In a world not unlike the mythical realms of video games, where heroes embark on quests filled with dragons, mysteries, and hidden treasures, a group of modern-day cyber-warriors gathered at the S4x23 Roundtable last year.

These were no ordinary warriors. Armed with expertise rather than swords, their mission was to navigate the labyrinthine complexity of securing a substation's digital infrastructure by illuminating the vulnerabilities in our software supply chains.

This is their story.

The Gathering of a Guild of Cyberwarriors

Last year, the diverse group convened at S4x23—a melting pot of operational technology (OT) vendors, manufacturers, and asset owners. Their battleground was the intricate ecosystem of a utility substation, a place where cybersecurity devices mingle with condition-based maintenance tools, each a crucial piece in the vast tapestry of utility security. The goal was ambitious: to pioneer a path for Software Bill of Materials (SBOM) collection within a substation, a complex domain.


The Quest Begins

Battle parties formed, our questline unfolds with a clear mission, brimming with challenges: to SBOM an entire facility at one of Southern Company's Mississippi Power substations.

The inventory list was as daunting as the Mississippi River itself, encompassing protection, network, and cybersecurity devices among others. Each device, a story; each story, a quest in its own right, with its unique risks, complicated supply chains, and deep well of dark secrets.

The Idealized Scenario: The Cybersecurity Utopia that Doesn't Exist

At the outset of our tale, we find ourselves armed with ideas of what every hero desires—a flawlessly accurate inventory of devices and their software versions. A fanciful starting point, indeed, you may note, for such an inventory exists mostly in the realm of wishful thinking.


Venturing to the first waypoint on our map, we're invited to envision a world of cybersecurity ease and grace, a place where SBOMs, each a comprehensive list of every component in a piece of software, are not just available but offered on a silver platter. Here, vulnerabilities kneel in submission, and vendors, with smiles wide, eagerly wait to hand over their SBOMs at the mere hint of a request.

As we progress to the second waypoint, the fantasy deepens with the introduction of the magical SBOM analyzer, a mythical device that, with a mere 'bing', unveils and verifies every vulnerability with unerring accuracy. The clarity it brings to security risks is as undeniable as the brightest sunny day.

The journey doesn't stop there; at the third waypoint, we find the 'Vulnerability Eraser'. This mythical tool, requiring but a single click, promises to patch all vulnerabilities, obviating the need for updates or tedious negotiations with vendors. A simple click, and all is secure.

By the fourth waypoint, the dream evolves into a vision of perfect collaboration. Vendors and asset owners, in this idyllic scenario, share data and insights with the ease of old friends gathered around a summer campfire, their interactions marked by mutual understanding and shared goals.

Finally, at the fifth waypoint, we're presented with the ultimate dream: every device, every line of code, existing in perfect security harmony. This symphony of cyber resilience is the pinnacle of the idealized scenario, a testament to what could be.

But as the tale unfolds, we're reminded that the path to cybersecurity is seldom as straightforward as our dreams might suggest, and reality waits to tell a very different story.

The Harsh Reality

As our heroes would soon discover, reality had other plans. The actual quest for SBOMs on this project was less 'Candy Land' and more 'Jumanji'—a game board rife with real-world challenges.


Complex stakeholder ecosystems, technical hurdles, incomplete information... the path was fraught with obstacles at every turn.

The True Grit of the Journey

Navigating this terrain required not just determination but innovation and collaboration. The task was formidable: to collect SBOMs for an entire substation. Each interaction with a vendor, each technical snag, was a battle to be won. And yet, our heroes pressed on, their eyes set on the prize—secure, resilient infrastructure.

The Conditions for Victory

The objectives were clear:

  • Collect SBOMs,
  • Identify and mitigate potential vulnerabilities, and
  • Establish a process for ongoing SBOM management.

Each milestone reached was a testament to their resolve. From organizing SBOMs to slaying vulnerability dragons, every step forward was a victory in its own right.

The Group Faced the Dungeon's Door

Battle plan in hand, roles assigned, best- and worst-case scenarios considered, the group faced the task at hand: SBOMing a substation. Check back next time for our next installment and follow the group's progress as they begin their quest and encounter their first real-world challenges.