Welcome to Part II of our blog post miniseries on The Quest for SBOMs and the Legend of the SBOM'd Substation. This installment, like the first, is inspired by the S4x24 main-stage presentation delivered by Matt Wyckhouse, Founder & CEO of Finite State, and Alex Waitkus, Principal Power Delivery Cybersecurity Architect at Southern Company.
If you missed the last post in the series, you can find it here.
As we delve deeper into our quest for SBOMs, we encounter the first formidable obstacle: the Inventory Jungle, a realm where visibility is obscured by the dense foliage of legacy systems and undocumented devices, and where knowing each device's version and purpose is as critical as a map in uncharted territory.
Our guide sets the stage for a mission that is part detective work, part exploration into the unknown.
Our intrepid explorers step into the Jungle armed with network visibility tools and a camera for capturing what the network cannot show. This phase of the quest feels like navigating a labyrinth, where understanding the story behind each device is as challenging as finding it.
Even with those tools, we need more. The real world demands boots on the ground, photographs of nameplates and front panels, and conversations with those who know the substation's secrets best. Confirming the exact software version running on each device, so that it can be matched to the right SBOM, becomes a critical, though daunting, task: an SBOM for a different firmware version describes components the device may not actually be running.
As our explorers venture deeper into the unknown, several challenges emerge, painting a vivid picture of the Jungle's complexity:
Through a combination of network inventory tools, physical audits, and conversations with the guardians of this knowledge, we map out the terrain step by step.
A funny mishap occurs when, in pursuit of a particularly elusive device, one explorer mistakes an ancient fax machine for a critical network component—a reminder of the unpredictable nature of our journey.
Emerging from the thicket, our expedition begins to bear fruit. We unveil a comprehensive map, revealing 39 devices sprawled across diverse network segments, each with its own story, history, and secrets.
The Control Network alone yields a trove of 18 devices from two different vendors, a discovery that underscores the diversity and complexity of the ecosystem we navigate.
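The reconciliation step described above, where network-discovered devices, walk-down observations and collected SBOMs are lined up against one another, is the kind of thing that is easy to hand-wave and painful to do by eye across 39 devices. The script below is an added example, not code from the original post or from Finite State or Southern Company. The inventory rows and the CycloneDX-style SBOM documents are constructed for illustration, and the asset and vendor names are placeholders. It merges observations per asset, flags devices whose network-reported and physically observed versions disagree (the trap noted in the Jungle: a version conflict must be resolved before any SBOM match can be trusted), and then reports which devices have a matching SBOM, an SBOM for the wrong version, or none at all.

```python
"""Reconcile a substation device inventory with the SBOMs collected for it.

Added example with constructed data; asset IDs, vendors and products are
placeholders, not real substation equipment.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: two observations of the same assets, one from a passive
# network-inventory tool and one from a physical walk-down (nameplate / panel).
INVENTORY = [
    {"asset": "RLY-01", "vendor": "VendorA", "product": "ProtRelay", "version": "4.2.1", "source": "network"},
    {"asset": "RLY-01", "vendor": "VendorA", "product": "ProtRelay", "version": "4.2.1", "source": "walkdown"},
    {"asset": "RLY-02", "vendor": "VendorA", "product": "ProtRelay", "version": "4.1.0", "source": "walkdown"},
    {"asset": "RTU-07", "vendor": "VendorB", "product": "SubRTU", "version": "2.9", "source": "network"},
    {"asset": "RTU-07", "vendor": "VendorB", "product": "SubRTU", "version": "3.0", "source": "walkdown"},
    {"asset": "GW-02", "vendor": "VendorB", "product": "ProtoGateway", "version": "1.4", "source": "walkdown"},
    {"asset": "FAX-01", "vendor": "VendorC", "product": "FaxMachine", "version": None, "source": "walkdown"},
]

# Constructed CycloneDX-style documents; only metadata.component is used here.
SBOM_DOCS = [
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"name": "ProtRelay", "version": "4.2.1",
                                           "supplier": {"name": "VendorA"}}},
                "components": [{"name": "openssl", "version": "1.1.1w"}]}),
    json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                "metadata": {"component": {"name": "SubRTU", "version": "2.9",
                                           "supplier": {"name": "VendorB"}}},
                "components": []}),
]


def index_sboms(docs):
    """Map (vendor, product) -> {version: parsed SBOM}, case-insensitive keys."""
    idx = defaultdict(dict)
    for raw in docs:
        doc = json.loads(raw)
        comp = doc["metadata"]["component"]
        supplier = comp.get("supplier", {}).get("name", "")
        idx[(supplier.lower(), comp["name"].lower())][comp["version"]] = doc
    return idx


def consolidate(inventory):
    """Merge per-source observations per asset and flag version disagreements."""
    by_asset = defaultdict(list)
    for obs in inventory:
        by_asset[obs["asset"]].append(obs)
    merged = {}
    for asset, obs_list in by_asset.items():
        versions = {o["version"] for o in obs_list if o["version"]}
        merged[asset] = {
            "vendor": obs_list[0]["vendor"],
            "product": obs_list[0]["product"],
            "versions": versions,
            "conflict": len(versions) > 1,   # network tool and walk-down disagree
            "sources": sorted(o["source"] for o in obs_list),
        }
    return merged


def reconcile(inventory, docs):
    """Return, per asset, the device record plus an SBOM coverage status."""
    idx = index_sboms(docs)
    report = {}
    for asset, dev in consolidate(inventory).items():
        available = idx.get((dev["vendor"].lower(), dev["product"].lower()), {})
        if dev["conflict"]:
            status = "version_conflict"      # settle the real version first
        elif not dev["versions"]:
            status = "version_unknown"       # nothing to match an SBOM against
        elif dev["versions"] & set(available):
            status = "matched"               # SBOM exists for the observed version
        elif available:
            status = "version_mismatch"      # SBOM exists, but for another version
        else:
            status = "no_sbom"               # nothing collected from this vendor
        report[asset] = {**dev, "status": status, "sbom_versions": sorted(available)}
    return report


def summarize(report):
    """Count assets per coverage status."""
    return dict(Counter(dev["status"] for dev in report.values()))


if __name__ == "__main__":
    result = reconcile(INVENTORY, SBOM_DOCS)
    for asset, dev in sorted(result.items()):
        print(f"{asset:7} {dev['product']:13} {sorted(dev['versions'])} -> {dev['status']}")
    print(summarize(result))
```

In practice the inventory rows would come from a discovery tool's export and the walk-down spreadsheet, and the SBOM list from whatever the vendors actually handed over; the point of the status column is that only "matched" devices are ready for component-level vulnerability analysis, while every other status is a follow-up item for either the field crew or the vendor.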
Our journey next leads us into the foreboding terrains of Vendor Valley, a land where allies and adversaries hide behind every contract and legal document. Here, the quest for the sacred SBOM scrolls unfolds, with vendors varying from welcoming collaborators to guarded gatekeepers enshrouded in legalities and contractual mazes.
In Vendor Valley, diplomacy and persistence become our most trusted allies. Every SBOM collected is a victory, a step towards fortifying our defenses against vulnerabilities. Yet, this valley is not without its dragons—refusals, restrictions, and complex negotiations test our resolve at every turn.
As we navigate the valley's challenging landscape, side quests emerge, each a drama-filled episode worthy of daytime TV. The slow pace of industry movement and the omnipresence of legacy systems in operational technology present unique challenges.
These 'Case Studies in SBOM Drama' offer insights into the real-world complexities of SBOM collection and management, showcasing the creativity and tenacity required to overcome resistance and secure the necessary data.
As we conclude Level One of our quest and prepare to venture deeper, the journey thus far has been both enlightening and fraught with obstacles. From the dense Inventory Jungle to the treacherous Vendor Valley, each step brings us closer to our goal yet reveals the vast complexities of securing our digital realms.
The alliances formed, the challenges overcome, and the knowledge gained are all testaments to the importance of our mission: securing the future, one SBOM at a time.
Check back soon for our next installment in this series, when our adventurers take on Level 2: Vendor Valley!