What's in your software? Federal initiative targets frequently overlooked electric utility vulnerabilities

Security vulnerabilities in the utility supply chain are not going to come in the form of "chips in the hardware," Robert Lee, CEO of security company Dragos, said at a February U.S. Department of Energy (DOE) briefing on the SolarWinds hack.

"That is by far the least likely scenario," Lee said, due to the high cost and overt nature of such an attack. Supply chain compromises, as the SolarWinds hack demonstrated, are more likely to come on the software side where cyber criminals could potentially gain access to critical infrastructure through vendor and manufacturer systems.

As computer applications are used to manage larger parts of the nation's electric grid, software security is a growing concern. In particular, say experts, because modern software is constructed from lots of different components.

The U.S. Department of Commerce's National Technology and Information Administration (NTIA) is in the process of launching a pilot program for the energy sector to develop and bring into use a Software Bill of Materials (SBOM) that could help utilities procure secure equipment and software, track existing vulnerabilities and ensure they are patched. Project officials say the effort will build on an international, cross-sector effort to establish consensus around the technical and operational considerations for software supply chains.

The "proof of concept" (POC) pilot will focus on a small number of software developers and companies from the electric power sector, potentially including manufacturers, asset owners and security companies. The Edison Electric Institute (EEI), which represents investor-owned utilities, has been collaborating with NTIA on the project.

"EEI is working with NTIA to help them to understand what elements are important to the energy sector, and we are working with our member companies to update them on new tools they can consider using as they work with potential vendors on procurement terms," David Batz, EEI senior director for cyber and infrastructure security, said in an email.

SBOMs can help utilities mitigate supply chain risk

EEI sees SBOMs as one more tool for utilities to mitigate overall supply chain risk, said Batz. "As a purchaser, you want to know what you are getting, and this tool could help entities identify product vulnerabilities that aren't readily apparent, down to the software assembly and subset component levels," he said.

As software has become more complex, the problem of component vulnerabilities has grown.

"Most estimates are that the average software product contains at least a hundred components, and sometimes many more than that, into the thousands," said Tom Alrich, a security consultant who has been working with the software transparency initiative since last August and is helping to organize the energy sector POC. "The problem is each of those components can have vulnerabilities, as well as pose other risks."

SBOMs indicate what components are in a piece of software, allowing end users to track and patch vulnerabilities.

An SBOM would not have stopped the SolarWinds attack, which hit multiple government agencies and hundreds of companies, because the vulnerability was not yet known. But SBOMs can help energy companies know what vulnerabilities exist in components of software and hardware they are acquiring, and work with the supplier to determine the best way to mitigate each vulnerability. Usually, said Alrich, a patch is the best mitigation.

An SBOM is also the first step for a company that makes or ships software to take ownership of their supply chain, said Allan Friedman, director of cybersecurity initiatives at NTIA.

"SBOM will be an invaluable tool for managing cybersecurity and software supply chain risk," Friedman said. "We find new vulnerabilities every few months that widely affect a lot of software and embedded components that are really deployed everywhere in our ecosystem — especially in the energy world."

There are multiple use cases in the energy world for SBOMs, said Friedman, including secure development processes, supply chain security, risk management and vulnerability assessments.

SBOMs can be used in utility procurement, said Alrich. "If you know about open vulnerabilities in components, you can require in the contract that they be patched or otherwise mitigated before the purchase is complete," he said.

Energy companies can also require terms for how suppliers will address component vulnerabilities going forward, he added.

NTIA wants to be the 'nexus for this discussion'

Friedman has been working on this project since 2018, when a first SBOM POC was developed for the health care sector. The plan now is to expand the POC to multiple other critical sectors, beginning with energy and later including automotive and banking. Each POC will bring together software and security experts to develop a shared vision of how SBOMs should be formatted, developed and utilized. The idea is for the production and use of SBOMs to develop organically from the effort, rather than through regulation or standards development.

NTIA is "trying to act as the nexus for this discussion," Friedman said. "We've been tackling this as an entire supply chain issue." That means the discussion has to include the asset owners who will be using the software, "to make sure they have some visibility into it."

And the POCs have to be cross sector, said Friedman. "We want to avoid having sector-specific solutions," he said, because across different critical infrastructure sectors "we all use the same software."

As more of the nation's electric grid is interconnected and automated, securing the systems that run it will be essential. But when it comes to assessing software vulnerabilities, Friedman said very few organizations can answer a simple question: "Am I potentially affected by this?"

"It's really surprising that very few organizations can do this," Friedman said. Utilizing SBOMs would make that determination much simpler, ultimately helping to boost security on the grid by making clear a piece of software's "list of ingredients."

"Modern software is not hewn out of alabaster," Friedman said at a January informational meeting. "Modern software is built out of existing components."

The next NTIA energy informational meeting is scheduled for 12 p.m. ET on March 24. The webinar is open to anyone with an interest in software security, although Alrich said it will be focused on the energy industry.

SBOMs' chicken-egg problem

If SBOMs are a simple solution to a growing problem, why aren't they in use now?

There are some concerns about licensing and open source restrictions, according to Friedman, but this is less a concern now than it was a few years ago. It is primarily a chicken and egg problem — software developers must make SBOMs available before companies can use them in procurement and vulnerability tracking, but they won't be available unless customers ask.

An SBOM "only becomes a tool if vendors are able to provide it," said EEI's Batz.

Ultimately, the SBOM system will need to be very regimented to allow use by different sectors. "If we want this to scale across the community, it needs to be machine-readable for automation, and that means having a shared vision, and building around some existing standards," Friedman said.