March 6, 2024 at 08:03AM
Southern Company undertook a project to create a software bill of materials (SBOM) for its Mississippi substation, involving inventorying hardware, software, and firmware, and gathering supply-chain information from 17 vendors. The process included challenges such as limited vendor cooperation and outdated SBOMs upon receipt. The project highlighted the importance of SBOMs for vulnerability management and patch prioritization in industrial networks. Despite challenges, Southern plans to operationalize the SBOM program and collaborate on automating the process with other organizations.
From the meeting notes, we can gather the following key takeaways:
1. Southern Company embarked on an ambitious project to create a software bill of materials (SBOM) for one of its Mississippi substations, involving an extensive inventory of hardware, software, and firmware from multiple vendors.
2. The project revealed challenges in obtaining SBOM information from vendors, with nearly 60% declining to provide the information and significant delays in obtaining the SBOMs from cooperating vendors.
3. Despite the challenges, the project provided valuable insights into the substation’s software supply chain and its potentially exploitable vulnerabilities, demonstrating the importance of supply chain transparency in industrial networks.
4. Southern Company took proactive steps to verify the accuracy and completeness of the SBOMs received from vendors, using scripts, vulnerability assessment tools, and independent vulnerability testers to ensure the information was reliable.
5. The project also highlighted the need to restructure vendor contracts to include SBOM requirements and the awkwardness of current SBOM-sharing processes, pointing to the ongoing nature of the SBOM initiative.
Overall, the SBOM project at Southern Company exemplifies the complex nature of creating SBOMs for OT environments, the importance of supply chain transparency, and the ongoing efforts to enhance the operationalization of SBOM programs.