An SBOM doesn’t sound like something you’d want on your IT system, but it can play an important role in keeping that system safe from malware and hackers.
A “Software Bill of Materials” is “essentially a nutrition label for your software and firmware,” says Emma Stewart, NRECA chief scientist. “It’s a list of ingredients that allows you to see where things came from and determine whether they’re healthy or not.”
This spring, the Biden administration issued an executive order on improving U.S. cybersecurity that mandates the establishment of SBOM standards. NRECA has initiated a pilot project with member co-ops to study the application of SBOMs for electric cooperatives and develop an approach that benefits co-ops of all sizes.
The focus reflects growing national concern about cyberattacks, from ransomware to efforts by foreign actors to damage critical infrastructure. SBOMs are made necessary by the nature of today’s software, which is typically assembled from third-party components, each built to handle a specific function, and is regularly updated by vendors to add new features and security fixes.
This means software has a supply chain that evolves over time. An SBOM provides the transparency that lets users see which components are present, spot any that are suspicious, and react when the list changes from one release to the next.
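The "react to changes" part of that sentence is where an SBOM earns its keep: with a component list for each release, a co-op can diff the two and ask what was added, what was dropped, and what was upgraded. The script below is an added example, not code from the article or from NRECA's pilot. It compares two constructed, minimal CycloneDX-style SBOM documents (the component names, versions and supplier names are invented) and flags any newly added component whose supplier is not on a hypothetical approved-supplier list.

```python
"""Compare two SBOM snapshots and report what changed between releases.

Added example (not from the article or NRECA's pilot). The two SBOMs below
are constructed, minimal CycloneDX-style JSON documents; the component
names, versions and supplier names are invented for illustration.
"""
import json

# Constructed sample: the SBOM delivered with firmware release 1.0
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "1.1.1k",
         "supplier": {"name": "OpenSSL Project"}},
        {"name": "modbus-lib", "version": "2.3.0",
         "supplier": {"name": "ExampleVendor"}},
        {"name": "zlib", "version": "1.2.11",
         "supplier": {"name": "zlib"}},
    ],
})

# Constructed sample: the SBOM delivered with firmware release 1.1.
# openssl was upgraded, zlib was removed, and a new "telemetry-agent"
# from an unfamiliar supplier appeared.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "1.1.1n",
         "supplier": {"name": "OpenSSL Project"}},
        {"name": "modbus-lib", "version": "2.3.0",
         "supplier": {"name": "ExampleVendor"}},
        {"name": "telemetry-agent", "version": "0.9.1",
         "supplier": {"name": "UnknownCo"}},
    ],
})

# Hypothetical list of suppliers the co-op has already vetted
APPROVED_SUPPLIERS = {"OpenSSL Project", "ExampleVendor", "zlib"}


def load_components(sbom_json):
    """Return {component name: component record} for a CycloneDX-style SBOM.

    Components are keyed by name here for readability; production tooling
    would key on the package URL (purl) or bom-ref, which is unambiguous.
    """
    doc = json.loads(sbom_json)
    return {c["name"]: c for c in doc.get("components", [])}


def diff_sboms(old_json, new_json):
    """Return added/removed/changed components between two SBOM snapshots."""
    old = load_components(old_json)
    new = load_components(new_json)
    added = {name: new[name] for name in sorted(set(new) - set(old))}
    removed = {name: old[name] for name in sorted(set(old) - set(new))}
    changed = {
        name: (old[name]["version"], new[name]["version"])
        for name in sorted(set(old) & set(new))
        if old[name]["version"] != new[name]["version"]
    }
    return {"added": added, "removed": removed, "changed": changed}


def unapproved_additions(diff, approved_suppliers):
    """Names of newly added components whose supplier is not on the approved list."""
    return sorted(
        name for name, rec in diff["added"].items()
        if rec.get("supplier", {}).get("name") not in approved_suppliers
    )


if __name__ == "__main__":
    d = diff_sboms(SBOM_V1, SBOM_V2)
    for name, rec in d["added"].items():
        print(f"ADDED    {name} {rec['version']} (supplier: {rec['supplier']['name']})")
    for name, rec in d["removed"].items():
        print(f"REMOVED  {name} {rec['version']}")
    for name, (old_v, new_v) in d["changed"].items():
        print(f"CHANGED  {name} {old_v} -> {new_v}")
    for name in unapproved_additions(d, APPROVED_SUPPLIERS):
        print(f"REVIEW   {name}: supplier not on approved list")
```

Run as a script it prints the three kinds of change and a review line for the new telemetry component. The point is not the diff itself but the question it lets a co-op ask its vendor before a firmware update goes onto a battery controller: who supplied this new component, and why is it there?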
West River Electric Association, based in Rapid City, South Dakota, is taking part in the pilot project. The co-op is working with Ellsworth Air Force Base on an SBOM for a 250-kW battery system that will provide backup power for a critical facility on the base.
The SBOM “will provide a level of security that makes us and the base feel more secure at the end of the day,” says Dick Johnson, West River Electric CEO/general manager.
Johnson believes SBOMs have further benefits for electric co-ops, particularly with recent media attention on potential vulnerabilities in the grid.
“I think, down the road, this will help ease members’ minds that we’re doing all we can to keep our systems safe and secure,” he says.