers, and the 2021 Log4j (Log4Shell) vulnerability in enterprise systems, exploited by China-linked actors.
However, interest in SBOM work has soared since 2018, when it was conceived as a collaborative community effort, driven by National Telecommunications and Information Administration’s (NTIA) multistakeholder process. Tasked by Congress, the newly established Cyberspace Solarium Commission laid out a framework for cybersecurity certification and labeling. Fortress on Tuesday told POWER the NAESAD follows the private-public partnership blueprint that the commission developed.
In May 2021, scrambling to address emerging risks through federal leadership, the Biden administration issued Executive Order 14028, setting out a lengthy list of cybersecurity imperatives for supply chain security. These included tasking the National Information Technology Laboratory (NIST) with laying out the groundwork for new SBOM requirements in collaboration with the U.S. Department of Energy, U.S. Department of Homeland Security, and other organizations responsible for U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) is in tandem advancing SBOM work by “facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases.”
According to Fortress, additional SBOM requirements for utilities and other critical industries are expected over the next year. But engaging now with the industry-led effort could provide fundamental accounting for every software component used within the energy industry, serving to alleviate risks which burden the industry, it suggested. “The challenges for utilities and their supply chain partners are significant, but there is a clear path to mitigating critical risks,” noted Alex Santos, Fortress CEO. “Industry players must collaborate—from the smallest supplier to the largest utility. The SBOM for every critical product needs to be carefully analyzed to reveal, prioritize, and eliminate the vulnerabilities that pose the greatest threat to the U.S. energy industry.”
Challenges Surrounding SBOM
Some vendors, however, aren’t convinced SBOM presents a “clear path” to mitigating risks. During a Dec. 7 technical conference hosted jointly by the DOE and the Federal Energy Regulatory Commission (FERC), Hitachi Energy’s director of Product Management and Applications for Grid Automation, Steven Kunsman, pointed to the tool’s relative infancy. SBOMs and hardware bills of materials (HBOMs) “will take time as the use cases, exchange format, and mechanism are defined, and pilots demonstrate the realizable value,” he said. Kunsman also noted that while Hitachi Energy participated in an Energy Sector SBOM proof of concept (POC) to explore utility use cases, “no asset owners were interested in SBOM exchange as part of the POC.”
Meanwhile, from a vendor perspective, “concerns arise from SBOM and HBOM publication including intellectual property disclosure and providing adversaries with insight on potential vulnerability exploitations before availability of mitigations or a remediation patch,” Kunsman said. “SBOM as a tool can identify potential vulnerabilities in software components but by itself is not enough. Vendor collaboration is important as the identified SBOM vulnerability might not be exploitable. A deeper understanding of the software architecture is required to avoid unnecessary cyber asset mitigation or remediation,” he said.
Kunsman, however, suggested that SBOMs might have a crucial role to play in legacy technologies, which are products or systems that are no longer actively offered for sale. Much of the critical technology used in the energy sector is considered legacy technology, the DOE acknowledges. Software tools could enable reverse engineering of source code for legacy systems by extracting firmware from legacy technology to produce the associated SBOMs, Kunsman said. That extraction process could be developed by a DOE national laboratory, and its vulnerability assessment and management could be performed by third-party organizations supported by the vendors, he suggested.
Others in the industry, however, view SBOM as a critically important consumer-protection tool. “The information contained in an SBOM identifies the software supplier, component name, and version information for each SBOM component, enabling consumers to use this information to search for vulnerabilities in the NIST NVD,” a U.S. government repository of standards-based vulnerability management data, noted Dick Brooks, chief technology officer for Reliable Energy Analytics, a small Massachusetts-based software engineering firm that develops software supply chain risk management solutions for critical infrastructure.
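The workflow Brooks describes (and the SBOM definition given earlier in the article) can be shown concretely. The following is an added example, not code from the article, from Fortress, NAESAD, or Reliable Energy Analytics: it reads supplier, component name, and version from a small SBOM in the CycloneDX JSON layout and checks each component against a vulnerability feed. The SBOM document, the component names, and the vulnerability feed are all constructed for this example; the feed is a hypothetical, offline stand-in for an NVD query, and its advisory IDs are placeholders rather than real CVEs.

```python
"""
Added example (not from the article or any organization it names): a minimal
SBOM consumer that extracts supplier / component name / version from a
CycloneDX-style JSON SBOM and matches each component against a vulnerability
feed by affected version range.
"""
import json

# Constructed SBOM. The structure follows the CycloneDX JSON layout; the
# suppliers, components and versions are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "supplier": {"name": "Example Logging Project"},
     "name": "example-logger", "version": "2.14.1"},
    {"type": "library", "supplier": {"name": "Example Net Tools"},
     "name": "example-tls", "version": "1.0.3"},
    {"type": "application", "supplier": {"name": "Example Grid Vendor"},
     "name": "relay-manager", "version": "5.2.0"}
  ]
}
"""

# Constructed, hypothetical vulnerability feed. A real consumer would query the
# NIST NVD; this embedded list lets the example run offline. IDs are placeholders.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "supplier": "Example Logging Project",
     "component": "example-logger", "affected_from": "2.0.0",
     "fixed_in": "2.15.0", "severity": "CRITICAL"},
    {"id": "VULN-EXAMPLE-0002", "supplier": "Example Net Tools",
     "component": "example-tls", "affected_from": "1.0.0",
     "fixed_in": "1.0.3", "severity": "HIGH"},
]


def parse_version(text):
    """Turn a dotted version string into a tuple of ints for comparison.
    Only the leading digits of each segment are used, so a suffix such as
    '-rc1' is ignored; a segment with no leading digits becomes 0."""
    parts = []
    for seg in text.split("."):
        num = ""
        for ch in seg:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def is_affected(version, affected_from, fixed_in):
    """True when affected_from <= version < fixed_in (half-open range, so the
    release that ships the fix is not reported)."""
    v = parse_version(version)
    return parse_version(affected_from) <= v < parse_version(fixed_in)


def load_components(sbom_text):
    """Return (supplier, name, version) triples from a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    comps = []
    for c in bom.get("components", []):
        supplier = (c.get("supplier") or {}).get("name", "unknown")
        comps.append((supplier, c["name"], c["version"]))
    return comps


def match_vulnerabilities(components, feed):
    """Return (component, version, advisory id, severity) for every component
    whose supplier and name match an advisory and whose version is in range."""
    findings = []
    for supplier, name, version in components:
        for adv in feed:
            if adv["supplier"] != supplier or adv["component"] != name:
                continue
            if is_affected(version, adv["affected_from"], adv["fixed_in"]):
                findings.append((name, version, adv["id"], adv["severity"]))
    return findings


def analyze_sbom(sbom_text=SBOM_JSON, feed=VULN_FEED):
    """End-to-end: parse the SBOM, then match its components against the feed."""
    return match_vulnerabilities(load_components(sbom_text), feed)


if __name__ == "__main__":
    for name, version, adv_id, sev in analyze_sbom():
        print(f"{sev}: {name} {version} matches {adv_id}")
```

Run as written, only example-logger 2.14.1 is reported: it falls inside the affected range, while example-tls 1.0.3 is the fixed release and relay-manager has no advisory at all. The output is a list of candidates for triage, which is the point Kunsman makes above: a version match says a component carries a known issue, not that the issue is reachable in the product that embeds it, so vendor collaboration is still needed before deciding on mitigation.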
“Knowledge is power, and the more knowledge we have about supply chain risks, the more effective we can be in responding to those risks. HBOM and SBOM together would be beneficial in the cyber war against hackers. An SBOM should be a minimum requirement,” he said.
“CISA has assigned a work stream under the ICT SCRM Task Force to address HBOM requirements and a Software Assurance work stream addressing the use of SBOM and other best practices needed to assess the trustworthiness of software.” Trust, however, cannot thrive without accountability. “Software vendors that oppose the use of SBOMs show a clear lack of empathy for software consumers that bear all the risk and impact of cyber-attacks,” Brooks said.