NARUC Panelists Push for Software Documentation
Bill of Materials Approach Could Aid in Threat Detection
Brian Barrios, Southern California Edison | NARUC
Panelists at the National Association of Regulated Utility Commissioners' annual meeting said requiring documentation of software's origins may be tricky.

Panelists at the National Association of Regulated Utility Commissioners’ annual meeting on Tuesday said the concept of a software bill of materials (SBOM) is attractive for the utility industry, but they warned that challenges remain for its implementation.

The SBOM idea has been getting more attention from the industry since its inclusion in President Biden’s Executive Order 14028, issued in May in response to the ransomware attack against Colonial Pipeline. (See Biden Directs Federal Cybersecurity Overhaul.) Biden’s order included a number of mandates, mostly aimed at federal agencies and their contractors, that were intended to improve cybersecurity preparedness in both the public and private sectors.

Participants in a panel on cyber supply chain security admitted to some surprise at the speed with which the SBOM concept has entered the popular lexicon.

“This has been a known idea for quite a while, but it’s really received a lot of traction lately. I don’t think two years ago I would have predicted we’d be in a conference talking about SBOMs and HBOMs [hardware bill of materials],” said Brian Barrios, vice president of cybersecurity and information technology compliance at Southern California Edison.

Tom Deitrich, Itron (left) and Judith Jagdmann, Virginia State Corporation Commission | NARUC

The impetus behind the SBOM is similar to that of the HBOM, which came earlier. With HBOMs, the manufacturer provides a list of all the physical materials that went into a hardware product and where they came from. Software products are not physical, but they are similarly composed of various subprograms and other components that, unlike in the 1980s and 1990s, are almost never created by a single programmer or even a single company.

“If you’re a coder these days, a lot of times you’re spending energy taking code from other places and pulling it all together. You’re not really writing a ton of custom code yourself,” Barrios said. “If I’m dealing with millions of lines of code in a software product, [understanding] where did it all come from [and] who ultimately wrote that is an extremely complex question.”

But implementing SBOMs in the utility sector could be a challenge. Tom Deitrich, CEO of Itron, a developer of technology for the energy and water industries, pointed out that while physical components can be traced back to their origin or at least the previous step in the supply chain, determining the provenance of software code is much more difficult.

In the case of last year’s attack on the SolarWinds Orion network management platform, an attacker managed to infiltrate the update channel for the widely used software and insert its own code into patches that went out to thousands of users. How could the company produce a useful SBOM when it didn’t even know that the malicious code was in the product?

“A situation like SolarWinds is a place where some bad software got integrated with some good software,” Deitrich said. “If you were looking at a bill of materials only, you may not have found it. If you were scanning the binaries to truly understand what’s inside of it, you could have detected it.”
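To make concrete both what an SBOM records (the component list described above) and Deitrich's distinction between reading the bill of materials and scanning what actually shipped, here is an added example that is not from the article or any of the panelists. It builds a simplified, CycloneDX-like SBOM in which each component entry carries the SHA-256 of the bytes the documented build produced, then runs two checks against a constructed set of shipped artifacts: an inventory-only comparison of names and versions, and a hash re-verification of the shipped bytes. All component names, versions and bytes are constructed stand-ins, and the SBOM layout is a simplification, not a complete standard document.

```python
"""Minimal SBOM with per-component hashes, and the two checks a consumer can run on it."""
import hashlib
import json
from typing import Dict, List

# Constructed sample build: component name -> bytes as produced by the documented build.
BUILD_ARTIFACTS: Dict[str, bytes] = {
    "nms-core": b"def main():\n    run_collectors()\n",
    "zlib": b"deflate/inflate routines (constructed stand-in bytes)\n",
    "openssl": b"tls routines (constructed stand-in bytes)\n",
}

# Constructed versions for the components above (not real release numbers).
VERSIONS: Dict[str, str] = {"nms-core": "1.0.0", "zlib": "1.2.11", "openssl": "1.1.1"}

# Constructed sample of what actually shipped: same names and versions as the build,
# but one component carries bytes the documented build never produced.
SHIPPED_ARTIFACTS: Dict[str, bytes] = dict(BUILD_ARTIFACTS)
SHIPPED_ARTIFACTS["nms-core"] = BUILD_ARTIFACTS["nms-core"] + b"    undocumented_extra_step()\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a component's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts: Dict[str, bytes], versions: Dict[str, str]) -> dict:
    """Record each component with its version and the SHA-256 of the bytes that were built.
    Simplified CycloneDX-like layout (assumption: not a complete standard document)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {
                "name": name,
                "version": versions[name],
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            }
            for name, data in sorted(artifacts.items())
        ],
    }


def inventory_only_check(sbom: dict, shipped: Dict[str, bytes],
                         versions: Dict[str, str]) -> List[str]:
    """Bill-of-materials-only check: compares names and versions, never the bytes.
    A component whose listed name and version match passes even if its contents changed."""
    listed = {(c["name"], c["version"]) for c in sbom["components"]}
    return [
        f"undocumented component: {name} {versions.get(name)}"
        for name in shipped
        if (name, versions.get(name)) not in listed
    ]


def verify_hashes(sbom: dict, shipped: Dict[str, bytes]) -> List[str]:
    """Hash-verification check: recomputes each digest from the shipped bytes and
    compares it with the digest recorded at build time."""
    findings: List[str] = []
    for comp in sbom["components"]:
        name = comp["name"]
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if name not in shipped:
            findings.append(f"missing component: {name}")
            continue
        actual = sha256_hex(shipped[name])
        if actual != expected:
            findings.append(f"hash mismatch: {name} expected {expected[:12]}... got {actual[:12]}...")
    documented = {c["name"] for c in sbom["components"]}
    findings.extend(f"undocumented component: {name}" for name in shipped if name not in documented)
    return findings


if __name__ == "__main__":
    sbom = build_sbom(BUILD_ARTIFACTS, VERSIONS)
    print(json.dumps(sbom, indent=2))
    print("inventory-only check:", inventory_only_check(sbom, SHIPPED_ARTIFACTS, VERSIONS))
    print("hash verification:", verify_hashes(sbom, SHIPPED_ARTIFACTS))
```

Run as a script, the inventory-only check reports nothing, because every shipped component is listed under the right name and version; the hash verification reports a mismatch on `nms-core`, because the shipped bytes differ from those the documented build produced. An SBOM only gives a consumer this second check when it carries digests and the consumer actually recomputes them against the delivered binaries.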

Matt Wakefield, EPRI | NARUC

Matt Wakefield, director of information, communication and cybersecurity research at the Electric Power Research Institute, pointed out that Biden’s order focused on the IT space, but the greatest concern for many utilities is with operational technology, where software is more specialized and documentation may be scarce compared to more widely used products like SolarWinds.

“There’s much less maturity in [SBOMs] and [HBOMs] in the OT space and the technologies that we use to operate the grid, so we’re kind of a step behind,” Wakefield said.

To speed the process along, some observers have proposed using software to analyze code and determine its origins. However, as with many software projects, putting this idea into practice has proven more difficult than anticipated.

“I read an article earlier this year that 2021 was going to be the year of the automated [SBOM],” Wakefield said. “I haven’t seen that occur yet.”

