Welcome to Part II of our blog post miniseries on The Quest for SBOMs and the Legend of the SBOM'd Substation. This week's installment continues the story, inspired by the S4x24 main-stage presentation delivered by Matt Wyckhouse, Founder & CEO of Finite State, and Alex Waitkus, Principal Power Delivery Cybersecurity Architect at Southern Company.

If you missed the last post in the series, you can find it here.

Level One: The Inventory Jungle

As we delve deeper into our quest for SBOMs, we encounter the first formidable obstacle: The Inventory Jungle. A realm where visibility is obscured by the dense foliage of legacy systems and undocumented devices, and where the knowledge of each device's version and purpose is as critical as a map in uncharted territories.

[S4x24 blog post image 1]

Our guide sets the stage for a mission that is part detective work, part exploration into the unknown.

Our intrepid explorers step into the Jungle armed with tools for network visibility and a camera for capturing the tangible. This phase of the quest feels like navigating a labyrinth, where understanding the story behind each device is as challenging as finding it.

Despite our tools, we need more. The real world demands boots on the ground, photographs, and conversations with those who know the substation's secrets best. Network discovery tells you that a device exists; it rarely tells you the exact firmware build it is running, and an SBOM is only useful if it describes that exact build. Confirming the installed software version for each device, so that it could be matched to the right SBOM, became a critical, though daunting, task.

The Challenges Unveiled

As our explorers venture deeper into the unknown, several challenges emerge, painting a vivid picture of the Jungle's complexity:

  • Legacy Systems: Like ancient ruins, these devices stand as testaments to the past, holding valuable data but often resisting modern scrutiny.
  • Undocumented Devices: These are the enigmas of our journey, marked only by question marks where documentation should have been.
  • Physical Access Limitations: Locked doors and restricted areas pose significant barriers, making some parts of the Jungle nearly impenetrable.

Through a combination of network inventory tools, physical audits, and engaging with the guardians of this knowledge, we embark on a step-by-step process to map out the terrain.

A funny mishap occurred when, in pursuit of a particularly elusive device, one explorer mistook an ancient fax machine for a critical network component, a reminder of the unpredictable nature of our journey.

The Bounty of The Inventory Jungle

Emerging from the thicket, our expedition begins to bear fruit. We unveil a comprehensive map, revealing 39 devices sprawled across diverse network segments, each with its own story, history, and secrets.

[S4x24 blog post image 2]

The Control Network alone yields a trove of 18 devices from 2 different vendors, a reminder that even a small vendor count hides a wide range of products, firmware versions, and support lifecycles that each need their own SBOM.
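The hard part of the Inventory Jungle, as described above, is reconciling what was found in the field (device, vendor, product, installed version) with the SBOMs that exist, and being honest about the gaps. The following Python is an added example, not code from the presentation or from Finite State; it uses a constructed five-device inventory and two constructed SBOMs written in a minimal subset of the CycloneDX JSON layout (`metadata.component` for the product, `components` for its parts). Device names, vendors, versions and component lists are all invented for illustration. It classifies each device as matched, version mismatch (an SBOM exists for the product but not the installed version), no SBOM, or unidentified (the "question mark" devices whose vendor or version is still unknown), and summarises coverage.

```python
import json
from collections import Counter
from dataclasses import dataclass, field

# Constructed inventory records, not the 39 devices from the presentation.
# A None field marks an undocumented device: the "question mark" in the post.
INVENTORY = [
    {"device_id": "RTU-01", "segment": "Control Network", "vendor": "Vendor A",
     "product": "Relay-X", "version": "3.2.1"},
    {"device_id": "RTU-02", "segment": "Control Network", "vendor": "vendor a",
     "product": "Relay-X", "version": "3.1.0"},
    {"device_id": "HMI-01", "segment": "Control Network", "vendor": "Vendor B",
     "product": "Panel-Y", "version": "7.0"},
    {"device_id": "GW-01", "segment": "Corporate DMZ", "vendor": "Vendor C",
     "product": "Gateway-Z", "version": "1.0"},
    {"device_id": "FAX-01", "segment": "Admin Network", "vendor": None,
     "product": None, "version": None},
]

# Constructed SBOMs using a minimal subset of CycloneDX JSON:
# metadata.component names the product the SBOM describes; components lists its parts.
SBOM_DOCS = [
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"supplier": {"name": "Vendor A"},
                                           "name": "Relay-X", "version": "3.2.1"}},
                "components": [{"name": "openssl", "version": "1.1.1k"},
                               {"name": "busybox", "version": "1.31.1"}]}),
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"supplier": {"name": "Vendor B"},
                                           "name": "Panel-Y", "version": "6.9"}},
                "components": [{"name": "zlib", "version": "1.2.11"}]}),
]


@dataclass
class MatchResult:
    device_id: str
    status: str  # matched | version_mismatch | no_sbom | unidentified
    available_versions: list = field(default_factory=list)
    components: list = field(default_factory=list)


def _key(vendor, product):
    # Vendor and product names arrive in inconsistent casing from field notes; normalise them.
    return (vendor.strip().lower(), product.strip().lower())


def index_sboms(docs):
    """Map (vendor, product) -> {version: [component@version, ...]} from CycloneDX JSON strings."""
    index = {}
    for doc in docs:
        bom = json.loads(doc)
        top = bom["metadata"]["component"]
        key = _key(top["supplier"]["name"], top["name"])
        comps = [f"{c['name']}@{c['version']}" for c in bom.get("components", [])]
        index.setdefault(key, {})[top["version"]] = comps
    return index


def match_inventory(inventory, index):
    """Classify every inventoried device against the SBOM index."""
    results = {}
    for dev in inventory:
        dev_id = dev["device_id"]
        if not (dev["vendor"] and dev["product"] and dev["version"]):
            # Cannot even ask a vendor for an SBOM until the device is identified.
            results[dev_id] = MatchResult(dev_id, "unidentified")
            continue
        versions = index.get(_key(dev["vendor"], dev["product"]))
        if versions is None:
            results[dev_id] = MatchResult(dev_id, "no_sbom")
        elif dev["version"] in versions:
            results[dev_id] = MatchResult(dev_id, "matched", sorted(versions),
                                          versions[dev["version"]])
        else:
            # An SBOM for another build is not evidence about the build in the field.
            results[dev_id] = MatchResult(dev_id, "version_mismatch", sorted(versions))
    return results


def coverage(results):
    """Count devices per status; only 'matched' devices can be screened via their SBOM."""
    return dict(Counter(r.status for r in results.values()))


if __name__ == "__main__":
    res = match_inventory(INVENTORY, index_sboms(SBOM_DOCS))
    for r in res.values():
        print(r)
    print(coverage(res))
```

The version-mismatch bucket is the one to watch: it is tempting to treat an SBOM for Relay-X 3.2.1 as "close enough" for a device running 3.1.0, but the component list (and therefore the vulnerability exposure) can differ between builds, so the example deliberately refuses to count it as covered.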

Venturing into Vendor Valley

Our journey next leads us into the foreboding terrains of Vendor Valley, a land where allies and adversaries hide behind every contract and legal document. Here, the quest for the sacred SBOM scrolls unfolds, with vendors varying from welcoming collaborators to guarded gatekeepers enshrouded in legalities and contractual mazes.

[S4x24 blog post image 3]

In Vendor Valley, diplomacy and persistence become our most trusted allies. Every SBOM collected is a victory, a step towards knowing which vulnerable components actually sit in our substation. Yet this valley is not without its dragons: refusals, restrictions, and complex negotiations test our resolve at every turn.

Side Quests and SBOM Drama

As we navigate the valley's challenging landscape, side quests emerge, each a drama-filled episode worthy of daytime TV. The slow pace of industry movement and the omnipresence of legacy systems in operational technology present unique challenges.

[S4x24 blog post image 4]

These 'Case Studies in SBOM Drama' offer insights into the real-world complexities of SBOM collection and management, showcasing the creativity and tenacity required to overcome resistance and secure the necessary data.

The Journey Continues

As we conclude Level One of our quest and prepare to venture deeper, the journey thus far has been both enlightening and fraught with obstacles. From the dense Inventory Jungle to the treacherous Vendor Valley, each step brings us closer to our goal yet reveals the vast complexities of securing our digital realms.

The alliances formed, the challenges overcome, and the knowledge gained are all testaments to the importance of our mission: securing the future, one SBOM at a time.

Check back soon for the next installment in this series, when our adventurers take on Level 2: Vendor Valley!