Southern Company constructs a power substation SBOM

Energy giant Southern Company embarked on a comprehensive project over the past year to create a software bill of materials (SBOM) for one of its Mississippi substations. The initiative involved inventorying all hardware, software, and firmware in the equipment at the substation to gain a better understanding of the software components and potential vulnerabilities present.

The cybersecurity team at Southern Company conducted on-site visits to the Mississippi Power substation to physically catalog the equipment, gather data from network sensors, and take photos. This initial reconnaissance phase was followed by the daunting task of obtaining software supply-chain details from the 17 different vendors whose devices were identified at the substation.

Alex Waitkus, principal cybersecurity architect at Southern Company, spearheaded the SBOM project and emphasized the importance of collecting information on all hardware, software, and interdependencies at the substation. Prior to the project, the energy company lacked visibility into the various software versions running on its systems. This lack of insight posed security risks and made vulnerability management challenging.

The project involved gathering SBOMs from each vendor represented at the substation. However, Southern encountered roadblocks as a significant number of vendors declined to provide the SBOM information. It took an average of 60 days and multiple meetings to obtain SBOMs from cooperating vendors, leading to frustrations and delays in the project.

Creating an SBOM for an operational technology (OT) environment presents unique challenges, especially with legacy equipment and outdated software that is crucial for industrial processes. The project highlighted the importance of supply chain transparency in identifying security weaknesses and vulnerabilities in industrial networks.

The benefits of SBOMs for Southern Company included NERC CIP compliance management, vulnerability management, and software patching prioritization. The project also emphasized the role of SBOMs in enhancing procurement processes by providing deeper visibility into software products during the evaluation phase.

While the project did not yield all the desired data due to vendor non-cooperation, Southern took proactive steps to verify the accuracy of the SBOMs it received. The team analyzed the SBOMs for component and code dependency data, and cross-referenced them with vulnerability databases to identify exploitable vulnerabilities in the systems.
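The verification and cross-referencing steps described above can be sketched as follows; this is an added example, not Southern Company's tooling or code from the original article. It assumes the vendor SBOM is CycloneDX JSON, and every device name, version and advisory ID is a constructed placeholder; exact-version matching stands in for the version ranges a real vulnerability feed would use.

```python
import json

# Constructed sample data; names, versions and advisory IDs are placeholders.
VENDOR_SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"name": "relay-fw", "version": "2.1.0"}},
  "components": [
    {"bom-ref": "tls", "name": "libexample-tls", "version": "1.0.2"},
    {"bom-ref": "xml", "name": "libexample-xml", "version": "2.9.1"},
    {"bom-ref": "rtos", "name": "example-rtos"}
  ],
  "dependencies": [{"ref": "tls", "dependsOn": ["xml", "zlib"]}]
}""")
OBSERVED = {"relay-fw": "2.3.1"}   # firmware version recorded during the site visit
ADVISORIES = [{"id": "EXAMPLE-0001", "name": "libexample-xml", "version": "2.9.1"}]

def verify_sbom(sbom, observed):
    """Return reasons the SBOM cannot be trusted as a description of the fielded device."""
    issues = []
    top = sbom["metadata"]["component"]
    seen = observed.get(top["name"])
    if seen != top["version"]:
        issues.append(f"sbom describes {top['name']} {top['version']}, site has {seen}")
    refs = {c["bom-ref"] for c in sbom["components"]}
    for c in sbom["components"]:
        if not c.get("version"):
            issues.append(f"component {c['name']} has no version")
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            if child not in refs:
                issues.append(f"dependency {dep['ref']} -> {child} is not declared")
    return issues

def match_advisories(sbom, advisories):
    """Return (advisory id, component name, names of components that depend on it)."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    hits = []
    for adv in advisories:
        for ref, c in by_ref.items():
            if (c["name"], c.get("version")) == (adv["name"], adv["version"]):
                parents = [by_ref[d["ref"]]["name"] for d in sbom.get("dependencies", [])
                           if ref in d.get("dependsOn", []) and d["ref"] in by_ref]
                hits.append((adv["id"], c["name"], parents))
    return hits

if __name__ == "__main__":
    for issue in verify_sbom(VENDOR_SBOM, OBSERVED):
        print("VERIFY:", issue)
    for hit in match_advisories(VENDOR_SBOM, ADVISORIES):
        print("VULN:", hit)
```

A version mismatch between the SBOM and the site inventory means any advisory match is against the wrong firmware release, so verification findings should be resolved before the vulnerability results are used for patch prioritization.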

Despite the challenges faced during the SBOM project, Southern Company is committed to operationalizing the program. The company plans to automate elements of the project in collaboration with other industry partners, including Schneider Electric, MITRE, Ameren, EPRI, and Scythe, to streamline inventory, SBOM collection, verification, and vulnerability analysis processes.

Southern Company’s SBOM project underscored the importance of supply chain transparency, vulnerability management, and proactive security measures in ensuring the resilience of critical infrastructure networks. By investing in initiatives like SBOMs, energy companies can enhance their cybersecurity posture and mitigate potential risks posed by software vulnerabilities.
