The Energy Sector Software Bill Of Materials (SBOM) Proof of Concept (POC) will convene a group of diverse energy-sector stakeholders in an open, transparent, consensus-based process to explore the application of SBOMs within energy sector environments and catalyze progress in SBOM adoption to increase transparency of software components within the sector.

In an open forum, this group will develop tools and technologies for SBOM adoption in the energy sector, leveraging the work of the following NTIA SBOM Working Groups:

  • Framing – SBOM specification and structures
  • Formats and Tooling – Automation of SBOMs, including tools, processes, and playbooks
  • Awareness and Adoption – Outreach strategies and business cases
  • Automotive Proof of Concept – Explored adoption of SBOM within the Automotive Sector
  • Healthcare Proof of Concept – Explored adoption of SBOM within the Medical Device Community


Energy SBOM Meetings

Please join the Energy Sector SBOM Proof-of-Concept bi-weekly meetings.


Meetings are held on alternating Wednesdays, 12 PM – 1 PM EST.
Participants will continue to receive email invitations as we progress.

TO BE ADDED TO MEETING INVITATIONS, PLEASE EMAIL:

Debrief of S4 SBOM Exercise

May 18, 2022
Discussion of the exercises and feedback from the S4x22 conference session, CISA working group updates, and CycloneDX announcements.

SBOM Transports

March 16, 2022
Energy Sector Software Bill of Materials discussion: survey results of software bill of materials transports.

Venues for SBOM Discussion

February 16, 2022
A review of SBOM activities from the past year and a preview of discussion opportunities and the path ahead for 2022.

Energy SBOM Retrospective

December 1, 2021
A retrospective analysis of the past year of Energy SBOM work and brainstorming for the year ahead.

JuiceBox Demonstration

November 17, 2021
A detailed walkthrough of the SBOM elements within the JuiceBox open source product.

Healthcare Proof of Concept

November 3, 2021
Cooking Class: Presented by Tim Walsh of the Mayo Clinic

SBOM and VEX

October 20, 2021
Cooking Show: Dr. Allan Friedman of CISA explains the concept and importance of the Vulnerability Exploitability eXchange (VEX) format for reporting the status of component vulnerabilities.

SBOM Open Source

October 6, 2021
Cooking Class: Thomas Steenbergen of Here.com discusses how the European auto industry is now using SBOMs in the SPDX format.

Making an SBOM

September 21, 2021
Cooking Class: Steve Springett, leader of the OWASP CycloneDX project, demonstrates how to create an SBOM in that format.

Use Cases - Part 2

September 8, 2021

Use Cases - Part 1

August 25, 2021

Healthcare Lessons Learned

June 30, 2021
Cooking Class: Jennings Aske of NY Presbyterian Medical Center and Jim Jacobson of Siemens Healthineers discuss lessons learned in the Healthcare SBOM PoC, which started in 2018 and continues today.

Brainstorming

June 16, 2021

MURAL Synthesis Work

June 2, 2021

Agenda: To identify specific topics, use cases, and technology gaps the POC would like to focus on in the remainder of the calendar year. We will be using a tool called MURAL to allow the group to work together and we will send an advance copy of the “board” in case there are those for whom this technology will not work.

Proof of Concept Kickoff, Apr. 26, 2021

Attendees may be interested in this review of SBOM use cases and the benefits across the ecosystem. We encourage you to review it before Monday’s meeting: NTIA SBOM Use Cases Roles and Benefits, 2019 [PDF]

Energy SBOM POC Charter

May 19, 2021

The Project Charter captures high level planning information (scope, deliverables, assumptions, etc.) about the SBOM Proof of Concept effort.


Roles and Benefits for SBOM Across the Supply Chain

NTIA Multi-stakeholder Process on Software Component Transparency Use Cases and State of Practice Working Group

November 2019

Introduction:

Software is everywhere. Like steel and concrete, software increasingly plays a foundational role in a modern, connected society and like those other building materials, how and with what ingredients the building materials are created often matters. Software permeates banking, healthcare, utilities, emergency services, national defense, government systems, and the like. The software includes operating systems, firmware, and embedded systems within our gadgets, devices, IoT, and other machines. And just like these physical goods, the software has a supply chain that may need to be understood and managed by an organization dependent on that software.


About Software Bill of Materials

This is an introduction to the practice of Software Bill of Materials (SBOM), supporting literature, and the pivotal role SBOMs play in providing much-needed transparency: enabling stakeholders to answer questions like “Am I affected?” and “Where am I affected?” when faced with a supply chain concern.

SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. These inventories should be comprehensive – or should explicitly state where they could not be. SBOMs may include open source or proprietary software and can be widely available or access-restricted.

SBOMs should also include baseline attributes with the ability to uniquely identify individual components in a standard data format. The most efficient generation of SBOMs is as a byproduct of a modern development process. For older software, less-automated methods exist.
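As an added illustration (not code from the POC or the NTIA working groups), the following Python builds a constructed, minimal CycloneDX-style SBOM with hypothetical component names and shows the two checks the description above implies: flagging components that lack the baseline attributes needed to identify them uniquely (so the gap is stated explicitly rather than hidden), and walking the hierarchical dependency relationships to answer “Am I affected?” and “Where am I affected?” for a given component.

```python
from collections import deque

# Constructed sample SBOM in CycloneDX-style JSON structure; product and
# component names are hypothetical. "lib-c" deliberately lacks a supplier
# and a package URL so the completeness check has something to report.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "meter-gateway",
                               "version": "3.2.0"}},
    "components": [
        {"bom-ref": "lib-a", "name": "http-client", "version": "1.8.1",
         "supplier": {"name": "ExampleCo"}, "purl": "pkg:generic/http-client@1.8.1"},
        {"bom-ref": "lib-b", "name": "tls-lib", "version": "2.0.4",
         "supplier": {"name": "ExampleCo"}, "purl": "pkg:generic/tls-lib@2.0.4"},
        {"bom-ref": "lib-c", "name": "legacy-parser", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-c"]},
        {"ref": "lib-a", "dependsOn": ["lib-b"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "lib-c", "dependsOn": []},
    ],
}

# Baseline attributes assumed for this example: name, version, supplier,
# and a unique identifier (package URL).
BASELINE = ("name", "version", "supplier", "purl")


def missing_baseline(sbom):
    """Return {bom-ref: [missing attributes]} so gaps are stated explicitly."""
    gaps = {}
    for comp in sbom["components"]:
        missing = [key for key in BASELINE if not comp.get(key)]
        if missing:
            gaps[comp["bom-ref"]] = missing
    return gaps


def affected_paths(sbom, target_ref):
    """Answer 'Am I affected?' (non-empty result) and 'Where?' (each path):
    every dependency chain from the top-level product down to target_ref."""
    children = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            paths.append(path)
            continue
        for child in children.get(path[-1], []):
            if child not in path:  # guard against cyclic dependency data
                queue.append(path + [child])
    return paths
```

An empty result from `affected_paths` means the component is not reachable from the product, while each returned list names the chain through which it is pulled in.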

For more information or to join the SBOM-POC: SBOMEnergyPOC@inl.gov

Sponsor

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.


Participating Laboratories and Organizations

Idaho National Laboratory is a world leader in providing industrial control system (ICS) cybersecurity research and development. The laboratory’s distinctive history in protecting critical infrastructure systems puts the lab at the forefront of thought leadership and applied innovation in critical infrastructure cybersecurity testing. INL uses a comprehensive approach to developing ICS cybersecurity research to meet the energy sector’s needs identified by the DOE, utilities, and other organizations.

The National Telecommunications and Information Administration (NTIA) is the Executive Branch agency that is principally responsible for advising the President on telecommunications and information policy issues. NTIA’s programs and policymaking focus largely on expanding broadband Internet access and adoption in America, expanding the use of spectrum by all users, and ensuring that the Internet remains an engine for continued innovation and economic growth.